gemini changes

2026-03-07 23:29:56 +11:00
parent 900f8f23aa
commit 8fe712cda7
4 changed files with 78 additions and 46 deletions
--- a/manifests/deployment.yaml
+++ b/manifests/deployment.yaml
@@ -20,19 +20,21 @@ spec:
      serviceAccountName: clawd-sa
      securityContext:
        fsGroup: 1000
+        runAsNonRoot: true
      initContainers:
        - name: setup-ssh
-          image: docker.io/alpine:latest
+          image: busybox:latest
          command:
            - sh
            - -c
            - |
-              # 1. Fix data volume permissions
-              chown -R 1000:0 /data && chmod -R 775 /data
-
-              # 2. Setup writable SSH tirectory from Secret
+              # Fix data volume permissions if needed
+              # Note: On some systems this requires root in the init container
+              # but often fsGroup handles this.
+              mkdir -p /data/ssh && chmod 775 /data
+              
+              # Setup writable SSH directory from Secret
              cp /mnt/keys/authorized_keys /working-ssh/
-              chown 1000:0 /working-ssh/authorized_keys
              chmod 600 /working-ssh/authorized_keys
          volumeMounts:
            - name: data-volume
@@ -45,20 +47,7 @@ spec:
        - name: clawdbox
          image: default-route-openshift-image-registry.apps.lab.apilab.us/clawdbox/clawdbox:latest
          imagePullPolicy: Always
-          command:
-            - /bin/bash
-            - "-c"
-            - |
-              mkdir -p /data/ssh
-              if [ ! -f /data/ssh/ssh_host_rsa_key ]; then
-                echo 'Generating persistent host keys...'
-                ssh-keygen -f /data/ssh/ssh_host_rsa_key -N '' -t rsa
-                ssh-keygen -f /data/ssh/ssh_host_ecdsa_key -N '' -t ecdsa
-                ssh-keygen -f /data/ssh/ssh_host_ed25519_key -N '' -t ed25519
-              fi
-              chmod 600 /data/ssh/ssh_host_*_key
-              # Run sshd with PAM disabled and logging to stderr
-              /usr/sbin/sshd -D -e -f /etc/ssh/sshd_config -o UsePAM=no
+          # CMD is defined in Dockerfile, no need to override unless changing behavior
          ports:
            - containerPort: 2222
              name: ssh
@@ -90,17 +79,18 @@ spec:
              name: kubeconfig-secret
          resources:
            limits:
-              memory: "1Gi"
-              cpu: "1000m"
+              memory: "2Gi"
+              cpu: "2000m"
            requests:
-              memory: "128Mi"
-              cpu: "250m"
+              memory: "256Mi"
+              cpu: "500m"
          securityContext:
            runAsUser: 1000
            runAsGroup: 1000
-            allowPrivilegeEscalation: true
+            allowPrivilegeEscalation: false
            capabilities:
-              add: ["CAP_AUDIT_WRITE"]
+              drop: ["ALL"]
+              add: ["NET_BIND_SERVICE"]
      volumes:
        - name: data-volume
          persistentVolumeClaim:
--- a/manifests/rbac.yaml
+++ b/manifests/rbac.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: clawd-sa
+  namespace: clawdbox
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: clawd-sa-edit
+  namespace: clawdbox
+subjects:
+  - kind: ServiceAccount
+    name: clawd-sa
+    namespace: clawdbox
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: edit
--- a/manifests/route.yaml
+++ b/manifests/route.yaml
@@ -1,16 +1,16 @@
 apiVersion: route.openshift.io/v1
 kind: Route
 metadata:
-  name: openclaw
-  namespace: openclaw
+  name: clawdbox
+  namespace: clawdbox
 spec:
  host: clawdbox.apps.lab.apilab.us
  to:
    kind: Service
-    name: clawrganizer
+    name: clawdbox
    weight: 100
  port:
-    targetPort: http
+    targetPort: ssh
  tls:
    termination: edge
    insecureEdgeTerminationPolicy: Redirect