From 6fb5ef88fbd1907b904f7ddc8f4a4fbbc0f2955f Mon Sep 17 00:00:00 2001
From: Stavros kois
Date: Tue, 13 Sep 2022 09:39:23 +0300
Subject: [PATCH] change run user when userspace is not checked

---
 .../templates/addons/vpn/tailscale/_container.tpl | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/charts/common/templates/addons/vpn/tailscale/_container.tpl b/charts/common/templates/addons/vpn/tailscale/_container.tpl
index c4fa4f72..409eb4ff 100644
--- a/charts/common/templates/addons/vpn/tailscale/_container.tpl
+++ b/charts/common/templates/addons/vpn/tailscale/_container.tpl
@@ -11,14 +11,23 @@
 command: ["ash", "/tailscale/run.sh"]
 tty: true
-# It should run rootless. But needs test
 securityContext:
+{{- if .Values.addons.vpn.tailscale.userspace }}
 runAsUser: 1000
 runAsGroup: 1000
+ runAsNonRoot: true
+ readOnlyRootFilesystem: true
+{{- else }}
+ runAsUser: 0
+ runAsGroup: 0
+ runAsNonRoot: false
+ readOnlyRootFilesystem: false
+{{- end }}
 capabilities:
 add:
 - NET_ADMIN
+
 envFrom:
 - secretRef:
 name: {{ $secretName }}
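Review bot: The `{{- else }}` branch relaxes two things at once, `runAsUser: 0` and `readOnlyRootFilesystem: false`, but only the root UID is plausibly required by kernel-mode tailscaled (the tun device); a writable root filesystem is a separate widening, and if the need is the state directory or the control socket, a writable volume mount for just those paths keeps `readOnlyRootFilesystem: true` in both branches. The removed `# It should run rootless. But needs test` line should be replaced rather than dropped, so the reason for each branch is recorded, e.g. `# Kernel-mode tailscaled needs root plus NET_ADMIN to create the tun device; userspace mode runs unprivileged.` Helm's `if` treats an unset value as false, so a chart that omits `addons.vpn.tailscale.userspace` silently lands in the root branch — worth confirming that values.yaml defaults the key explicitly rather than relying on absence. Consider also pairing the `add: - NET_ADMIN` with `drop: [ALL]` so the root branch does not additionally keep the runtime's default capability set, unless the common chart already applies that elsewhere.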