mirror of
https://github.com/intel/intel-device-plugins-for-kubernetes.git
synced 2025-06-03 03:59:37 +00:00
fpga: run webhook container with user privileges
Modified deployment template and script to run admission controller webhook with user credentials.
parent
1b1206e39a
commit
368f34c76b
@ -36,4 +36,5 @@ RUN chmod a+x /go/bin/fpga_admissionwebhook \
|
||||
|
||||
FROM scratch as final
|
||||
COPY --from=builder /install_root /
|
||||
RUN groupadd -g 3210 fpga && useradd fpga -u 3210 -g 3210
|
||||
ENTRYPOINT ["/usr/local/bin/intel_fpga_admissionwebhook"]
|
||||
|
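Review bot: The `RUN groupadd -g 3210 fpga && useradd fpga -u 3210 -g 3210` step sits in the `FROM scratch` stage, so it can only execute if `/install_root` ships `/bin/sh` plus `groupadd` and `useradd`; the builder stage is outside this hunk, so that cannot be confirmed here. Even when the step succeeds, the image still defaults to root because no `USER` is set, and only the deployment's `securityContext` enforces uid 3210. Consider creating the account in the builder stage (writing `/install_root/etc/passwd` and `/install_root/etc/group`) and adding `USER 3210:3210` before `ENTRYPOINT`, so the image is non-root wherever it is run.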
@ -22,6 +22,9 @@ spec:
|
||||
- containerPort: 8443
|
||||
name: webhook-api
|
||||
securityContext:
|
||||
runAsNonRoot: true
|
||||
runAsUser: {uid}
|
||||
runAsGroup: {gid}
|
||||
readOnlyRootFilesystem: true
|
||||
args:
|
||||
- -tls-cert-file=/etc/webhook/certs/cert.pem
|
||||
|
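Review bot: The container `securityContext` stops at the user, group and read-only-root settings; it does not set `allowPrivilegeEscalation: false` or drop capabilities, which a webhook listening on port 8443 does not appear to need. Adding `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}` next to `readOnlyRootFilesystem: true` would complete the hardening. It is also worth confirming that the certificate files under `/etc/webhook/certs` are readable by the non-root uid, since the volume definition is outside this hunk. Because `{uid}` and `{gid}` are raw placeholders, a short comment stating that the template is only valid after the deploy script's `sed` pass would help anyone applying it by hand.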
@ -3,6 +3,8 @@
|
||||
srcroot="$(realpath $(dirname $0)/..)"
|
||||
service="intel-fpga-webhook-svc"
|
||||
secret="intel-fpga-webhook-certs"
|
||||
uid="3210" # fpga user
|
||||
gid="3210" # fpga group
|
||||
|
||||
function help {
|
||||
echo "Usage: $1 <options> [help|cleanup]"
|
||||
@ -94,7 +96,7 @@ cat ${srcroot}/deployments/fpga_admissionwebhook/rbac-config-tpl.yaml | \
|
||||
${kubectl} create -f -
|
||||
|
||||
echo "Create webhook deployment"
|
||||
cat ${srcroot}/deployments/fpga_admissionwebhook/deployment-tpl.yaml | sed -e "s/{MODE}/${mode}/g" | ${kubectl} --namespace ${namespace} create -f -
|
||||
cat ${srcroot}/deployments/fpga_admissionwebhook/deployment-tpl.yaml | sed -e "s/{MODE}/${mode}/g" -e "s/{uid}/${uid}/g" -e "s/{gid}/${gid}/g" | ${kubectl} --namespace ${namespace} create -f -
|
||||
|
||||
echo "Create webhook service"
|
||||
${kubectl} --namespace ${namespace} create -f ${srcroot}/deployments/fpga_admissionwebhook/service.yaml
|
||||
|
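Review bot: `uid="3210"` and `gid="3210"` duplicate the ids hard-coded in the image's `groupadd`/`useradd` line, and nothing ties the two together; if one side changes, the pod runs under an id with no matching account in the image. A comment such as `# must match the fpga uid/gid created in the webhook Dockerfile` on both assignments would make the coupling explicit. In the rewritten deployment line, `${srcroot}` and `${namespace}` are expanded unquoted, so a checkout path containing spaces breaks the pipeline. Passing the quoted template path to `sed` directly, as in `sed -e ... "${srcroot}/deployments/fpga_admissionwebhook/deployment-tpl.yaml" | ${kubectl} --namespace "${namespace}" create -f -`, fixes that and drops the extra `cat`.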