Created
September 27, 2020 21:25
-
-
Save tvvignesh/46433362548d4117815e8ba29d329da6 to your computer and use it in GitHub Desktop.
Ambassador NonRoot error
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
# Manually set metadata for the Release. | |
# | |
# Defaults to .Chart.Name | |
nameOverride: "" | |
# Defaults to .Release.Name-.Chart.Name unless .Release.Name contains "ambassador" | |
fullnameOverride: "" | |
# Defaults to .Release.Namespace | |
namespaceOverride: "" | |
replicaCount: 3 | |
daemonSet: false | |
# This will enable the test-ready Pod (https://github.com/datawire/ambassador-chart/blob/master/templates/tests/test-ready.yaml). | |
# It will spawn a busybox container to call Ambassador's check_ready endpoint to validate it is working correctly. | |
test: | |
enabled: true | |
image: busybox | |
# Enable autoscaling using HorizontalPodAutoscaler | |
# daemonSet: true, autoscaling will be disabled | |
autoscaling: | |
enabled: true | |
minReplicas: 2 | |
maxReplicas: 5 | |
metrics: | |
- type: Resource | |
resource: | |
name: cpu | |
target: | |
type: Utilization | |
averageUtilization: 60 | |
- type: Resource | |
resource: | |
name: memory | |
target: | |
type: Utilization | |
averageUtilization: 60 | |
podDisruptionBudget: {} | |
# namespace: | |
# name: default | |
# Additional container environment variable | |
# Uncomment or add additional environment variables for the container here. | |
env: {} | |
# Exposing statistics via StatsD | |
# STATSD_ENABLED: true | |
# STATSD_HOST: statsd-sink | |
# sets the minimum number of seconds between Envoy restarts | |
# AMBASSADOR_RESTART_TIME: 15 | |
# sets the number of seconds that the Envoy will wait for open connections to drain on a restart | |
# AMBASSADOR_DRAIN_TIME: 5 | |
# sets the number of seconds that Ambassador will wait for the old Envoy to clean up and exit on a restart | |
# AMBASSADOR_SHUTDOWN_TIME: 10 | |
# labels Ambassador with an ID to allow for configuring multiple Ambassadors in a cluster | |
# AMBASSADOR_ID: default | |
# Additional container environment variable in raw YAML format | |
# Uncomment or add additional environment variables for the container here. | |
envRaw: {} | |
# - name: REDIS_PASSWORD | |
# value: password | |
# valueFrom: | |
# secretKeyRef: | |
# name: redis-password | |
# key: password | |
# - name: POD_IP | |
# valueFrom: | |
# fieldRef: | |
# fieldPath: status.podIP | |
imagePullSecrets: [] | |
security: | |
# Security Context for all containers in the pod. | |
# https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#podsecuritycontext-v1-core | |
podSecurityContext: | |
runAsUser: 8888 | |
# Security Context for the Ambassador container specifically | |
# https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#securitycontext-v1-core | |
containerSecurityContext: | |
allowPrivilegeEscalation: false | |
# A basic PodSecurityPolicy to ensure Ambassador is running with appropriate security permissions | |
# https://kubernetes.io/docs/concepts/policy/pod-security-policy/ | |
# | |
# A set of reasonable defaults is outlined below. This is not created by default as it should only | |
# be created by a one Release. If you want to use the PodSecurityPolicy in the chart, create it in | |
# the "master" Release and then leave it unset in all others. Set the `rbac.podSecurityPolicies` | |
# in all non-"master" Releases. | |
podSecurityPolicy: | |
# Add AppArmor and Seccomp annotations | |
# https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor | |
annotations: | |
spec: | |
seLinux: | |
rule: RunAsAny | |
supplementalGroups: | |
rule: 'MustRunAs' | |
ranges: | |
# Forbid adding the root group. | |
- min: 1 | |
max: 65535 | |
fsGroup: | |
rule: 'MustRunAs' | |
ranges: | |
# Forbid adding the root group. | |
- min: 1 | |
max: 65535 | |
privileged: false | |
allowPrivilegeEscalation: false | |
runAsUser: | |
rule: MustRunAsNonRoot | |
image: | |
repository: docker.io/datawire/aes | |
tag: 1.7.2 | |
pullPolicy: IfNotPresent | |
dnsPolicy: "ClusterFirst" | |
hostNetwork: false | |
service: | |
type: LoadBalancer | |
# Note that target http ports need to match your ambassador configurations service_port | |
# https://www.getambassador.io/reference/modules/#the-ambassador-module | |
ports: | |
