@@ -34,7 +34,8 @@ const createNameSpaceForTeam = async (team) => {
3434 } ,
3535 labels : {
3636 name : `t-${ team } ,
37- 'pod-security.kubernetes.io/enforce' : 'restricted' ,
37+ 'pod-security.kubernetes.io/audit' : 'restricted' ,
38+ 'pod-security.kubernetes.io/enforce' : 'baseline' ,
3839 } ,
3940 } ;
4041 k8sCoreApi . createNamespace ( namedNameSpace ) . catch ( ( error ) => {
@@ -1073,11 +1074,11 @@ const createDesktopDeploymentForTeam = async ({ team, passcodeHash }) => {
10731074 } ,
10741075 spec : {
10751076 serviceAccountName : 'webtop-sa' ,
1076- securityContext : {
1077- runAsUser : 1000 ,
1078- runAsGroup : 1000 ,
1079- fsGroup : 1000 ,
1080- } ,
1077+ // securityContext: {
1078+ // runAsUser: 1000,
1079+ // runAsGroup: 1000,
1080+ // fsGroup: 1000,
1081+ // },
10811082 containers : [
10821083 {
10831084 name : 'virtualdesktop' ,
@@ -1098,10 +1099,10 @@ const createDesktopDeploymentForTeam = async ({ team, passcodeHash }) => {
10981099 } ,
10991100 // resources: get('virtualdesktop.resources'),
11001101 securityContext : {
1101- allowPrivilegeEscalation : false ,
1102- readOnlyRootFilesystem : true ,
1103- runAsNonRoot : true ,
1104- capabilities : { drop : [ 'ALL' ] } ,
1102+ allowPrivilegeEscalation : true ,
1103+ readOnlyRootFilesystem : false ,
1104+ runAsNonRoot : false ,
1105+ capabilities : { drop : [ 'ALL' ] , add : [ 'CAP_SETGID' , 'CAP_SETUID' , 'CAP_CHOWN' ] } ,
11051106 seccompProfile : { type : 'RuntimeDefault' } ,
11061107 } ,
11071108 env : [ ...get ( 'virtualdesktop.env' , [ ] ) ] ,
@@ -1140,7 +1141,7 @@ const createDesktopDeploymentForTeam = async ({ team, passcodeHash }) => {
11401141 {
11411142 emptyDir : {
11421143 medium : 'Memory' ,
1143- sizeLimit : '128Mi ' ,
1144+ sizeLimit : '200Mi ' ,
11441145 } ,
11451146 name : 'config-fs' ,
11461147 } ,
0 commit comments