Closed mathieu-benoit closed 3 years ago
Here is the Deployment resource to accomplish this:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: asm-ingressgateway
spec:
  selector:
    matchLabels:
      app: asm-ingressgateway
      asm: ingressgateway
  template:
    metadata:
      annotations:
        # This is required to tell Anthos Service Mesh to inject the gateway with the
        # required configuration.
        inject.istio.io/templates: gateway
      labels:
        app: asm-ingressgateway
        asm: ingressgateway
    spec:
      containers:
      - name: istio-proxy
        image: auto # The image will automatically update each time the pod starts.
        env:
        - name: ISTIO_META_UNPRIVILEGED_POD
          value: "true"
        ports:
        - containerPort: 15021
          protocol: TCP
        - containerPort: 8080
          protocol: TCP
        - containerPort: 8443
          protocol: TCP
        resources:
          limits:
            cpu: 2000m
            memory: 1024Mi
          requests:
            cpu: 100m
            memory: 128Mi
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - all
          privileged: false
          readOnlyRootFilesystem: true
      securityContext:
        fsGroup: 1337
        runAsGroup: 1337
        runAsNonRoot: true
        runAsUser: 1337
      serviceAccountName: asm-ingressgateway
```
As was the case originally: https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages/pull/979