- name: http | |
port: 80 | |
targetPort: 8080 | |
# protocol: TCP | |
# nodePort: 30080 | |
# hostPort: 80 | |
- name: https | |
port: 443 | |
targetPort: 8443 | |
# protocol: TCP | |
# nodePort: 30443 | |
# hostPort: 443 | |
# TCPMapping_Port | |
# port: 2222 | |
# targetPort: 2222 | |
# protocol: TCP | |
# nodePort: 30222 | |
externalTrafficPolicy: | |
externalIPs: [] | |
annotations: {} | |
############################################################################# | |
## Ambassador should be configured using CRD definition. If you want | |
## to use annotations, the following is an example of annotating the | |
## Ambassador service with global configuration manifest. | |
## | |
## See https://www.getambassador.io/reference/core/ambassador and | |
## https://www.getambassador.io/reference/core/tls for more info | |
############################################################################# | |
# | |
# getambassador.io/config: | | |
# --- | |
# apiVersion: ambassador/v1 | |
# kind: TLSContext | |
# name: ambassador | |
# secret: ambassador-certs | |
# hosts: ["*"] | |
# --- | |
# apiVersion: ambassador/v1 | |
# kind: Module | |
# name: ambassador | |
# config: | |
# admin_port: 8001 | |
# diag_port: 8877 | |
# diagnostics: | |
# enabled: true | |
# enable_grpc_http11_bridge: false | |
# enable_grpc_web: false | |
# enable_http10: false | |
# enable_ipv4: true | |
# enable_ipv6: false | |
# liveness_probe: | |
# enabled: true | |
# lua_scripts: | |
# readiness_probe: | |
# enabled: true | |
# server_name: envoy | |
# service_port: 8080 | |
# use_proxy_proto: false | |
# use_remote_address: true | |
# xff_num_trusted_hops: 0 | |
# x_forwarded_proto_redirect: false | |
# load_balancer: | |
# policy: round_robin | |
# circuit_breakers: | |
# max_connections: 2048 | |
# retry_policy: | |
# retry_on: "5xx" | |
# cors: | |
adminService: | |
create: true | |
type: ClusterIP | |
port: 8877 | |
# NodePort used if type is NodePort | |
# nodePort: 38877 | |
annotations: | |
{} | |
rbac: | |
# Specifies whether RBAC resources should be created | |
create: true | |
# List of Pod Security Policies to use on the container. | |
# If security.podSecurityPolicy is set, it will be appended to the list | |
podSecurityPolicies: [] | |
# Name of the RBAC resources defaults to the name of the release. | |
# Set nameOverride when installing Ambassador with cluster-wide scope in | |
# different namespaces with the same release name to avoid conflicts. | |
nameOverride: | |
scope: | |
# tells Ambassador to only use resources in the namespace or namespace set by namespace.name | |
singleNamespace: false | |
serviceAccount: | |
# Specifies whether a service account should be created | |
create: true | |
# The name of the service account to use. | |
# If not set and create is true, a name is generated using the fullname template | |
name: | |
deploymentStrategy: | |
type: RollingUpdate | |
restartPolicy: | |
initContainers: [] | |
sidecarContainers: [] | |
livenessProbe: | |
initialDelaySeconds: 30 | |
periodSeconds: 3 | |
failureThreshold: 3 | |
readinessProbe: | |
initialDelaySeconds: 30 | |
periodSeconds: 3 | |
failureThreshold: 3 | |
volumes: [] | |
volumeMounts: [] | |
podLabels: | |
{} | |
podAnnotations: | |
{} | |
# prometheus.io/scrape: "true" | |
# prometheus.io/port: "9102" | |
deploymentLabels: | |
{} | |
deploymentAnnotations: | |
{} | |
# configmap.reloader.stakater.com/auto: "true" | |
resources: | |
# Recommended resource requests and limits for Ambassador | |
limits: | |
cpu: 1000m | |
memory: 600Mi | |
requests: | |
cpu: 200m | |
memory: 300Mi | |
priorityClassName: "" | |
nodeSelector: {} | |
tolerations: [] | |
affinity: {} | |
ambassadorConfig: "" | |
crds: | |
enabled: true | |
create: true | |
keep: true | |
# Prometheus Operator ServiceMonitor configuration | |
# See documentation: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#servicemonitor | |
metrics: | |
serviceMonitor: | |
enabled: false | |
# interval: 30s | |
# scrapeTimeout: 30s | |
# selector: {} | |
################################################################################ | |
