diff --git a/scc-updates.sh b/scc-updates.sh
new file mode 100755
index 0000000..d66d859
--- /dev/null
+++ b/scc-updates.sh
@@ -0,0 +1,10 @@
+oc adm policy add-scc-to-user privileged -z apim-gateway-aga -n apim
+oc adm policy add-scc-to-user privileged -z apim-gateway-anm -n apim
+oc adm policy add-scc-to-user privileged -z apim-gateway-apimgr -n apim
+oc adm policy add-scc-to-user privileged -z apim-gateway-apitraffic -n apim
+oc adm policy add-scc-to-user privileged -z apim-gateway-tests -n apim
+oc adm policy add-scc-to-user anyuid -z apim-gateway-aga -n apim
+oc adm policy add-scc-to-user anyuid -z apim-gateway-anm -n apim
+oc adm policy add-scc-to-user anyuid -z apim-gateway-apimgr -n apim
+oc adm policy add-scc-to-user anyuid -z apim-gateway-apitraffic -n apim
+oc adm policy add-scc-to-user anyuid -z apim-gateway-tests -n apim
diff --git a/values-override.yaml b/values-override.yaml
index bfbe0ee..4374f2c 100644
--- a/values-override.yaml
+++ b/values-override.yaml
@@ -81,12 +81,12 @@ global: volumeName: apim-opentraffic initContainers: securityContext: - runAsNonRoot: true + # runAsNonRoot: true database: host: metrics-db.apim.svc.cluster.local databaseName: metrics metrics: - enabled: true + enabled: false username: "root" password: "6KhW3Pl_rOc=f2I4" sslMode: "NONE"
@@ -95,7 +95,7 @@ global: enabled: true hosts: - variable: CASS_HOST - hostname: cassandra-dc1-service.cassandra4.svc.cluster.local + hostname: cassandra-dc1-service.cassandra.svc.cluster.local username: cassandra password: cassandra keyspace: ks
@@ -115,7 +115,7 @@ anm: memory: "1Gi" cpu: "250m" securityContext: - runAsNonRoot: true + #runAsNonRoot: true route: enabled: true targetPort: "{{ .Values.anm.service.ports.traffic.port }}"
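Review bot: The first five lines of scc-updates.sh bind the `privileged` SCC to every gateway service account in `apim`, including `apim-gateway-tests`, which allows those pods to request privileged containers and host-level access — far more than relaxing the UID requirement needs. The `anyuid` grants that follow are then redundant; if the only goal is to let the images run with their built-in UID, `anyuid` alone (or, better, the default restricted SCC with the `runAsNonRoot` settings left in place) is the narrower choice, so I would drop the five `privileged` lines. The script also has no shebang or error handling, so a failed `oc` call is silently skipped; start it with `#!/usr/bin/env bash` and `set -euo pipefail`, plus a comment stating why each SCC is required.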
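Review bot: Commenting out `runAsNonRoot: true` under `initContainers.securityContext` (hunk -81) removes the kubelet check that refuses to start a container as UID 0, and the same line is disabled in the `anm` hunk at -115 and in the `apimgr`, `apitraffic`, `apiportal` and `aga` hunks of this file. Taken together with the `privileged`/`anyuid` grants in scc-updates.sh, these containers are now allowed to start as root. If the images need a fixed UID, keep the guard and pin the user, e.g. `runAsNonRoot: true` plus `runAsUser: <non-zero UID of the image>`; if the line really has to go, delete it and give the reason in a comment rather than leaving dead config. Separately, the context lines of the -81 hunk show the metrics database `password` in plain text with `sslMode: "NONE"`; that predates this commit but belongs in a Secret reference.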
@@ -178,10 +178,10 @@ anm: extraEnvVars: - name: EMT_DEPLOYMENT_ENABLED value: "true" - - name: ACCEPT_GENERAL_CONDITIONS - value: "yes" - - name: APIGW_LOG_OPENTRAFFIC_OUTPUT - value: "file" + #- name: ACCEPT_GENERAL_CONDITIONS + # value: "yes" + #- name: APIGW_LOG_OPENTRAFFIC_OUTPUT + # value: "file" - name: API_BUILDER_URL value: "https://axway-elk-apim4elastic-apibuilder4elastic.apim4elastic:8443"
@@ -201,7 +201,7 @@ apimgr: memory: "0.5Gi" cpu: 0.5 securityContext: - runAsNonRoot: true + # runAsNonRoot: true route: enabled: true annotations:
@@ -266,10 +266,10 @@ apimgr: value: "10" - name: EMT_DEPLOYMENT_ENABLED value: "true" - - name: ACCEPT_GENERAL_CONDITIONS - value: "yes" - - name: APIGW_LOG_OPENTRAFFIC_OUTPUT - value: "file" + #- name: ACCEPT_GENERAL_CONDITIONS + # value: "yes" + #- name: APIGW_LOG_OPENTRAFFIC_OUTPUT + # value: "file" license: license.lic: | FIPS=1
@@ -316,7 +316,7 @@ apitraffic: targetCPUUtilizationPercentage: 80 replicaCount: 1 securityContext: - runAsNonRoot: true + #runAsNonRoot: true oauth: enabled: true type: ClusterIP
@@ -442,8 +442,8 @@ apitraffic: value: /opt/Axway/apigateway/groups/topologylinks/emt-group-emt-service/trace - name: EMT_TOPOLOGY_TTL value: "10" - - name: APIGW_LOG_OPENTRAFFIC_OUTPUT - value: "file" + #- name: APIGW_LOG_OPENTRAFFIC_OUTPUT + # value: "file" - name: EMT_DEPLOYMENT_ENABLED value: "true" - name: ENV_SECRET_EXAMPLE
@@ -451,8 +451,8 @@ apitraffic: secretKeyRef: name: apim-gateway-cassandra key: username - - name: ACCEPT_GENERAL_CONDITIONS - value: "yes" + #- name: ACCEPT_GENERAL_CONDITIONS + # value: "yes" license: license.lic: | FIPS=1
@@ -572,7 +572,7 @@ apiportal: # fsGroup: 1048 securityContext: allowPrivilegeEscalation: false - runAsNonRoot: true + #runAsNonRoot: true aga: enabled: false
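Review bot: The `ACCEPT_GENERAL_CONDITIONS` and `APIGW_LOG_OPENTRAFFIC_OUTPUT` entries are commented out with no explanation, here under `anm` (-178) and again in the `apimgr` (-266) and `apitraffic` (-442, -451) hunks. Dropping `APIGW_LOG_OPENTRAFFIC_OUTPUT` with value `"file"` presumably changes where open-traffic events are written, which matters if a log shipper or the Elastic pipeline behind `API_BUILDER_URL` reads that file; please confirm traffic logging still reaches it after this change. Either delete the entries or keep them with a one-line reason, e.g. `# APIGW_LOG_OPENTRAFFIC_OUTPUT unset: <reason>`.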
@@ -619,16 +619,16 @@ aga: # The name of the service account to use. # If not set and create is true, a name is generated using the fullname template name: "" - extraEnvVars: - - name: ACCEPT_GENERAL_CONDITIONS - value: "yes" + extraEnvVars: {} + # - name: ACCEPT_GENERAL_CONDITIONS + # value: "yes" podAnnotations: {} podSecurityContext: {} securityContext: allowPrivilegeEscalation: false #NOTE readOnlyRootFilesystem should be left to false # readOnlyRootFilesystem: false - runAsNonRoot: true + #runAsNonRoot: true service: type: ClusterIP ports:
diff --git a/values.yaml b/values.yaml
index 3148478..65385b6 100644
--- a/values.yaml
+++ b/values.yaml
@@ -28,7 +28,7 @@ global: drop: - ALL readOnlyRootFilesystem: true - runAsNonRoot: true + #runAsNonRoot: true allowPrivilegeEscalation: false updateStrategy: # RollingUpdate or Recreate
@@ -240,7 +240,7 @@ global: securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true - runAsNonRoot: true + #runAsNonRoot: true serviceAccount: # Specifies whether a service account should be created create: true
@@ -302,7 +302,7 @@ anm: allowPrivilegeEscalation: false # NOTE: readOnlyRootFilesystem should be left to false # readOnlyRootFilesystem: false - runAsNonRoot: true + #runAsNonRoot: true service: type: ClusterIP ports:
@@ -465,7 +465,7 @@ apimgr: allowPrivilegeEscalation: false # NOTE: readOnlyRootFilesystem should be left to false # readOnlyRootFilesystem: false - runAsNonRoot: true + #runAsNonRoot: true service: type: ClusterIP ports:
@@ -644,7 +644,7 @@ apitraffic: allowPrivilegeEscalation: false # NOTE: readOnlyRootFilesystem should be left to false # readOnlyRootFilesystem: false - runAsNonRoot: true + # runAsNonRoot: true service: type: ClusterIP ports:
@@ -841,7 +841,7 @@ aga: allowPrivilegeEscalation: false # NOTE: readOnlyRootFilesystem should be left to false # readOnlyRootFilesystem: false - runAsNonRoot: true + #runAsNonRoot: true service: type: ClusterIP ports:
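Review bot: `extraEnvVars: {}` in the `aga` block (-619) replaces a sequence with an empty mapping, while the other components in this file keep `extraEnvVars` as a list of `name`/`value` items. A template that ranges over the value or renders it into a container `env:` list may emit `{}` where a list is expected (the template is not visible here, so this is inferred); use `extraEnvVars: []` instead. The commented `ACCEPT_GENERAL_CONDITIONS` lines below it can then be deleted rather than kept as dead config.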
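Review bot: Disabling `runAsNonRoot` in values.yaml changes the chart defaults, so every install loses the non-root guard, not only whatever environment values-override.yaml targets; the hunks at -240, -302, -465, -644, -841, -1062 and -1171 do the same for the other components. In the `global` block at -28 the neighbouring `drop: - ALL`, `readOnlyRootFilesystem: true` and `allowPrivilegeEscalation: false` stay in place, which suggests the default was meant to be a hardened profile. Keep `runAsNonRoot: true` in values.yaml and relax it, if at all, only in the environment-specific override, with a comment giving the reason.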
@@ -1062,7 +1062,7 @@ apiportal: # fsGroup: 1048 securityContext: allowPrivilegeEscalation: false - runAsNonRoot: true + #runAsNonRoot: true # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: {} # limits:
@@ -1171,7 +1171,7 @@ tests: securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true - runAsNonRoot: true + #runAsNonRoot: true serviceAccount: # Specifies whether a service account should be created create: true