Commit 39ab8b1

authored
Use RabbitMQ user for init container instead of root (#731)
1 parent 032d28a commit 39ab8b1

2 files changed

+5
-33
lines changed

2 files changed

+5
-33
lines changed

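--- a/internal/resource/statefulset.go
+++ b/internal/resource/statefulset.go
@@ -540,23 +540,8 @@ func (builder *StatefulSetBuilder) podTemplateSpec(previousPodAnnotations map[st
 Name: "setup-container",
 Image: builder.Instance.Spec.Image,
 SecurityContext: &corev1.SecurityContext{
-RunAsUser: pointer.Int64Ptr(0),
-Capabilities: &corev1.Capabilities{
-// drop default set from Docker except for CHOWN, FOWNER, and DAC_OVERRIDE
-Drop: []corev1.Capability{
-"FSETID",
-"KILL",
-"SETGID",
-"SETUID",
-"SETPCAP",
-"NET_BIND_SERVICE",
-"NET_RAW",
-"SYS_CHROOT",
-"MKNOD",
-"AUDIT_WRITE",
-"SETFCAP",
-},
-},
+RunAsGroup: &rabbitmqGID,
+RunAsUser: &rabbitmqUID,
 },
 Command: []string{
 "sh", "-c", "cp /tmp/erlang-cookie-secret/.erlang.cookie /var/lib/rabbitmq/.erlang.cookie " +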
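Review bot: The `SecurityContext` for `setup-container` now sets only `RunAsGroup` and `RunAsUser`, so nothing pins the container's capability bounding set or blocks privilege escalation: a non-root process starts with no effective capabilities, but a setuid or file-capability binary in the image could still regain some from the runtime's default set. Consider adding `AllowPrivilegeEscalation: pointer.BoolPtr(false),` and `Capabilities: &corev1.Capabilities{Drop: []corev1.Capability{"ALL"}},` next to the two new fields. It is also worth confirming that the `cp` in `Command` can still read the cookie secret and write `/var/lib/rabbitmq` as that user, since the volume permissions are not visible here. `podTemplateSpec` starts and ends outside this hunk, as do the definitions of `rabbitmqUID` and `rabbitmqGID`.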

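--- a/internal/resource/statefulset_test.go
+++ b/internal/resource/statefulset_test.go
@@ -1217,26 +1217,13 @@ var _ = Describe("StatefulSet", func() {
 initContainers := statefulSet.Spec.Template.Spec.InitContainers
 Expect(initContainers).To(HaveLen(1))
 
+rmqGID, rmqUID := int64(999), int64(999)
 initContainer := extractContainer(initContainers, "setup-container")
 Expect(initContainer).To(MatchFields(IgnoreExtras, Fields{
 "Image": Equal("rabbitmq-image-from-cr"),
 "SecurityContext": PointTo(MatchFields(IgnoreExtras, Fields{
-"Capabilities": PointTo(MatchAllFields(Fields{
-"Drop": ConsistOf([]corev1.Capability{
-"FSETID",
-"KILL",
-"SETGID",
-"SETUID",
-"SETPCAP",
-"NET_BIND_SERVICE",
-"NET_RAW",
-"SYS_CHROOT",
-"MKNOD",
-"AUDIT_WRITE",
-"SETFCAP",
-}),
-"Add": BeEmpty(),
-})),
+"RunAsUser": Equal(&rmqUID),
+"RunAsGroup": Equal(&rmqGID),
 })),
 "Command": ConsistOf(
 "sh", "-c", "cp /tmp/erlang-cookie-secret/.erlang.cookie /var/lib/rabbitmq/.erlang.cookie "+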
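Review bot: The assertions `Equal(&rmqUID)` and `Equal(&rmqGID)` pass only because Gomega's `Equal` uses `reflect.DeepEqual`, which follows pointers; the surrounding matchers already use `PointTo`, so `"RunAsUser": PointTo(Equal(int64(999))),` and the same for `RunAsGroup` would state the intent directly and remove the `rmqGID, rmqUID` locals at new line 1220. With `IgnoreExtras` on the `SecurityContext` match and the capability assertions removed, this spec no longer checks any other hardening field, so a regression there would go unnoticed. The enclosing `Describe` block starts and ends outside this hunk.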
