Optionally lock down package server runtime environment

javanthropus · javanthropus · commit 53aacbdf304d · 2020-03-14T10:18:26.000-04:00
* Run as non-root by default
* Mount a emptyDir volume to /tmp so that the root filesystem can be read-only
diff --git a/deploy/chart/templates/_packageserver.deployment-spec.yaml b/deploy/chart/templates/_packageserver.deployment-spec.yaml
@@ -60,5 +60,15 @@ spec:
         {{- if .Values.package.resources }}
         resources:
 {{ toYaml .Values.package.resources | indent 10 }}
-        {{- end}}
+        {{- end }}
+        {{- if .Values.package.securityContext }}
+        securityContext:
+          runAsUser: {{ .Values.package.securityContext.runAsUser }}
+        {{- end }}
+        volumeMounts:
+        - name: tmpfs
+          mountPath: /tmp
+      volumes:
+      - name: tmpfs
+        emptyDir: {}
 {{- end -}}
diff --git a/deploy/upstream/values.yaml b/deploy/upstream/values.yaml
@@ -27,5 +27,7 @@ package:
     pullPolicy: Always
   service:
     internalPort: 5443
+  securityContext:
+    runAsUser: 1000
 catalog_sources:
 - rh-operators
