A Kubernetes operator that bridges Hardware Security Module (HSM) data storage with Kubernetes Secrets, providing true secret portability th


try non-root agent again

+21 -9
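--- a/Makefile
+++ b/Makefile
@@ -3,7 +3,7 @@
 # To re-generate a bundle for another specific version without changing the standard setup, you can:
 # - use the VERSION as arg of the bundle target (e.g make bundle VERSION=0.0.2)
 # - use environment variables to overwrite this value (e.g export VERSION=0.0.2)
-VERSION ?= 0.6.6
+VERSION ?= 0.6.13
 
 # CHANNELS define the bundle channels used in the bundle.
 # Add a new line here if you would like to change its default config. (E.g CHANNELS = "candidate,fast,stable")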
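--- a/helm/hsm-secrets-operator/Chart.yaml
+++ b/helm/hsm-secrets-operator/Chart.yaml
@@ -2,8 +2,8 @@
 name: hsm-secrets-operator
 description: A Kubernetes operator that bridges Pico HSM binary data storage with Kubernetes Secrets
 type: application
-version: 0.6.6
-appVersion: v0.6.6
+version: 0.6.13
+appVersion: v0.6.13
 icon: https://raw.githubusercontent.com/cncf/artwork/master/projects/kubernetes/icon/color/kubernetes-icon-color.svg
 home: https://github.com/evanjarrett/hsm-secrets-operator
 sources: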
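--- a/internal/controller/hsmpool_agent_controller.go
+++ b/internal/controller/hsmpool_agent_controller.go
@@ -544,7 +544,9 @@
 }
 
 var replicas int32 = 1
-var rootUserId int64 = 0
+// var rootUserId int64 = 0
+var pcscdUserId int64 = 100
+var pcscdGroupId int64 = 101
 falsePtr := new(bool)
 *falsePtr = false
 truePtr := new(bool)
@@ -610,8 +612,8 @@
 },
 },
 SecurityContext: &corev1.PodSecurityContext{
-RunAsUser: &rootUserId,
-RunAsGroup: &rootUserId,
+RunAsUser: &pcscdUserId,
+RunAsGroup: &pcscdGroupId,
 RunAsNonRoot: falsePtr,
 },
 ServiceAccountName: r.ServiceAccountName,
@@ -668,7 +670,7 @@
 },
 },
 SecurityContext: &corev1.SecurityContext{
-Privileged: truePtr,
+Privileged: falsePtr,
 AllowPrivilegeEscalation: truePtr,
 // Capabilities: &corev1.Capabilities{
 // Drop: []corev1.Capability{},
@@ -677,8 +679,8 @@
 // },
 // },
 ReadOnlyRootFilesystem: falsePtr,
-RunAsNonRoot: falsePtr,
-RunAsUser: &rootUserId,
+RunAsNonRoot: truePtr,
+RunAsUser: &pcscdUserId,
 },
 VolumeMounts: []corev1.VolumeMount{
 {
@@ -688,6 +690,10 @@
 {
 Name: "hsm-device",
 MountPath: "/dev/hsm",
+},
+{
+Name: "pcscd-run",
+MountPath: "/var/run/pcscd",
 },
 },
 },
@@ -706,6 +712,12 @@
 Path: devicePath,
 Type: &hostPath,
 },
+},
+},
+{
+Name: "pcscd-run",
+VolumeSource: corev1.VolumeSource{
+EmptyDir: &corev1.EmptyDirVolumeSource{},
 },
 },
 },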
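Review bot: `AllowPrivilegeEscalation: truePtr` survives the move to a non-root container in the container SecurityContext hunk (old line 670 onward), so a setuid binary in the image could still hand the pcscd process root even though `Privileged` is now false and `RunAsNonRoot` is true; unless a setuid helper is genuinely required, change it to `AllowPrivilegeEscalation: falsePtr,`. The pod-level `RunAsNonRoot: falsePtr` in the PodSecurityContext hunk now contradicts the container-level `truePtr`; the container value wins, but setting both to `truePtr` states the intent once and keeps any init or sidecar containers non-root too. The hard-coded `pcscdUserId`/`pcscdGroupId` values deserve a comment naming where they come from (presumably the pcscd user in the agent image — confirm) so a base-image change does not silently break device access, and the commented-out `// var rootUserId int64 = 0` should be deleted rather than kept. Without `Privileged`, opening the hostPath-mounted `/dev/hsm` may be refused by the device cgroup regardless of UID, which is worth confirming on a real node before this lands. The enclosing function starts before the first hunk and ends after the last.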