gitea: Switch to rootless image

2023-08-15 08:08:46 +03:00
parent ca4ded3d0d
commit 46677df2a3
1 changed files with 19 additions and 4 deletions
--- a/gitea/application.yaml
+++ b/gitea/application.yaml
@@ -71,9 +71,16 @@ spec:
        app.kubernetes.io/name: gitea
    spec:
      enableServiceLinks: false
+      securityContext:
+        fsGroup: 1000
+        runAsUser: 1000
+        runAsGroup: 1000
+        runAsNonRoot: true
      containers:
        - name: gitea
-          image: gitea/gitea:1.20.2
+          image: gitea/gitea:1.20.2-rootless
+          securityContext:
+            readOnlyRootFilesystem: true
          env:
            - name: GITEA__ADMIN__DISABLE_REGULAR_ORG_CREATION
              value: "true"
@@ -85,8 +92,8 @@ spec:
              value: "/cert/tls.crt"
            - name: GITEA__SERVER__KEY_FILE
              value: "/cert/tls.key"
-            - name: GITEA__SERVER__SSH_LISTEN_PORT
-              value: "2222"
+            - name: GITEA__SERVER__SSH_PORT
+              value: "22"
            - name: GITEA__SERVER__PROTOCOL
              value: https
            - name: GITEA__SERVER__REDIRECT_OTHER_PORT
@@ -174,11 +181,19 @@ spec:
            - containerPort: 2222
              name: ssh
          volumeMounts:
+            - mountPath: /tmp
+              name: tmp
+            - mountPath: /etc/gitea
+              name: etc
            - mountPath: /cert
              name: cert
-            - mountPath: /data
+            - mountPath: /var/lib/gitea
              name: data
      volumes:
+        - name: tmp
+          emptyDir: {}
+        - name: etc
+          emptyDir: {}
        - name: cert
          secret:
            secretName: git-tls