From 2b6491d040017f844d961f324f00d581c3aee978 Mon Sep 17 00:00:00 2001 From: Philip Laine Date: Thu, 5 Jun 2025 08:57:45 +0200 Subject: [PATCH] Disable data dir when running Spegel in Kubernetes Signed-off-by: Philip Laine --- CHANGELOG.md | 1 + charts/spegel/README.md | 2 +- charts/spegel/templates/daemonset.yaml | 2 ++ charts/spegel/values.yaml | 9 ++------- 4 files changed, 6 insertions(+), 8 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2d08dd3..8711172 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -38,6 +38,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - [#872](https://github.com/spegel-org/spegel/pull/872) Allow returning libp2p crypto priv key in linter. - [#894](https://github.com/spegel-org/spegel/pull/894) Update Kind to v0.29.0 and Fix Containerd v2 support. - [#899](https://github.com/spegel-org/spegel/pull/899) Handle situation where digest is missing in reigstry response header. +- [#902](https://github.com/spegel-org/spegel/pull/902) Disable data dir when running Spegel in Kubernetes. ### Security diff --git a/charts/spegel/README.md b/charts/spegel/README.md index a7d230f..3c1a800 100644 --- a/charts/spegel/README.md +++ b/charts/spegel/README.md @@ -30,7 +30,7 @@ Read the [getting started](https://spegel.dev/docs/getting-started/) guide to de | priorityClassName | string | `"system-node-critical"` | Priority class name to use for the pod. | | resources | object | `{"limits":{"memory":"128Mi"},"requests":{"memory":"128Mi"}}` | Resource requests and limits for the Spegel container. | | revisionHistoryLimit | int | `10` | The number of old history to retain to allow rollback. | -| securityContext | object | `{}` | Security context for the Spegel container. | +| securityContext | object | `{"readOnlyRootFilesystem":true}` | Security context for the Spegel container. | | service.cleanup.port | int | `8080` | Port to expose cleanup probe on. | | service.metrics.port | int | `9090` | Port to expose the metrics via the service. | | service.registry.hostPort | int | `30020` | Local host port to expose the registry. | diff --git a/charts/spegel/templates/daemonset.yaml b/charts/spegel/templates/daemonset.yaml index 42a57e4..ad5e538 100644 --- a/charts/spegel/templates/daemonset.yaml +++ b/charts/spegel/templates/daemonset.yaml @@ -104,6 +104,8 @@ spec: {{- end }} - --debug-web-enabled={{ .Values.spegel.debugWebEnabled }} env: + - name: DATA_DIR + value: "" {{- if ((.Values.resources).limits).cpu }} - name: GOMAXPROCS valueFrom: diff --git a/charts/spegel/values.yaml b/charts/spegel/values.yaml index d0cf648..1f5510d 100644 --- a/charts/spegel/values.yaml +++ b/charts/spegel/values.yaml @@ -35,13 +35,8 @@ podSecurityContext: {} revisionHistoryLimit: 10 # -- Security context for the Spegel container. -securityContext: {} - # capabilities: - # drop: - # - ALL - # readOnlyRootFilesystem: true - # runAsNonRoot: true - # runAsUser: 1000 +securityContext: + readOnlyRootFilesystem: true service: registry: