b630433aa8
Per Azure best practice, disable a container's ability to escalate its privileges. https://docs.microsoft.com/en-us/azure/aks/developer-best-practices-pod-security#secure-pod-access-to-resources
55 lines
1.7 KiB
YAML
55 lines
1.7 KiB
YAML
apiVersion: batch/v1beta1
|
|
kind: CronJob
|
|
metadata:
|
|
name: crls
|
|
namespace: atat
|
|
spec:
|
|
schedule: "0 * * * *"
|
|
concurrencyPolicy: Replace
|
|
successfulJobsHistoryLimit: 1
|
|
jobTemplate:
|
|
spec:
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app: atst
|
|
role: crl-sync
|
|
aadpodidbinding: atat-kv-id-binding
|
|
spec:
|
|
restartPolicy: OnFailure
|
|
containers:
|
|
- name: crls
|
|
image: $CONTAINER_IMAGE
|
|
securityContext:
|
|
allowPrivilegeEscalation: false
|
|
command: [
|
|
"/bin/sh", "-c"
|
|
]
|
|
args: [
|
|
"/opt/atat/atst/script/sync-crls",
|
|
]
|
|
envFrom:
|
|
- configMapRef:
|
|
name: atst-envvars
|
|
- configMapRef:
|
|
name: atst-worker-envvars
|
|
volumeMounts:
|
|
- name: crls-vol
|
|
mountPath: "/opt/atat/atst/crls"
|
|
- name: flask-secret
|
|
mountPath: "/config"
|
|
volumes:
|
|
- name: crls-vol
|
|
persistentVolumeClaim:
|
|
claimName: crls-vol-claim
|
|
- name: flask-secret
|
|
flexVolume:
|
|
driver: "azure/kv"
|
|
options:
|
|
usepodidentity: "true"
|
|
keyvaultname: "atat-vault-test"
|
|
keyvaultobjectnames: "master-AZURE-STORAGE-KEY;master-MAIL-PASSWORD;master-PGPASSWORD;master-REDIS-PASSWORD;master-SECRET-KEY"
|
|
keyvaultobjectaliases: "AZURE_STORAGE_KEY;MAIL_PASSWORD;PGPASSWORD;REDIS_PASSWORD;SECRET_KEY"
|
|
keyvaultobjecttypes: "secret;secret;secret;secret;key"
|
|
tenantid: $TENANT_ID
|