Move serviceAccountName above initContainers key
Add additional spacing to make it visually clearer that the lists are
underneath the key above.
rogueresistor authored and dustin-decker committed Feb 28, 2020
1 parent 430e5f7 commit 4872978
Showing 1 changed file with 29 additions and 29 deletions.
58 changes: 29 additions & 29 deletions README.md
Expand Up @@ -139,37 +139,37 @@ kind: Pod
metadata:
name: awesome-app
spec:
volumes:
- name: vault-secrets
emptyDir:
medium: Memory
initContainers:
serviceAccountName: awesome-app
- name: daytona
image: gcr.io/supa-fast-c432/daytona@sha256:abcd123
securityContext:
runAsUser: 9999
allowPrivilegeEscalation: false
volumeMounts:
volumes:
- name: vault-secrets
mountPath: /home/vault
env:
- name: K8S_AUTH
value: "true"
- name : K8S_AUTH_MOUNT
value: "kubernetes-gcp-dev-cluster"
- name: SECRET_ENV
value: "true"
- name: TOKEN_PATH
value: /home/vault/.vault-token
- name: VAULT_AUTH_ROLE
value: awesome-app-vault-role-name
- name: SECRET_PATH
value: /home/vault/secrets
- name: VAULT_SECRETS_APP
value: secret/path/to/app
- name: VAULT_SECRETS_GLOBAL
value: secret/path/to/global/metrics
emptyDir:
medium: Memory
initContainers:
- name: daytona
image: gcr.io/supa-fast-c432/daytona@sha256:abcd123
securityContext:
runAsUser: 9999
allowPrivilegeEscalation: false
volumeMounts:
- name: vault-secrets
mountPath: /home/vault
env:
- name: K8S_AUTH
value: "true"
- name : K8S_AUTH_MOUNT
value: "kubernetes-gcp-dev-cluster"
- name: SECRET_ENV
value: "true"
- name: TOKEN_PATH
value: /home/vault/.vault-token
- name: VAULT_AUTH_ROLE
value: awesome-app-vault-role-name
- name: SECRET_PATH
value: /home/vault/secrets
- name: VAULT_SECRETS_APP
value: secret/path/to/app
- name: VAULT_SECRETS_GLOBAL
value: secret/path/to/global/metrics
````

Note the `securityContext` provided above. Without it, the daytona container runs as UID 0, which is root. Because daytona writes files with `0600` permissions, the files are only readable by a user with the same UID. It is necessary to run your other containers in the pod with the same `securityContext` in order to read the files that daytona places.
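Review bot: the stray space in `- name : K8S_AUTH_MOUNT` is carried over unchanged in the moved `env` list; since this commit exists to make the nesting visually unambiguous, tighten it to `- name: K8S_AUTH_MOUNT` so it matches the other entries. Moving `serviceAccountName: awesome-app` up to the `spec` level is the right fix, as it is a pod-level field and not a key of `initContainers`, and the note below about `runAsUser: 9999` and the `0600` files still reads correctly against the new layout. One addition worth making while this block is being touched: put `runAsNonRoot: true` next to `allowPrivilegeEscalation: false` so the kubelet refuses to start the daytona container as UID 0 if the `runAsUser` line is ever dropped or the image default changes.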
