
Commit 6584af3

committed
make root optional
1 parent 124a179 commit 6584af3


3 files changed

+10
-1
lines changed


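--- a/charts/rancher-backup/templates/deployment.yaml
+++ b/charts/rancher-backup/templates/deployment.yaml
@@ -24,8 +24,10 @@ spec:
 prometheus.io/scrape: "true"
 {{ end }}
 spec:
+{{- if .Values.securityContext.runAsNonRoot }}
 securityContext:
 fsGroup: 1000
+{{- end }}
 serviceAccountName: {{ include "backupRestore.serviceAccountName" . }}
 {{- if .Values.imagePullSecrets }}
 imagePullSecrets:
@@ -40,9 +42,11 @@ spec:
 imagePullPolicy: {{ default "Always" .Values.imagePullPolicy }}
 securityContext:
 allowPrivilegeEscalation: false
+{{- if .Values.securityContext.runAsNonRoot }}
 runAsNonRoot: true
 runAsUser: 1000
 runAsGroup: 1000
+{{- end }}
 ports:
 - containerPort: 8080
 args: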
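Review bot: With `.Values.securityContext.runAsNonRoot` set to false, the second hunk leaves the container securityContext with only `allowPrivilegeEscalation: false`, and because this commit also removes `USER 1000` from package/Dockerfile the process then presumably runs as UID 0 with the runtime's default capability set. I would keep the root mode as narrow as possible by adding, outside the `if`, `capabilities: {drop: ["ALL"]}` next to `allowPrivilegeEscalation: false`; root should still be able to write to a root-owned HostPath directory without extra capabilities, but that needs to be confirmed on a test cluster. The root case is also implicit, since it depends on whatever default user the image happens to have, so an `{{- else }}` branch with `runAsUser: 0` would make the intent visible in the rendered manifest. The container spec continues outside the hunk.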

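--- a/charts/rancher-backup/values.yaml
+++ b/charts/rancher-backup/values.yaml
@@ -90,3 +90,9 @@ monitoring:
 additionalLabels: {}
 metricRelabelings: []
 relabelings: []
+
+securityContext:
+## When persisting backup files to a PVC of type HostPath, set securityContext.runAsNonRoot to false.
+## Only processes running as 'root' can write to HostPath PVCs so Backups will fail in that scenario if not running as 'root'.
+## However, this goes against Kubernetes security best practices and should be avoided whenever possible.
+runAsNonRoot: true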
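Review bot: The comment above `runAsNonRoot` explains when to set it to false but not what the flag actually switches off: in deployment.yaml it gates `runAsNonRoot`, `runAsUser`, `runAsGroup` and the pod-level `fsGroup` together. I would add a line such as `## Setting this to false removes runAsUser/runAsGroup/fsGroup 1000, so the operator runs as the image's default user (root).` It is also worth telling operators that namespaces enforcing the restricted Pod Security Standard will not admit the pod in that mode.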

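--- a/package/Dockerfile
+++ b/package/Dockerfile
@@ -12,5 +12,4 @@ RUN ./scripts/build
 
 FROM registry.suse.com/bci/bci-micro:latest
 COPY --from=builder /usr/src/app/bin/backup-restore-operator /usr/bin/
-USER 1000
 ENTRYPOINT ["backup-restore-operator"]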
