diff --git a/apps/telephony/telephony.yaml b/apps/telephony/telephony.yaml index 02d508a..05c175e 100644 --- a/apps/telephony/telephony.yaml +++ b/apps/telephony/telephony.yaml @@ -118,16 +118,25 @@ spec: app: telephony-web spec: securityContext: + runAsNonRoot: true + runAsUser: 1654 + runAsGroup: 1654 fsGroup: 1654 nodeSelector: kubernetes.io/hostname: rke2-agent1 initContainers: - name: fix-data-perms image: busybox:latest - command: ["sh", "-c", "chown -R 1654:1654 /data"] + # Also chown /shared-tts (hostPath /tmp/tts-audio) so the non-root + # app user (uid 1654) can write Piper .sln16 files that Asterisk + # reads at /var/lib/asterisk/sounds/tts. World-readable (755) is + # fine — Asterisk runs as a different uid in the other pod. + command: ["sh", "-c", "chown -R 1654:1654 /data && chown 1654:1654 /shared-tts && chmod 0755 /shared-tts"] volumeMounts: - name: telephony-data mountPath: /data + - name: shared-tts + mountPath: /shared-tts hostNetwork: true dnsPolicy: ClusterFirstWithHostNet affinity: @@ -141,6 +150,11 @@ spec: - name: telephony-web image: localhost/fc-telephony-web:v20260325d imagePullPolicy: Never + securityContext: + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: [ALL] ports: - containerPort: 5100 name: http @@ -170,6 +184,10 @@ spec: readOnly: true - name: telephony-data mountPath: /data + - name: tmp + mountPath: /tmp + - name: logs + mountPath: /app/logs # Shared TTS audio — we write Piper .sln16 output here; Asterisk # pod reads the same hostPath at /var/lib/asterisk/sounds/tts and # plays via `sound:tts/`. Both pods are pinned to rke2-agent1. @@ -201,6 +219,10 @@ spec: - name: telephony-data persistentVolumeClaim: claimName: telephony-data + - name: tmp + emptyDir: {} + - name: logs + emptyDir: {} - name: shared-tts hostPath: path: /tmp/tts-audio