```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: sftp
---
kind: Service
apiVersion: v1
metadata:
  name: sftp
  namespace: sftp
  labels:
    environment: production
spec:
  type: "LoadBalancer"
  ports:
    - name: "ssh"
      port: 22
      targetPort: 22
  selector:
    app: sftp
status:
  loadBalancer: {}
---
kind: Deployment
# the gist used extensions/v1beta1, which was removed in Kubernetes 1.16;
# apps/v1 additionally requires spec.selector
apiVersion: apps/v1
metadata:
  name: sftp
  namespace: sftp
  labels:
    environment: production
    app: sftp
spec:
  # how many pods and indicate which strategy we want for rolling update
  replicas: 1
  minReadySeconds: 10
  selector:
    matchLabels:
      app: sftp
  template:
    metadata:
      labels:
        environment: production
        app: sftp
      annotations:
        # confine the sftp container with the runtime's default AppArmor profile
        container.apparmor.security.beta.kubernetes.io/sftp: runtime/default
    spec:
      # secrets and config
      volumes:
        - name: sftp-public-keys
          configMap:
            name: sftp-public-keys
      containers:
        # the sftp server itself
        - name: sftp
          image: atmoz/sftp:latest
          imagePullPolicy: Always
          env:
          # - name: PASSWORD
          #   valueFrom:
          #     secretKeyRef:
          #       name: sftp-server-sec
          #       key: password
          # create users and dirs; format is user:password:uid:gid:dir1,dir2
          # (empty password = public-key login only)
          args: ["myUser::1001:100:incoming,outgoing"]
          ports:
            - containerPort: 22
          volumeMounts:
            - mountPath: /home/myUser/.ssh/keys
              name: sftp-public-keys
              readOnly: true
          securityContext:
            capabilities:
              # CAP_SYS_ADMIN is close to root on the node's kernel; atmoz/sftp
              # documents it only for bind-mount scripts in /etc/sftp.d, which this
              # config does not use, so consider dropping it
              add: ["SYS_ADMIN"]
          resources: {}
```
Is it possible to get some help with the tweaks you made to get it working on OpenShift?
@afshinyavari Sure. You'll basically have to create a service account and grant it the anyuid SCC to bypass the default security constraints in OpenShift. You can run the below commands as admin to achieve the same:
```sh
$ oc create serviceaccount sftp-sa
$ oc adm policy add-scc-to-user anyuid -z sftp-sa
```
Use the created service account in your deployment. In addition, you will also need to configure the security context for the container. Here's the snippet:
```yaml
spec:
  serviceAccountName: sftp-sa
  containers:
    - name: sftp
      securityContext:
        privileged: true
```
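The gist's Deployment adds CAP_SYS_ADMIN and the OpenShift tweak above sets `privileged: true`; as an added example (not code from the gist, from atmoz/sftp or from OpenShift), the stdlib-only Python script below audits a Deployment in the shape `kubectl get deploy -o json` returns and lists every broad or missing container hardening setting, so the trade-off can be reviewed before `oc apply`. The embedded sample Deployment is constructed to mirror the gist; since atmoz/sftp runs sshd as root, the `runAsNonRoot` finding is expected for that image and is reported as information, not as something the image can necessarily satisfy.

```python
import json

# Capabilities that give a container most of the host kernel's power.
BROAD_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "ALL"}

# Constructed sample: the fields of the gist's Deployment that the audit reads,
# shaped like the output of `kubectl -n sftp get deploy sftp -o json`.
SFTP_DEPLOYMENT_JSON = """
{"kind": "Deployment", "metadata": {"name": "sftp", "namespace": "sftp"},
 "spec": {"template": {"spec": {"containers": [
   {"name": "sftp", "image": "atmoz/sftp:latest",
    "securityContext": {"capabilities": {"add": ["SYS_ADMIN"]}}}]}}}}
"""


def _norm(cap: str) -> str:
    """Normalise 'cap_sys_admin' / 'SYS_ADMIN' to 'SYS_ADMIN'."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def audit_deployment(deploy: dict) -> list:
    """Return one finding per risky or missing setting; [] means nothing flagged."""
    findings = []
    pod = deploy.get("spec", {}).get("template", {}).get("spec", {})
    pod_sc = pod.get("securityContext") or {}
    for c in pod.get("containers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append(f"{name}: privileged: true")
        added = {_norm(x) for x in (sc.get("capabilities") or {}).get("add") or []}
        for cap in sorted(added & BROAD_CAPS):
            findings.append(f"{name}: adds capability {cap}")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation not set to false")
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            findings.append(f"{name}: runAsNonRoot not set (may run as root)")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: readOnlyRootFilesystem not set")
    return findings


def audit_json(text: str) -> list:
    """Audit a Deployment given as JSON text (e.g. piped from kubectl)."""
    return audit_deployment(json.loads(text))


if __name__ == "__main__":
    for line in audit_json(SFTP_DEPLOYMENT_JSON):
        print(line)
```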
@afshinyavari Also, I found this project which is compatible with OpenShift https://github.com/drakkan/sftpgo
I did not find time to deploy this but please feel free to explore it, since it is OpenShift-compatible out of the box and offers better features too. Let me know if you're able to deploy this successfully, in case you decide to choose this one over atmoz-sftp.
yea, sftpgo indeed is an interesting project! Do share the manifests if you decide to give it a shot :)
sftpgo is all fine, sadly until you actually need a debug - drakkan/sftpgo#1412
That makes sense. Thanks for the explanation @ToMe25
Also, these lines from the documentation pretty much confirm that