apiVersion: apps/v1 kind: Deployment metadata: name: clawdbox namespace: clawdbox labels: app: clawdbox spec: replicas: 1 selector: matchLabels: app: clawdbox strategy: type: Recreate template: metadata: labels: app: clawdbox spec: serviceAccountName: clawd-sa initContainers: - name: setup-ssh image: docker.io/alpine:latest command: - sh - -c - | # 1. Fix data volume permissions chown -R 1000:0 /data && chmod -R 775 /data # 2. Setup writable SSH tirectory from Secret cp /mnt/keys/authorized_keys /working-ssh/ chown 1000:0 /working-ssh/authorized_keys chmod 600 /working-ssh/authorized_keys volumeMounts: - name: data-volume mountPath: /data - name: ssh-keys-secret mountPath: /mnt/keys - name: ssh-working mountPath: /working-ssh containers: - name: clawdbox image: default-route-openshift-image-registry.apps.lab.apilab.us/clawdbox/clawdbox:latest imagePullPolicy: Always command: - /bin/bash - "-c" - | mkdir -p /data/ssh if [ ! -f /data/ssh/ssh_host_rsa_key ]; then echo 'Generating persistent host keys...' ssh-keygen -f /data/ssh/ssh_host_rsa_key -N '' -t rsa ssh-keygen -f /data/ssh/ssh_host_ecdsa_key -N '' -t ecdsa ssh-keygen -f /data/ssh/ssh_host_ed25519_key -N '' -t ed25519 fi chmod 600 /data/ssh/ssh_host_*_key # Run sshd with PAM disabled and logging to stderr /usr/sbin/sshd -D -e -f /etc/ssh/sshd_config -o UsePAM=no ports: - containerPort: 2222 name: ssh volumeMounts: - mountPath: /data name: data-volume - mountPath: /home/claw/.ssh name: ssh-working resources: limits: memory: "2Gi" cpu: "1000m" requests: memory: "512Mi" cpu: "250m" securityContext: runAsUser: 1000 runAsGroup: 1000 fsGroup: 1000 allowPrivilegeEscalation: true volumes: - name: data-volume persistentVolumeClaim: claimName: clawdbox-pvc - name: ssh-keys-secret secret: secretName: clawdbox-ssh-keys defaultMode: 0600 - name: ssh-working emptyDir: {}