diff --git a/release/kubernetes-manifests.yaml b/release/kubernetes-manifests.yaml
index 56155fe8b48..7686c172f70 100644
--- a/release/kubernetes-manifests.yaml
+++ b/release/kubernetes-manifests.yaml
@@ -33,9 +33,21 @@ spec:
 spec:
 serviceAccountName: default
 terminationGracePeriodSeconds: 5
+ securityContext:
+ fsGroup: 1000
+ runAsGroup: 1000
+ runAsNonRoot: true
+ runAsUser: 1000
 containers:
 - name: server
- image: gcr.io/google-samples/microservices-demo/emailservice:v0.3.8
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - all
+ privileged: false
+ readOnlyRootFilesystem: true
+ image: gcr.io/google-samples/microservices-demo/emailservice:v0.3.9
 ports:
 - containerPort: 8080
 env:
@@ -88,9 +100,21 @@ spec:
 app: checkoutservice
 spec:
 serviceAccountName: default
+ securityContext:
+ fsGroup: 1000
+ runAsGroup: 1000
+ runAsNonRoot: true
+ runAsUser: 1000
 containers:
 - name: server
- image: gcr.io/google-samples/microservices-demo/checkoutservice:v0.3.8
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - all
+ privileged: false
+ readOnlyRootFilesystem: true
+ image: gcr.io/google-samples/microservices-demo/checkoutservice:v0.3.9
 ports:
 - containerPort: 5050
 readinessProbe:
@@ -158,9 +182,21 @@ spec:
 spec:
 serviceAccountName: default
 terminationGracePeriodSeconds: 5
+ securityContext:
+ fsGroup: 1000
+ runAsGroup: 1000
+ runAsNonRoot: true
+ runAsUser: 1000
 containers:
 - name: server
- image: gcr.io/google-samples/microservices-demo/recommendationservice:v0.3.8
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - all
+ privileged: false
+ readOnlyRootFilesystem: true
+ image: gcr.io/google-samples/microservices-demo/recommendationservice:v0.3.9
 ports:
 - containerPort: 8080
 readinessProbe:
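Review bot: The new container securityContext drops capabilities with `drop: - all`, but the Kubernetes API documents the catch-all capability as `ALL`, and as far as I recall the Pod Security Admission restricted-profile check compares against that literal rather than case-folding, so this block would not count as dropping all capabilities; change it to `- ALL`. The same block sets neither a pod-level nor a container-level `seccompProfile`, which the restricted profile also requires — adding `seccompProfile: {type: RuntimeDefault}` next to `runAsNonRoot: true` in the pod securityContext covers every container in the pod. `privileged: false` is the API default and can be dropped. The identical securityContext blocks recur in every later hunk of this file (checkoutservice and recommendationservice here, then frontend through adservice), so fix them together.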
@@ -219,9 +255,21 @@ spec:
 sidecar.istio.io/rewriteAppHTTPProbers: "true"
 spec:
 serviceAccountName: default
+ securityContext:
+ fsGroup: 1000
+ runAsGroup: 1000
+ runAsNonRoot: true
+ runAsUser: 1000
 containers:
 - name: server
- image: gcr.io/google-samples/microservices-demo/frontend:v0.3.8
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - all
+ privileged: false
+ readOnlyRootFilesystem: true
+ image: gcr.io/google-samples/microservices-demo/frontend:v0.3.9
 ports:
 - containerPort: 8080
 readinessProbe:
@@ -318,9 +366,21 @@ spec:
 spec:
 serviceAccountName: default
 terminationGracePeriodSeconds: 5
+ securityContext:
+ fsGroup: 1000
+ runAsGroup: 1000
+ runAsNonRoot: true
+ runAsUser: 1000
 containers:
 - name: server
- image: gcr.io/google-samples/microservices-demo/paymentservice:v0.3.8
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - all
+ privileged: false
+ readOnlyRootFilesystem: true
+ image: gcr.io/google-samples/microservices-demo/paymentservice:v0.3.9
 ports:
 - containerPort: 50051
 env:
@@ -374,9 +434,21 @@ spec:
 spec:
 serviceAccountName: default
 terminationGracePeriodSeconds: 5
+ securityContext:
+ fsGroup: 1000
+ runAsGroup: 1000
+ runAsNonRoot: true
+ runAsUser: 1000
 containers:
 - name: server
- image: gcr.io/google-samples/microservices-demo/productcatalogservice:v0.3.8
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - all
+ privileged: false
+ readOnlyRootFilesystem: true
+ image: gcr.io/google-samples/microservices-demo/productcatalogservice:v0.3.9
 ports:
 - containerPort: 3550
 env:
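Review bot: The rewritten `image:` line for frontend (and likewise paymentservice and productcatalogservice in the next two hunks, and every other service image in this file) still references a mutable tag, `v0.3.9`, so the hardening added around it does not protect against the tag being re-pointed at a different image in the registry. For a release manifest, pin each image by digest as well, e.g. `image: gcr.io/google-samples/microservices-demo/frontend:v0.3.9@sha256:<DIGEST-PLACEHOLDER>`, where the digest is the one published for this release. If the release tooling generates this file, the digest should be emitted there rather than hand-edited.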
@@ -432,9 +504,21 @@ spec:
 spec:
 serviceAccountName: default
 terminationGracePeriodSeconds: 5
+ securityContext:
+ fsGroup: 1000
+ runAsGroup: 1000
+ runAsNonRoot: true
+ runAsUser: 1000
 containers:
 - name: server
- image: gcr.io/google-samples/microservices-demo/cartservice:v0.3.8
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - all
+ privileged: false
+ readOnlyRootFilesystem: true
+ image: gcr.io/google-samples/microservices-demo/cartservice:v0.3.9
 ports:
 - containerPort: 7070
 env:
@@ -489,6 +573,11 @@ spec:
 serviceAccountName: default
 terminationGracePeriodSeconds: 5
 restartPolicy: Always
+ securityContext:
+ fsGroup: 1000
+ runAsGroup: 1000
+ runAsNonRoot: true
+ runAsUser: 1000
 initContainers:
 - command:
 - /bin/sh
@@ -507,7 +596,14 @@ spec:
 value: "frontend:80"
 containers:
 - name: main
- image: gcr.io/google-samples/microservices-demo/loadgenerator:v0.3.8
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - all
+ privileged: false
+ readOnlyRootFilesystem: true
+ image: gcr.io/google-samples/microservices-demo/loadgenerator:v0.3.9
 env:
 - name: FRONTEND_ADDR
 value: "frontend:80"
@@ -536,9 +632,21 @@ spec:
 spec:
 serviceAccountName: default
 terminationGracePeriodSeconds: 5
+ securityContext:
+ fsGroup: 1000
+ runAsGroup: 1000
+ runAsNonRoot: true
+ runAsUser: 1000
 containers:
 - name: server
- image: gcr.io/google-samples/microservices-demo/currencyservice:v0.3.8
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - all
+ privileged: false
+ readOnlyRootFilesystem: true
+ image: gcr.io/google-samples/microservices-demo/currencyservice:v0.3.9
 ports:
 - name: grpc
 containerPort: 7000
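Review bot: In the loadgenerator hunk `@@ -489,6 +573,11 @@` the pod-level securityContext is added just above `initContainers:`, but the init container that runs `/bin/sh` receives no container-level securityContext; only the `main` container gets one in the following hunk. The restricted Pod Security Standard applies its per-container checks (allowPrivilegeEscalation, dropped capabilities) to init containers as well, so this pod would still fail that profile even with the pod-level settings in place. Add the same `securityContext:` block (`allowPrivilegeEscalation: false`, `capabilities.drop: [ALL]`, `readOnlyRootFilesystem: true`) under the init container entry; its definition continues outside the hunk, so check that the shell it runs does not need a writable root filesystem.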
@@ -592,9 +700,21 @@ spec:
 app: shippingservice
 spec:
 serviceAccountName: default
+ securityContext:
+ fsGroup: 1000
+ runAsGroup: 1000
+ runAsNonRoot: true
+ runAsUser: 1000
 containers:
 - name: server
- image: gcr.io/google-samples/microservices-demo/shippingservice:v0.3.8
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - all
+ privileged: false
+ readOnlyRootFilesystem: true
+ image: gcr.io/google-samples/microservices-demo/shippingservice:v0.3.9
 ports:
 - containerPort: 50051
 env:
@@ -649,8 +769,20 @@ spec:
 labels:
 app: redis-cart
 spec:
+ securityContext:
+ fsGroup: 1000
+ runAsGroup: 1000
+ runAsNonRoot: true
+ runAsUser: 1000
 containers:
 - name: redis
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - all
+ privileged: false
+ readOnlyRootFilesystem: true
 image: redis:alpine
 ports:
 - containerPort: 6379
@@ -685,7 +817,7 @@ spec:
 selector:
 app: redis-cart
 ports:
- - name: redis
+ - name: tls-redis
 port: 6379
 targetPort: 6379
 ---
@@ -704,9 +836,21 @@ spec:
 spec:
 serviceAccountName: default
 terminationGracePeriodSeconds: 5
+ securityContext:
+ fsGroup: 1000
+ runAsGroup: 1000
+ runAsNonRoot: true
+ runAsUser: 1000
 containers:
 - name: server
- image: gcr.io/google-samples/microservices-demo/adservice:v0.3.8
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - all
+ privileged: false
+ readOnlyRootFilesystem: true
+ image: gcr.io/google-samples/microservices-demo/adservice:v0.3.9
 ports:
 - containerPort: 9555
 env:
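Review bot: `readOnlyRootFilesystem: true` on the `redis` container in hunk `@@ -649,8 +769,20 @@` needs a writable data directory to go with it: the `redis:alpine` image writes its snapshot files under its working directory by default, so unless a writable volume is mounted there (any `volumeMounts`/`volumes` for this pod would be outside the hunk), snapshot saves will start failing once the container runs. Confirm such a mount exists, or add an `emptyDir` volume at the redis data path and record that in a comment above the securityContext, e.g. `# root fs is read-only; redis writes only to the mounted data volume`. Separately, `redis:alpine` on the context line is a floating tag with no version, so the pinning concern raised on the service images applies here too.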