Deploy Intranet SEC-5 non-root image to GX10
Pin localhost/fc-intranet-web:v20260617-sec5-intranet-1abdf90 and apply restricted pod/container security contexts plus writable /data, /tmp, and /app/logs mounts.
This commit is contained in:
Andrew Stoltz
@@ -49,13 +49,17 @@
|
|||||||
"name": "IntranetSearch__Enabled",
|
"name": "IntranetSearch__Enabled",
|
||||||
"value": "true"
|
"value": "true"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"name": "PageReadingOverrides__DatabasePath",
|
"name": "PageReadingOverrides__DatabasePath",
|
||||||
"value": "/data/page-reading-overrides.db"
|
"value": "/data/page-reading-overrides.db"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"name": "KnowledgeFleetSearch__BaseUrl",
|
"name": "FlowerCore__Theme__DatabasePath",
|
||||||
"value": "https://knowledge.iamworkin.lan"
|
"value": "/data/intranet-theme.db"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "KnowledgeFleetSearch__BaseUrl",
|
||||||
|
"value": "https://knowledge.iamworkin.lan"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"name": "KnowledgeFleetSearch__ApiKey",
|
"name": "KnowledgeFleetSearch__ApiKey",
|
||||||
@@ -78,9 +82,18 @@
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"image": "localhost/fc-intranet-web:gx10-v1",
|
"image": "localhost/fc-intranet-web:v20260617-sec5-intranet-1abdf90",
|
||||||
"imagePullPolicy": "Never",
|
"imagePullPolicy": "Never",
|
||||||
"livenessProbe": {
|
"securityContext": {
|
||||||
|
"allowPrivilegeEscalation": false,
|
||||||
|
"capabilities": {
|
||||||
|
"drop": [
|
||||||
|
"ALL"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"readOnlyRootFilesystem": true
|
||||||
|
},
|
||||||
|
"livenessProbe": {
|
||||||
"failureThreshold": 3,
|
"failureThreshold": 3,
|
||||||
"httpGet": {
|
"httpGet": {
|
||||||
"path": "/health",
|
"path": "/health",
|
||||||
@@ -129,19 +142,33 @@
|
|||||||
"mountPath": "/data",
|
"mountPath": "/data",
|
||||||
"name": "vector-store"
|
"name": "vector-store"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"mountPath": "/srv/flowercore-notes",
|
"mountPath": "/srv/flowercore-notes",
|
||||||
"name": "notes-corpus",
|
"name": "notes-corpus",
|
||||||
"readOnly": true
|
"readOnly": true
|
||||||
}
|
},
|
||||||
]
|
{
|
||||||
|
"mountPath": "/tmp",
|
||||||
|
"name": "temp"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"mountPath": "/app/logs",
|
||||||
|
"name": "logs"
|
||||||
|
}
|
||||||
|
]
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"dnsPolicy": "ClusterFirst",
|
"dnsPolicy": "ClusterFirst",
|
||||||
"restartPolicy": "Always",
|
"restartPolicy": "Always",
|
||||||
"schedulerName": "default-scheduler",
|
"schedulerName": "default-scheduler",
|
||||||
"securityContext": {},
|
"securityContext": {
|
||||||
"terminationGracePeriodSeconds": 30,
|
"fsGroup": 1654,
|
||||||
|
"fsGroupChangePolicy": "OnRootMismatch",
|
||||||
|
"runAsGroup": 1654,
|
||||||
|
"runAsNonRoot": true,
|
||||||
|
"runAsUser": 1654
|
||||||
|
},
|
||||||
|
"terminationGracePeriodSeconds": 30,
|
||||||
"volumes": [
|
"volumes": [
|
||||||
{
|
{
|
||||||
"name": "vector-store",
|
"name": "vector-store",
|
||||||
@@ -149,11 +176,19 @@
|
|||||||
"claimName": "intranet-vector-store"
|
"claimName": "intranet-vector-store"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"emptyDir": {},
|
"emptyDir": {},
|
||||||
"name": "notes-corpus"
|
"name": "notes-corpus"
|
||||||
}
|
},
|
||||||
]
|
{
|
||||||
|
"emptyDir": {},
|
||||||
|
"name": "temp"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"emptyDir": {},
|
||||||
|
"name": "logs"
|
||||||
|
}
|
||||||
|
]
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user