fix(minecraft): testing rootless stuff

2026-01-27 18:18:26 +00:00 · 2023-10-08 22:21:28 +08:00
parent 64772bb95a
commit e2002af2ea
1 changed files with 22 additions and 22 deletions
--- a/kube/deploy/apps/minecraft/app/hr.yaml
+++ b/kube/deploy/apps/minecraft/app/hr.yaml
@@ -91,7 +91,7 @@ spec:
                  exec: *probeexec
            securityContext:
              readOnlyRootFilesystem: true
-              allowPrivilegeEscalation: false
+              allowPrivilegeEscalation: true
              capabilities:
                drop: ["ALL"]
                add: ["NET_RAW", "SETUID", "SETGID", "DAC_READ_SEARCH", "AUDIT_WRITE"] # used for autopause, Cilium claims it's safe to use without kube-proxy: https://cilium.io/blog/2020/12/11/kube-proxy-free-cve-mitigation/
@@ -118,17 +118,17 @@ spec:
              globalMounts:
                - path: "/data"
                  readOnly: false
-        # initContainers:
-        #   01-knockd-cp: &init
-        #     command: ["/usr/bin/cp", "/usr/local/sbin/knockd", "/knockd/knockd"]
-        #     # image: "{{ .Values.controllers.main.containers.main.image.repository }}:{{ .Values.controllers.main.containers.main.image.tag }}"
-        #     image: *image
-        #     imagePullPolicy: IfNotPresent
-        #   02-knockd-add-caps:
-        #     <<: *init
-        #     command: ["/usr/sbin/setcap", "cap_net_raw=ep", "/knockd/knockd"]
-        #     securityContext:
-        #       runAsUser: 0
+        initContainers:
+          01-knockd-cp: &init
+            command: ["/usr/bin/cp", "/usr/local/sbin/knockd", "/knockd/knockd"]
+            # image: "{{ .Values.controllers.main.containers.main.image.repository }}:{{ .Values.controllers.main.containers.main.image.tag }}"
+            image: *image
+            imagePullPolicy: IfNotPresent
+          02-knockd-add-caps:
+            <<: *init
+            command: ["/usr/sbin/setcap", "cap_net_raw=ep", "/knockd/knockd"]
+            securityContext:
+              runAsUser: 0
    service:
      main:
        enabled: true
@@ -154,7 +154,7 @@ spec:
        # runAsUser: &uid ${APP_UID_MINECRAFT}
        runAsGroup: *uid
        fsGroup: *uid
-        runAsNonRoot: true
+        runAsNonRoot: false
        seccompProfile: {type: "RuntimeDefault"}
        fsGroupChangePolicy: "Always"
    persistence:
@@ -165,12 +165,12 @@ spec:
        globalMounts:
          - path: /tmp
            readOnly: false
-      # knockd:
-      #   enabled: true
-      #   type: emptyDir
-      #   medium: Memory
-      #   advancedMounts:
-      #     main:
-      #       main: [{path: "/usr/local/sbin"}] # janky gamble, given that knockd is the only thing installed at this path as of 2023-10-08
-      #       01-knockd-cp: [{path: "/knockd"}]
-      #       02-knockd-add-caps: [{path: "/knockd"}]
+      knockd:
+        enabled: true
+        type: emptyDir
+        medium: Memory
+        advancedMounts:
+          main:
+            main: [{path: "/usr/local/sbin"}] # janky gamble, given that knockd is the only thing installed at this path as of 2023-10-08
+            01-knockd-cp: [{path: "/knockd"}]
+            02-knockd-add-caps: [{path: "/knockd"}]