Added scc script for sa

Disabled runAsNonRoot
Disabled metrics
2025-12-12 18:04:33 +11:00
parent a153c1db3b
commit 99f425d503
3 changed files with 41 additions and 31 deletions

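--- /dev/null
+++ b/scc-updates.sh
@@ -0,0 +1,10 @@
+oc adm policy add-scc-to-user privileged -z apim-gateway-aga -n apim
+oc adm policy add-scc-to-user privileged -z apim-gateway-anm -n apim
+oc adm policy add-scc-to-user privileged -z apim-gateway-apimgr -n apim
+oc adm policy add-scc-to-user privileged -z apim-gateway-apitraffic -n apim
+oc adm policy add-scc-to-user privileged -z apim-gateway-tests -n apim
+oc adm policy add-scc-to-user anyuid -z apim-gateway-aga -n apim
+oc adm policy add-scc-to-user anyuid -z apim-gateway-anm -n apim
+oc adm policy add-scc-to-user anyuid -z apim-gateway-apimgr -n apim
+oc adm policy add-scc-to-user anyuid -z apim-gateway-apitraffic -n apim
+oc adm policy add-scc-to-user anyuid -z apim-gateway-tests -n apim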
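Review bot: Every service account is bound to both `privileged` and `anyuid` (lines 1–10), yet the commit description only asks to run as root, which `anyuid` alone grants; `privileged` additionally allows privileged containers, host namespaces and host-path volumes and should be dropped unless a specific component is known to need it. The script also has no interpreter line and no error handling, so a grant that fails is skipped silently by the lines after it; prepend `#!/usr/bin/env bash` and `set -euo pipefail`. Consider expressing the grant as a RoleBinding with the `use` verb on the SCC inside the chart rather than an out-of-band script, so the privilege level is reviewed and versioned with the rest of the manifests.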


@@ -81,12 +81,12 @@ global:
volumeName: apim-opentraffic
initContainers:
securityContext:
runAsNonRoot: true
# runAsNonRoot: true
database:
host: metrics-db.apim.svc.cluster.local
databaseName: metrics
metrics:
enabled: true
enabled: false
username: "root"
password: "6KhW3Pl_rOc=f2I4"
sslMode: "NONE"
@@ -95,7 +95,7 @@ global:
enabled: true
hosts:
- variable: CASS_HOST
hostname: cassandra-dc1-service.cassandra4.svc.cluster.local
hostname: cassandra-dc1-service.cassandra.svc.cluster.local
username: cassandra
password: cassandra
keyspace: ks
@@ -115,7 +115,7 @@ anm:
memory: "1Gi"
cpu: "250m"
securityContext:
runAsNonRoot: true
#runAsNonRoot: true
route:
enabled: true
targetPort: "{{ .Values.anm.service.ports.traffic.port }}"
@@ -178,10 +178,10 @@ anm:
extraEnvVars:
- name: EMT_DEPLOYMENT_ENABLED
value: "true"
- name: ACCEPT_GENERAL_CONDITIONS
value: "yes"
- name: APIGW_LOG_OPENTRAFFIC_OUTPUT
value: "file"
#- name: ACCEPT_GENERAL_CONDITIONS
# value: "yes"
#- name: APIGW_LOG_OPENTRAFFIC_OUTPUT
# value: "file"
- name: API_BUILDER_URL
value: "https://axway-elk-apim4elastic-apibuilder4elastic.apim4elastic:8443"
@@ -201,7 +201,7 @@ apimgr:
memory: "0.5Gi"
cpu: 0.5
securityContext:
runAsNonRoot: true
# runAsNonRoot: true
route:
enabled: true
annotations:
@@ -266,10 +266,10 @@ apimgr:
value: "10"
- name: EMT_DEPLOYMENT_ENABLED
value: "true"
- name: ACCEPT_GENERAL_CONDITIONS
value: "yes"
- name: APIGW_LOG_OPENTRAFFIC_OUTPUT
value: "file"
#- name: ACCEPT_GENERAL_CONDITIONS
# value: "yes"
#- name: APIGW_LOG_OPENTRAFFIC_OUTPUT
# value: "file"
license:
license.lic: |
FIPS=1
@@ -316,7 +316,7 @@ apitraffic:
targetCPUUtilizationPercentage: 80
replicaCount: 1
securityContext:
runAsNonRoot: true
#runAsNonRoot: true
oauth:
enabled: true
type: ClusterIP
@@ -442,8 +442,8 @@ apitraffic:
value: /opt/Axway/apigateway/groups/topologylinks/emt-group-emt-service/trace
- name: EMT_TOPOLOGY_TTL
value: "10"
- name: APIGW_LOG_OPENTRAFFIC_OUTPUT
value: "file"
#- name: APIGW_LOG_OPENTRAFFIC_OUTPUT
# value: "file"
- name: EMT_DEPLOYMENT_ENABLED
value: "true"
- name: ENV_SECRET_EXAMPLE
@@ -451,8 +451,8 @@ apitraffic:
secretKeyRef:
name: apim-gateway-cassandra
key: username
- name: ACCEPT_GENERAL_CONDITIONS
value: "yes"
#- name: ACCEPT_GENERAL_CONDITIONS
# value: "yes"
license:
license.lic: |
FIPS=1
@@ -572,7 +572,7 @@ apiportal:
# fsGroup: 1048
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
#runAsNonRoot: true
aga:
enabled: false
@@ -619,16 +619,16 @@ aga:
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
extraEnvVars:
- name: ACCEPT_GENERAL_CONDITIONS
value: "yes"
extraEnvVars: {}
# - name: ACCEPT_GENERAL_CONDITIONS
# value: "yes"
podAnnotations: {}
podSecurityContext: {}
securityContext:
allowPrivilegeEscalation: false
#NOTE readOnlyRootFilesystem should be left to false
# readOnlyRootFilesystem: false
runAsNonRoot: true
#runAsNonRoot: true
service:
type: ClusterIP
ports:
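Review bot: `runAsNonRoot: true` is commented out for initContainers, anm, apimgr, apitraffic, apiportal and aga (hunks at 81, 115, 201, 316, 572 and 619) with nothing in its place, so together with the new anyuid/privileged SCC grants these pods can now run as UID 0; if one image genuinely needs root, scope the exception to that component and record why, e.g. `# runAsNonRoot disabled: <image> needs root for <reason>; revisit` (placeholders), leaving it enabled elsewhere. Where possible keep `runAsNonRoot: true` and set an explicit `runAsUser`/`fsGroup` that the image supports instead. The comment style also varies between `#runAsNonRoot` and `# runAsNonRoot` across these hunks; use `# ` consistently. The context at hunk 81 still carries a plaintext `metrics.password` for `root`; that predates this change, but it belongs in a Secret reference rather than a committed values file. Every hunk here sits inside a mapping whose start and end lie outside the hunk.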


@@ -28,7 +28,7 @@ global:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
#runAsNonRoot: true
allowPrivilegeEscalation: false
updateStrategy:
# RollingUpdate or Recreate
@@ -240,7 +240,7 @@ global:
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsNonRoot: true
#runAsNonRoot: true
serviceAccount:
# Specifies whether a service account should be created
create: true
@@ -302,7 +302,7 @@ anm:
allowPrivilegeEscalation: false
# NOTE: readOnlyRootFilesystem should be left to false
# readOnlyRootFilesystem: false
runAsNonRoot: true
#runAsNonRoot: true
service:
type: ClusterIP
ports:
@@ -465,7 +465,7 @@ apimgr:
allowPrivilegeEscalation: false
# NOTE: readOnlyRootFilesystem should be left to false
# readOnlyRootFilesystem: false
runAsNonRoot: true
#runAsNonRoot: true
service:
type: ClusterIP
ports:
@@ -644,7 +644,7 @@ apitraffic:
allowPrivilegeEscalation: false
# NOTE: readOnlyRootFilesystem should be left to false
# readOnlyRootFilesystem: false
runAsNonRoot: true
# runAsNonRoot: true
service:
type: ClusterIP
ports:
@@ -841,7 +841,7 @@ aga:
allowPrivilegeEscalation: false
# NOTE: readOnlyRootFilesystem should be left to false
# readOnlyRootFilesystem: false
runAsNonRoot: true
#runAsNonRoot: true
service:
type: ClusterIP
ports:
@@ -1062,7 +1062,7 @@ apiportal:
# fsGroup: 1048
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
#runAsNonRoot: true
# ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
resources: {}
# limits:
@@ -1171,7 +1171,7 @@ tests:
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsNonRoot: true
#runAsNonRoot: true
serviceAccount:
# Specifies whether a service account should be created
create: true
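Review bot: This file looks like the chart's default values (serviceAccount and resources stanzas are present), so commenting out `runAsNonRoot: true` in every component's securityContext (hunks 28, 240, 302, 465, 644, 841, 1062, 1171) weakens the shipped default for every consumer of the chart, not only the environment that needed the SCC grants. Keep `runAsNonRoot: true` as the default here and relax it in the environment-specific values file only, or gate it behind a documented value with a comment such as `# set to false only for images that must run as root; pair with an explicit runAsUser`. The commented lines mix `#runAsNonRoot` and `# runAsNonRoot` (hunk 644 differs from the others); pick `# ` throughout. Each securityContext mapping begins before its hunk.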