Added scc script for sa

disabled runAsNonRoot
disabled metrics
2025-12-12 18:04:33 +11:00
parent a153c1db3b
commit 99f425d503
3 changed files with 41 additions and 31 deletions

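--- a/scc-updates.sh
+++ b/scc-updates.sh
@@ -0,0 +1,10 @@
+oc adm policy add-scc-to-user privileged -z apim-gateway-aga -n apim
+oc adm policy add-scc-to-user privileged -z apim-gateway-anm -n apim
+oc adm policy add-scc-to-user privileged -z apim-gateway-apimgr -n apim
+oc adm policy add-scc-to-user privileged -z apim-gateway-apitraffic -n apim
+oc adm policy add-scc-to-user privileged -z apim-gateway-tests -n apim
+oc adm policy add-scc-to-user anyuid -z apim-gateway-aga -n apim
+oc adm policy add-scc-to-user anyuid -z apim-gateway-anm -n apim
+oc adm policy add-scc-to-user anyuid -z apim-gateway-apimgr -n apim
+oc adm policy add-scc-to-user anyuid -z apim-gateway-apitraffic -n apim
+oc adm policy add-scc-to-user anyuid -z apim-gateway-tests -n apim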
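Review bot: The five `privileged` grants in the first half of the file give each gateway service account far more than the commit message ("disabled run as non root") calls for — the `privileged` SCC admits host namespaces, hostPath mounts and the full capability set, whereas running as root is already covered by the `anyuid` grants that follow; unless a specific component is known to need more, drop the `privileged` lines and keep only `anyuid`. The file is marked executable but has no interpreter line and no error handling, so a grant that fails part-way (wrong namespace, missing service account) is silently skipped by the remaining lines; start it with `#!/usr/bin/env bash` and `set -euo pipefail`. The namespace and service-account names are hard-coded, so this only matches one release of the chart; a leading comment naming that release and noting that `helm uninstall` will not revert these grants would help the next operator. The `tests` service account presumably only runs the chart's test hook — worth confirming it needs any SCC relaxation at all.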


@@ -81,12 +81,12 @@ global:
volumeName: apim-opentraffic volumeName: apim-opentraffic
initContainers: initContainers:
securityContext: securityContext:
runAsNonRoot: true # runAsNonRoot: true
database: database:
host: metrics-db.apim.svc.cluster.local host: metrics-db.apim.svc.cluster.local
databaseName: metrics databaseName: metrics
metrics: metrics:
enabled: true enabled: false
username: "root" username: "root"
password: "6KhW3Pl_rOc=f2I4" password: "6KhW3Pl_rOc=f2I4"
sslMode: "NONE" sslMode: "NONE"
@@ -95,7 +95,7 @@ global:
enabled: true enabled: true
hosts: hosts:
- variable: CASS_HOST - variable: CASS_HOST
hostname: cassandra-dc1-service.cassandra4.svc.cluster.local hostname: cassandra-dc1-service.cassandra.svc.cluster.local
username: cassandra username: cassandra
password: cassandra password: cassandra
keyspace: ks keyspace: ks
@@ -115,7 +115,7 @@ anm:
memory: "1Gi" memory: "1Gi"
cpu: "250m" cpu: "250m"
securityContext: securityContext:
runAsNonRoot: true #runAsNonRoot: true
route: route:
enabled: true enabled: true
targetPort: "{{ .Values.anm.service.ports.traffic.port }}" targetPort: "{{ .Values.anm.service.ports.traffic.port }}"
@@ -178,10 +178,10 @@ anm:
extraEnvVars: extraEnvVars:
- name: EMT_DEPLOYMENT_ENABLED - name: EMT_DEPLOYMENT_ENABLED
value: "true" value: "true"
- name: ACCEPT_GENERAL_CONDITIONS #- name: ACCEPT_GENERAL_CONDITIONS
value: "yes" # value: "yes"
- name: APIGW_LOG_OPENTRAFFIC_OUTPUT #- name: APIGW_LOG_OPENTRAFFIC_OUTPUT
value: "file" # value: "file"
- name: API_BUILDER_URL - name: API_BUILDER_URL
value: "https://axway-elk-apim4elastic-apibuilder4elastic.apim4elastic:8443" value: "https://axway-elk-apim4elastic-apibuilder4elastic.apim4elastic:8443"
@@ -201,7 +201,7 @@ apimgr:
memory: "0.5Gi" memory: "0.5Gi"
cpu: 0.5 cpu: 0.5
securityContext: securityContext:
runAsNonRoot: true # runAsNonRoot: true
route: route:
enabled: true enabled: true
annotations: annotations:
@@ -266,10 +266,10 @@ apimgr:
value: "10" value: "10"
- name: EMT_DEPLOYMENT_ENABLED - name: EMT_DEPLOYMENT_ENABLED
value: "true" value: "true"
- name: ACCEPT_GENERAL_CONDITIONS #- name: ACCEPT_GENERAL_CONDITIONS
value: "yes" # value: "yes"
- name: APIGW_LOG_OPENTRAFFIC_OUTPUT #- name: APIGW_LOG_OPENTRAFFIC_OUTPUT
value: "file" # value: "file"
license: license:
license.lic: | license.lic: |
FIPS=1 FIPS=1
@@ -316,7 +316,7 @@ apitraffic:
targetCPUUtilizationPercentage: 80 targetCPUUtilizationPercentage: 80
replicaCount: 1 replicaCount: 1
securityContext: securityContext:
runAsNonRoot: true #runAsNonRoot: true
oauth: oauth:
enabled: true enabled: true
type: ClusterIP type: ClusterIP
@@ -442,8 +442,8 @@ apitraffic:
value: /opt/Axway/apigateway/groups/topologylinks/emt-group-emt-service/trace value: /opt/Axway/apigateway/groups/topologylinks/emt-group-emt-service/trace
- name: EMT_TOPOLOGY_TTL - name: EMT_TOPOLOGY_TTL
value: "10" value: "10"
- name: APIGW_LOG_OPENTRAFFIC_OUTPUT #- name: APIGW_LOG_OPENTRAFFIC_OUTPUT
value: "file" # value: "file"
- name: EMT_DEPLOYMENT_ENABLED - name: EMT_DEPLOYMENT_ENABLED
value: "true" value: "true"
- name: ENV_SECRET_EXAMPLE - name: ENV_SECRET_EXAMPLE
@@ -451,8 +451,8 @@ apitraffic:
secretKeyRef: secretKeyRef:
name: apim-gateway-cassandra name: apim-gateway-cassandra
key: username key: username
- name: ACCEPT_GENERAL_CONDITIONS #- name: ACCEPT_GENERAL_CONDITIONS
value: "yes" # value: "yes"
license: license:
license.lic: | license.lic: |
FIPS=1 FIPS=1
@@ -572,7 +572,7 @@ apiportal:
# fsGroup: 1048 # fsGroup: 1048
securityContext: securityContext:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
runAsNonRoot: true #runAsNonRoot: true
aga: aga:
enabled: false enabled: false
@@ -619,16 +619,16 @@ aga:
# The name of the service account to use. # The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template # If not set and create is true, a name is generated using the fullname template
name: "" name: ""
extraEnvVars: extraEnvVars: {}
- name: ACCEPT_GENERAL_CONDITIONS # - name: ACCEPT_GENERAL_CONDITIONS
value: "yes" # value: "yes"
podAnnotations: {} podAnnotations: {}
podSecurityContext: {} podSecurityContext: {}
securityContext: securityContext:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
#NOTE readOnlyRootFilesystem should be left to false #NOTE readOnlyRootFilesystem should be left to false
# readOnlyRootFilesystem: false # readOnlyRootFilesystem: false
runAsNonRoot: true #runAsNonRoot: true
service: service:
type: ClusterIP type: ClusterIP
ports: ports:
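Review bot: `extraEnvVars: {}` in the hunk at line 619 changes the value from a sequence to a mapping, while every other `extraEnvVars` in this file is a list of `- name:`/`value:` entries; if the template renders it into the container `env:` (which must be a list), an empty map will not produce valid output — use `extraEnvVars: []` or leave the key absent. Commenting out `runAsNonRoot: true` (hunks at lines 81, 115, 201, 316, 572 and 619) drops the control for every component at once rather than the ones the SCC script actually needs to run as root; an explicit `runAsNonRoot: false` on just those components keeps the intent visible and reviewable instead of silently falling back to the chart default. The `ACCEPT_GENERAL_CONDITIONS` and `APIGW_LOG_OPENTRAFFIC_OUTPUT` entries are commented out in the same hunks — whether the gateway images start without the former is not visible here, so confirm before merging. The Cassandra hostname change in the hunk at line 95 (`cassandra4` → `cassandra`) is unrelated to the commit message and deserves its own mention in the description.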


@@ -28,7 +28,7 @@ global:
drop: drop:
- ALL - ALL
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
runAsNonRoot: true #runAsNonRoot: true
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
updateStrategy: updateStrategy:
# RollingUpdate or Recreate # RollingUpdate or Recreate
@@ -240,7 +240,7 @@ global:
securityContext: securityContext:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
runAsNonRoot: true #runAsNonRoot: true
serviceAccount: serviceAccount:
# Specifies whether a service account should be created # Specifies whether a service account should be created
create: true create: true
@@ -302,7 +302,7 @@ anm:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
# NOTE: readOnlyRootFilesystem should be left to false # NOTE: readOnlyRootFilesystem should be left to false
# readOnlyRootFilesystem: false # readOnlyRootFilesystem: false
runAsNonRoot: true #runAsNonRoot: true
service: service:
type: ClusterIP type: ClusterIP
ports: ports:
@@ -465,7 +465,7 @@ apimgr:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
# NOTE: readOnlyRootFilesystem should be left to false # NOTE: readOnlyRootFilesystem should be left to false
# readOnlyRootFilesystem: false # readOnlyRootFilesystem: false
runAsNonRoot: true #runAsNonRoot: true
service: service:
type: ClusterIP type: ClusterIP
ports: ports:
@@ -644,7 +644,7 @@ apitraffic:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
# NOTE: readOnlyRootFilesystem should be left to false # NOTE: readOnlyRootFilesystem should be left to false
# readOnlyRootFilesystem: false # readOnlyRootFilesystem: false
runAsNonRoot: true # runAsNonRoot: true
service: service:
type: ClusterIP type: ClusterIP
ports: ports:
@@ -841,7 +841,7 @@ aga:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
# NOTE: readOnlyRootFilesystem should be left to false # NOTE: readOnlyRootFilesystem should be left to false
# readOnlyRootFilesystem: false # readOnlyRootFilesystem: false
runAsNonRoot: true #runAsNonRoot: true
service: service:
type: ClusterIP type: ClusterIP
ports: ports:
@@ -1062,7 +1062,7 @@ apiportal:
# fsGroup: 1048 # fsGroup: 1048
securityContext: securityContext:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
runAsNonRoot: true #runAsNonRoot: true
# ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
resources: {} resources: {}
# limits: # limits:
@@ -1171,7 +1171,7 @@ tests:
securityContext: securityContext:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
runAsNonRoot: true #runAsNonRoot: true
serviceAccount: serviceAccount:
# Specifies whether a service account should be created # Specifies whether a service account should be created
create: true create: true
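Review bot: Every `runAsNonRoot: true` in this file, including the `tests` and `apiportal` blocks, is commented out (hunks at lines 28, 240, 302, 465, 644, 841, 1062 and 1171), which removes the control from the chart's defaults for all consumers, not only the OpenShift environment whose service accounts the SCC script targets; keeping `runAsNonRoot: true` here and overriding it to `false` in the environment-specific values file would limit the blast radius to the deployments that actually need it. The surrounding `readOnlyRootFilesystem: true` and `allowPrivilegeEscalation: false` keys are untouched, so the change is narrower than "privileged" would suggest — worth stating in a comment such as `# runAsNonRoot disabled for OpenShift anyuid SCC; see scc-updates.sh`. Minor: the commented lines alternate between `#runAsNonRoot` and `# runAsNonRoot`; yamllint's comments rule expects a space after `#`.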