github/intel-device-plugins-for-kubernetes
7
0
Fork 0
mirror of https://github.com/intel/intel-device-plugins-for-kubernetes.git synced 2025-06-03 03:59:37 +00:00
Code Issues Packages Projects Releases Wiki Activity

fpga: run webhook container with user privileges

Browse Source 
Modified deployment template and script to run admission controller
webhook with user credentials.
This commit is contained in:
Ed Bartosh 2019-12-19 13:17:24 +02:00
parent 1b1206e39a
commit 368f34c76b
3 changed files with 7 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
build/docker/intel-fpga-admissionwebhook.Dockerfile
View File

@ -36,4 +36,5 @@ RUN chmod a+x /go/bin/fpga_admissionwebhook \
FROM scratch as final FROM scratch as final
COPY --from=builder /install_root / COPY --from=builder /install_root /
RUN groupadd -g 3210 fpga && useradd fpga -u 3210 -g 3210
ENTRYPOINT ["/usr/local/bin/intel_fpga_admissionwebhook"] ENTRYPOINT ["/usr/local/bin/intel_fpga_admissionwebhook"]

3
deployments/fpga_admissionwebhook/deployment-tpl.yaml
View File

@ -22,6 +22,9 @@ spec:
- containerPort: 8443 - containerPort: 8443
name: webhook-api name: webhook-api
securityContext: securityContext:
runAsNonRoot: true
runAsUser: {uid}
runAsGroup: {gid}
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
args: args:
- -tls-cert-file=/etc/webhook/certs/cert.pem - -tls-cert-file=/etc/webhook/certs/cert.pem

4
scripts/webhook-deploy.sh
View File

@ -3,6 +3,8 @@
srcroot="$(realpath $(dirname $0)/..)" srcroot="$(realpath $(dirname $0)/..)"
service="intel-fpga-webhook-svc" service="intel-fpga-webhook-svc"
secret="intel-fpga-webhook-certs" secret="intel-fpga-webhook-certs"
uid="3210" # fpga user
gid="3210" # fpga group
function help { function help {
echo "Usage: $1 <options> [help|cleanup]" echo "Usage: $1 <options> [help|cleanup]"
@ -94,7 +96,7 @@ cat ${srcroot}/deployments/fpga_admissionwebhook/rbac-config-tpl.yaml | \
${kubectl} create -f - ${kubectl} create -f -
echo "Create webhook deployment" echo "Create webhook deployment"
cat ${srcroot}/deployments/fpga_admissionwebhook/deployment-tpl.yaml | sed -e "s/{MODE}/${mode}/g" | ${kubectl} --namespace ${namespace} create -f - cat ${srcroot}/deployments/fpga_admissionwebhook/deployment-tpl.yaml | sed -e "s/{MODE}/${mode}/g" -e "s/{uid}/${uid}/g" -e "s/{gid}/${gid}/g" | ${kubectl} --namespace ${namespace} create -f -
echo "Create webhook service" echo "Create webhook service"
${kubectl} --namespace ${namespace} create -f ${srcroot}/deployments/fpga_admissionwebhook/service.yaml ${kubectl} --namespace ${namespace} create -f ${srcroot}/deployments/fpga_admissionwebhook/service.yaml