## Ambassador Edge Stack Configuration ## | |
################################################################################ | |
# The Ambassador Edge Stack is free for limited use without a license key. | |
# Go to https://{ambassador-host}/edge_stack/admin/#dashboard to register | |
# for a community license key. | |
enableAES: true | |
# Set createSecret: false is installing multiple releases of The Ambassador | |
# Edge Stack in the same namespace. | |
licenseKey: | |
value: | |
createSecret: true | |
secretName: | |
# Annotations to attach to the license-key-secret. | |
annotations: | |
{} | |
# The DevPortal is exposed at /docs/ endpoint in the AES container. | |
# Setting this to true will automatically create routes for the DevPortal. | |
createDevPortalMappings: true | |
# The Ambassador Edge Stack uses a redis instance for managing authentication, | |
# rate limiting, and sharing minor configuration details between pods for | |
# centralized management. These values configure the redis instance that ships | |
# by default with The Ambassador Edge Stack. | |
# | |
# URL of your redis instance. Defaults to redis instance created below. | |
redisURL: | |
# Ambassador ships with a basic redis instance. Configure the deployment with the options below. | |
redis: | |
create: true | |
image: | |
repository: redis | |
tag: 5.0.1 | |
pullPolicy: IfNotPresent | |
# Annotations for Ambassador Pro's redis instance. | |
annotations: | |
deployment: | |
{} | |
service: | |
{} | |
resources: {} | |
# If you want to specify resources, uncomment the following | |
# lines and remove the curly braces after 'resources:'. | |
# These are placeholder values and must be tuned. | |
# limits: | |
# cpu: 100m | |
# memory: 256Mi | |
# requests: | |
# cpu: 50m | |
# memory: 128Mi | |
nodeSelector: {} | |
# Configures the AuthService that ships with the Ambassador Edge Stack. | |
# Setting authService.create: false will not install the AES AuthService and | |
# allow you to define your own. | |
# | |
# Typically when using the AES, you will want to keep this set to true and use | |
# the External Filter to communicate with a custom authentication service. | |
# https://www.getambassador.io/reference/filter-reference/#filter-type-external | |
authService: | |
create: true | |
# Set additional configuration options. See https://www.getambassador.io/reference/services/auth-service for more information | |
optional_configurations: | |
# include_body: | |
# max_bytes: 4096 | |
# allow_partial: true | |
# status_on_error: | |
# code: 403 | |
# failure_mode_allow: false | |
# retry_policy: | |
# retry_on: "5xx" | |
# num_retries: 2 | |
# add_linkerd_headers: true | |
# timeout_ms: 30000 | |
# Configures the RateLimitService in the Ambassador Edge Stack. | |
# Keep this enabled to configure RateLimits in AES. | |
rateLimit: | |
create: true | |
# Projects are a beta feature of Ambassador that allow developers to stage and | |
# deploy code with nothing more than a Github repository. | |
# See: https://www.getambassador.io/docs/latest/topics/using/projects/ | |
registry: | |
create: false | |
# Configures Service Preview that ships with the Ambassador Edge Stack and edgectl. | |
# Setting servicePreview.enabled: true will install the Traffic Agent Service Account, Traffic Manager with RBAC, and ambassador-injector | |
servicePreview: | |
enabled: true | |
trafficManager: | |
image: | |
# Leave blank to use image.repository and image.tag | |
repository: | |
tag: | |
serviceAccountName: "traffic-manager" | |
trafficAgent: | |
image: | |
# Leave blank to use image.repository and image.tag | |
repository: | |
tag: | |
singleNamespace: true | |
serviceAccountName: "traffic-agent" | |
port: 9900 | |
# Configure the ambassador-injector webhook for Service Preview Traffic Agent automatic sidecar injection. | |
injector: | |
enabled: true | |
# If no injector.crtPEM and injector.keyPEM are provided, a self-signed certificate will be issued | |
# for the Common Name (CN) of `<ambassador-injector>.<namespace>.svc`, which is the cluster-internal DNS name | |
# for the service. | |
crtPEM: "" | |
keyPEM: "" | |
securityContext: | |
runAsUser: 8888 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment