precreate tmp folders in nginx container
This commit is contained in:
parent
f1ede67eba
commit
78966329e3
1 changed files with 16 additions and 4 deletions
|
|
@ -144,22 +144,31 @@ spec:
|
||||||
|
|
||||||
- name: nginx
|
- name: nginx
|
||||||
image: docker.io/nginx:alpine
|
image: docker.io/nginx:alpine
|
||||||
|
command: ["/bin/sh"]
|
||||||
|
args:
|
||||||
|
- "-c"
|
||||||
|
- |
|
||||||
|
mkdir -p /tmp/client_temp /tmp/proxy_temp /tmp/fastcgi_temp /tmp/uwsgi_temp /tmp/scgi_temp;
|
||||||
|
chmod 777 /tmp/client_temp /tmp/proxy_temp /tmp/fastcgi_temp /tmp/uwsgi_temp /tmp/scgi_temp;
|
||||||
|
exec nginx -g 'daemon off;'
|
||||||
# Security: drop all capabilities, read-only root filesystem
|
# Security: drop all capabilities, read-only root filesystem
|
||||||
securityContext:
|
securityContext:
|
||||||
readOnlyRootFilesystem: true
|
readOnlyRootFilesystem: true
|
||||||
allowPrivilegeEscalation: false
|
allowPrivilegeEscalation: false
|
||||||
capabilities:
|
capabilities:
|
||||||
drop: ["ALL"]
|
drop: ["ALL"]
|
||||||
runAsUser: 0 # Run as root
|
runAsNonRoot: true
|
||||||
runAsGroup: 0 # Run as root group
|
runAsUser: 1000
|
||||||
|
runAsGroup: 1000
|
||||||
ports:
|
ports:
|
||||||
- containerPort: 8080 # inside pod
|
- containerPort: 8080 # inside pod
|
||||||
hostIP: 127.0.0.1 # only loopback on host
|
|
||||||
- containerPort: 8090 # health inside pod (not exposed)
|
- containerPort: 8090 # health inside pod (not exposed)
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- { name: nginx-run, mountPath: /var/run, readOnly: false }
|
- { name: nginx-run, mountPath: /var/run, readOnly: false }
|
||||||
- { name: nginx-cache, mountPath: /var/cache/nginx, readOnly: false }
|
- { name: nginx-cache, mountPath: /var/cache/nginx, readOnly: false }
|
||||||
- { name: nginx-conf, mountPath: /etc/nginx/nginx.conf, readOnly: true, subPath: nginx.conf }
|
- { name: nginx-conf, mountPath: /etc/nginx/nginx.conf, readOnly: true, subPath: nginx.conf }
|
||||||
|
- name: nginx-tmp
|
||||||
|
mountPath: /tmp
|
||||||
# Health check
|
# Health check
|
||||||
livenessProbe:
|
livenessProbe:
|
||||||
httpGet: { path: /healthz, port: 8090, scheme: HTTP }
|
httpGet: { path: /healthz, port: 8090, scheme: HTTP }
|
||||||
|
|
@ -192,3 +201,6 @@ spec:
|
||||||
hostPath: { path: /opt/sharenet/volumes/nginx-cache, type: DirectoryOrCreate }
|
hostPath: { path: /opt/sharenet/volumes/nginx-cache, type: DirectoryOrCreate }
|
||||||
- name: nginx-conf
|
- name: nginx-conf
|
||||||
hostPath: { path: /opt/sharenet/nginx, type: Directory }
|
hostPath: { path: /opt/sharenet/nginx, type: Directory }
|
||||||
|
- name: nginx-tmp
|
||||||
|
emptyDir:
|
||||||
|
medium: Memory # Uses tmpfs for better performance
|
||||||
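Review bot: The `chmod 777` in the new args block makes the five nginx temp directories world-writable, which is unnecessary now that the container runs as uid 1000 and that same uid creates them with `mkdir -p`; `chmod 700 /tmp/client_temp /tmp/proxy_temp /tmp/fastcgi_temp /tmp/uwsgi_temp /tmp/scgi_temp;` keeps nginx working without granting write access to any other uid that may share the nginx-tmp volume. Those directories are only used if the mounted nginx.conf points its `*_temp_path` directives at /tmp rather than the image's default under /var/cache/nginx, which this hunk cannot show, so a one-line comment above `- |` stating that dependency would keep the mkdir from reading as dead code. In the second hunk the `emptyDir` with `medium: Memory` has no `sizeLimit`, so client body temp files from large uploads are held in pod RAM with no cap; add `sizeLimit: <LIMIT>` (a size chosen for this deployment) beside `medium: Memory`. The shell snippet also runs without `set -e`, so a failed mkdir or chmod is silently ignored before `exec nginx`; starting the block with `set -e;` surfaces the failure in the pod status instead of as later nginx write errors. Dropping `hostIP: 127.0.0.1` on the 8080 entry only loosens exposure if a hostPort is set on that entry, which is not visible here; worth confirming the ingress path before relying on it.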