Feat(#199): getting the webtop to run a bit now with broader permissions
commjoen committed Mar 7, 2023
1 parent e5946b1 commit e500573
Showing 1 changed file with 12 additions and 11 deletions.
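--- a/wrongsecrets-balancer/src/kubernetes.js
+++ b/wrongsecrets-balancer/src/kubernetes.js
@@ -34,7 +34,8 @@ const createNameSpaceForTeam = async (team) => {
 },
 labels: {
 name: `t-${team}`,
-'pod-security.kubernetes.io/enforce': 'restricted',
+'pod-security.kubernetes.io/audit': 'restricted',
+'pod-security.kubernetes.io/enforce': 'baseline',
 },
 };
 k8sCoreApi.createNamespace(namedNameSpace).catch((error) => {
@@ -1073,11 +1074,11 @@ const createDesktopDeploymentForTeam = async ({ team, passcodeHash }) => {
 },
 spec: {
 serviceAccountName: 'webtop-sa',
-securityContext: {
-runAsUser: 1000,
-runAsGroup: 1000,
-fsGroup: 1000,
-},
+// securityContext: {
+// runAsUser: 1000,
+// runAsGroup: 1000,
+// fsGroup: 1000,
+// },
 containers: [
 {
 name: 'virtualdesktop',
@@ -1098,10 +1099,10 @@ const createDesktopDeploymentForTeam = async ({ team, passcodeHash }) => {
 },
 // resources: get('virtualdesktop.resources'),
 securityContext: {
-allowPrivilegeEscalation: false,
-readOnlyRootFilesystem: true,
-runAsNonRoot: true,
-capabilities: { drop: ['ALL'] },
+allowPrivilegeEscalation: true,
+readOnlyRootFilesystem: false,
+runAsNonRoot: false,
+capabilities: { drop: ['ALL'], add:['CAP_SETGID','CAP_SETUID','CAP_CHOWN'] },
 seccompProfile: { type: 'RuntimeDefault' },
 },
 env: [...get('virtualdesktop.env', [])],
@@ -1140,7 +1141,7 @@ const createDesktopDeploymentForTeam = async ({ team, passcodeHash }) => {
 {
 emptyDir: {
 medium: 'Memory',
-sizeLimit: '128Mi',
+sizeLimit: '200Mi',
 },
 name: 'config-fs',
 },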
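Review bot: The capability names in the container `securityContext` carry the `CAP_` prefix, but Kubernetes documents capability names without it, so the line should read `capabilities: { drop: ['ALL'], add: ['SETGID', 'SETUID', 'CHOWN'] },`; whether the runtime in use tolerates the prefixed form is not visible here and is worth confirming against a running pod rather than assumed. With `runAsNonRoot: false` here and the pod-level `runAsUser`/`fsGroup` commented out in the previous hunk, the container's UID falls back to whatever the image defines, presumably root — if that is the intent, a comment such as `// webtop init needs root plus SETUID/SETGID/CHOWN; re-tighten under #199` would record why the earlier hardening was dropped and what would let it come back. The `enforce: 'baseline'` label in the first hunk relaxes admission for every pod in the team namespace, not just the desktop, since PSS labels cannot carve out a single workload; the `audit: 'restricted'` label left in place is then the only signal that other pods in that namespace have drifted from the old policy. createDesktopDeploymentForTeam starts and ends outside these hunks.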
