b630433aa8
Per Azure best practice, disable a container's ability to escalate its privileges. https://docs.microsoft.com/en-us/azure/aks/developer-best-practices-pod-security#secure-pod-access-to-resources
62 lines
1.8 KiB
YAML
62 lines
1.8 KiB
YAML
apiVersion: batch/v1
|
|
kind: Job
|
|
metadata:
|
|
name: migration
|
|
namespace: $K8S_NAMESPACE
|
|
spec:
|
|
ttlSecondsAfterFinished: 100
|
|
backoffLimit: 2
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app: atst
|
|
role: migration
|
|
aadpodidbinding: atat-kv-id-binding
|
|
spec:
|
|
containers:
|
|
- name: migration
|
|
image: $CONTAINER_IMAGE
|
|
securityContext:
|
|
allowPrivilegeEscalation: false
|
|
command: [
|
|
"/bin/sh", "-c"
|
|
]
|
|
args:
|
|
- |
|
|
/opt/atat/atst/.venv/bin/python \
|
|
/opt/atat/atst/.venv/bin/alembic \
|
|
upgrade head \
|
|
&& \
|
|
/opt/atat/atst/.venv/bin/python \
|
|
/opt/atat/atst/script/seed_roles.py
|
|
envFrom:
|
|
- configMapRef:
|
|
name: atst-envvars
|
|
- configMapRef:
|
|
name: atst-worker-envvars
|
|
volumeMounts:
|
|
- name: pgsslrootcert
|
|
mountPath: "/opt/atat/atst/ssl/pgsslrootcert.crt"
|
|
subPath: pgsslrootcert.crt
|
|
- name: flask-secret
|
|
mountPath: "/config"
|
|
volumes:
|
|
- name: pgsslrootcert
|
|
configMap:
|
|
name: pgsslrootcert
|
|
items:
|
|
- key: cert
|
|
path: pgsslrootcert.crt
|
|
mode: 0666
|
|
- name: flask-secret
|
|
flexVolume:
|
|
driver: "azure/kv"
|
|
options:
|
|
usepodidentity: "true"
|
|
keyvaultname: "atat-vault-test"
|
|
keyvaultobjectnames: "master-AZURE-STORAGE-KEY;master-MAIL-PASSWORD;master-PGPASSWORD;master-REDIS-PASSWORD;master-SECRET-KEY"
|
|
keyvaultobjectaliases: "AZURE_STORAGE_KEY;MAIL_PASSWORD;PGPASSWORD;REDIS_PASSWORD;SECRET_KEY"
|
|
keyvaultobjecttypes: "secret;secret;secret;secret;key"
|
|
tenantid: $TENANT_ID
|
|
restartPolicy: Never
|