*: Use non-root
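--- a/grafana-image/Dockerfile
+++ b/grafana-image/Dockerfile
@@ -0,0 +1,15 @@
+FROM debian:9.3-slim
+
+RUN apt-get update && apt-get install -qq -y wget tar sqlite && \
+wget -O /tmp/grafana.tar.gz https://s3-us-west-2.amazonaws.com/grafana-releases/release/grafana-4.6.3.linux-x64.tar.gz && \
+tar -zxvf /tmp/grafana.tar.gz -C /tmp && mv /tmp/grafana-4.6.3 /grafana && \
+rm -rf /tmp/grafana.tar.gz
+
+ADD config.toml /grafana/conf/config.toml
+
+USER nobody
+EXPOSE 3000
+VOLUME [ "/data" ]
+WORKDIR /grafana
+ENTRYPOINT [ "/grafana/bin/grafana-server" ]
+CMD [ "-config=/grafana/conf/config.toml" ]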
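Review bot: The Grafana tarball in the RUN step is downloaded with wget and unpacked without any integrity check, so whatever the bucket serves at build time ends up in the image. Add a digest check between the download and the `tar` step, e.g. `echo "<sha256-of-release-tarball>  /tmp/grafana.tar.gz" | sha256sum -c - && \`, with the placeholder replaced by the published digest for this release. `USER nobody` is a name rather than a UID, and Kubernetes cannot verify `runAsNonRoot` against a non-numeric image user on its own; `USER 65534` would match the `runAsUser: 65534` the manifests in this commit set. `ADD config.toml …` copies a plain local file, which `COPY` does without ADD's extra behaviours.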
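--- a/grafana-image/Makefile
+++ b/grafana-image/Makefile
@@ -0,0 +1,2 @@
+container:
+docker build . -t quay.io/coreos/monitoring-grafana:4.6.3-non-root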
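--- a/grafana-image/config.toml
+++ b/grafana-image/config.toml
@@ -0,0 +1,2 @@
+[database]
+path = /data/grafana.db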
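Review bot: Only the database path is redirected to `/data`; if Grafana's other writable locations (data, logs, plugins, sessions) still default to directories under the install root, they would sit in `/grafana`, which the Dockerfile creates as root before switching to `USER nobody`. Worth confirming the server starts cleanly as UID 65534 and, if needed, adding a `[paths]` section that points `data`, `logs` and `plugins` under `/data`. A short comment at the top saying this file is Grafana's ini-style config despite the `.toml` name would also help the next reader.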
@@ -9,9 +9,12 @@ spec:
|
|||||||
labels:
|
labels:
|
||||||
app: grafana
|
app: grafana
|
||||||
spec:
|
spec:
|
||||||
|
securityContext:
|
||||||
|
runAsNonRoot: true
|
||||||
|
runAsUser: 65534
|
||||||
containers:
|
containers:
|
||||||
- name: grafana
|
- name: grafana
|
||||||
image: grafana/grafana:4.6.3
|
image: quay.io/coreos/monitoring-grafana:4.6.3-non-root
|
||||||
env:
|
env:
|
||||||
- name: GF_AUTH_BASIC_ENABLED
|
- name: GF_AUTH_BASIC_ENABLED
|
||||||
value: "true"
|
value: "true"
|
||||||
@@ -29,7 +32,7 @@ spec:
|
|||||||
key: password
|
key: password
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: grafana-storage
|
- name: grafana-storage
|
||||||
mountPath: /var/grafana-storage
|
mountPath: /data
|
||||||
ports:
|
ports:
|
||||||
- name: web
|
- name: web
|
||||||
containerPort: 3000
|
containerPort: 3000
|
||||||
|
@@ -9,9 +9,12 @@ spec:
|
|||||||
labels:
|
labels:
|
||||||
app: grafana
|
app: grafana
|
||||||
spec:
|
spec:
|
||||||
|
securityContext:
|
||||||
|
runAsNonRoot: true
|
||||||
|
runAsUser: 65534
|
||||||
containers:
|
containers:
|
||||||
- name: grafana
|
- name: grafana
|
||||||
image: grafana/grafana:4.6.3
|
image: quay.io/coreos/monitoring-grafana:4.6.3-non-root
|
||||||
env:
|
env:
|
||||||
- name: GF_AUTH_BASIC_ENABLED
|
- name: GF_AUTH_BASIC_ENABLED
|
||||||
value: "true"
|
value: "true"
|
||||||
@@ -29,7 +32,7 @@ spec:
|
|||||||
key: password
|
key: password
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: grafana-storage
|
- name: grafana-storage
|
||||||
mountPath: /var/grafana-storage
|
mountPath: /data
|
||||||
ports:
|
ports:
|
||||||
- name: web
|
- name: web
|
||||||
containerPort: 3000
|
containerPort: 3000
|
||||||
|
@@ -14,6 +14,9 @@ spec:
|
|||||||
name: node-exporter
|
name: node-exporter
|
||||||
spec:
|
spec:
|
||||||
serviceAccountName: node-exporter
|
serviceAccountName: node-exporter
|
||||||
|
securityContext:
|
||||||
|
runAsNonRoot: true
|
||||||
|
runAsUser: 65534
|
||||||
hostNetwork: true
|
hostNetwork: true
|
||||||
hostPID: true
|
hostPID: true
|
||||||
containers:
|
containers:
|
||||||
|