Moved part of Kubernetes securityContext spec to container level

This best practice applys the securityContext to all container in the deployment and reduces code duplications Updated Kubernetes deployment spec set readOnlyRootFilesystem and increased initialDelaySeconds Added apk package curl for internal use, updated folder path name by making it consistent moved Bamboo logs to ephemeral storage U[dated Kubernetes deployment manifest to include resources - this is to define resource specs, and added JAVA min max and opts from system resource foo
saidsef · Aug 25, 2023 · 6f9e389 · 6f9e389
1 parent 527f299
commit 6f9e389
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 22 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,17 +1,16 @@
-FROM docker.io/openjdk:jre-alpine
+FROM docker.io/openjdk:22-slim
 
 ARG BUILD_ID=""
-ARG BAMBOO_VERSION=""
+ARG BAMBOO_VERSION="9.2.4"
 ARG PORT=""
 ARG REF=""
 
-LABEL org.opencontainers.image.description="Containerised Atlassian Bomboo Server"
+LABEL org.opencontainers.image.description="Containerised Atlassian Bamboo Server"
 LABEL maintainer="Said Sef <said@saidsef.co.uk> (saidsef.co.uk/)"
 LABEL "uk.co.saidsef.bamboo"="${REF}"
 
 ENV BAMBOO_HOME /data
-# If BAMBOO_VERSION is not supplied during build, use stable version 9.2.4
-ENV BB_PKG_NAME atlassian-bamboo-${BAMBOO_VERSION:-9.2.4}
+ENV BB_PKG_NAME atlassian-bamboo-${BAMBOO_VERSION}
 ENV PATH /opt/$BB_PKG_NAME/bin:$PATH
 ENV HOME /tmp
 ENV PORT ${PORT:-8085}
@@ -22,22 +21,22 @@ USER root
 WORKDIR $BAMBOO_HOME
 
 # Install wget and Download Bamboo
-RUN apk add --update --no-cache wget bash openssl procps && \
+RUN apt-get update && \
+    apt-get install -yq wget curl && \
     echo $BB_PKG_NAME && \
     wget https://www.atlassian.com/software/bamboo/downloads/binary/$BB_PKG_NAME.tar.gz && \
     tar xvzf $BB_PKG_NAME.tar.gz && \
     rm -vf $BB_PKG_NAME.tar.gz && \
     mkdir -p /opt && \
-    mv $BB_PKG_NAME /opt && \
-    rm -rf /var/cache/apk/*
+    mv $BB_PKG_NAME /opt/atlassian-bamboo
 
 # COPY bamboo-init.properties config
-COPY config/bamboo-init.properties /opt/$BB_PKG_NAME/WEB-INF/classes/
-COPY config/bamboo-init.properties /opt/$BB_PKG_NAME/
+COPY config/bamboo-init.properties /opt/atlassian-bamboo/WEB-INF/classes/
+COPY config/bamboo-init.properties /opt/atlassian-bamboo/
 
-# # Fix dir permissions/ownership
-RUN chmod a+rwx /opt/$BB_PKG_NAME/WEB-INF/classes/bamboo-init.properties && \
-    chown nobody:nobody -R /opt/$BB_PKG_NAME
+# Fix dir permissions/ownership
+RUN chmod a+rwx /opt/atlassian-bamboo/WEB-INF/classes/bamboo-init.properties && \
+    chown nobody:nobody -R /opt/atlassian-bamboo
 
 USER nobody
 
@@ -48,4 +47,4 @@ VOLUME ["/data"]
 EXPOSE ${PORT}
 
 # Define default command.
-CMD /opt/$BB_PKG_NAME/bin/start-bamboo.sh -fg
+CMD /opt/atlassian-bamboo/bin/start-bamboo.sh -fg
diff --git a/deployment/base/statefulset.yml b/deployment/base/statefulset.yml
@@ -22,6 +22,10 @@ spec:
         name: bamboo
         app: bamboo
     spec:
+      securityContext:
+        runAsNonRoot: true
+        runAsGroup: 65534
+        runAsUser: 65534
       containers:
         - image: docker.io/saidsef/atlassian-bamboo-cicd:v2023.04
           imagePullPolicy: Always
@@ -30,24 +34,31 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: status.hostIP
+            # - name: JAVA_OPTS
+            #   value: "-XX:+UseContainerSupport"
           name: bamboo
           ports:
             - protocol: TCP
               containerPort: 8085
               name: bamboo
+          resources:
+            limits:
+              cpu: 500m
+              memory: 1Gi
+              ephemeral-storage: 3Gi
           livenessProbe:
             exec:
               command:
                 - pgrep
                 - java
-            initialDelaySeconds: 3
+            initialDelaySeconds: 30
             periodSeconds: 3
             successThreshold: 1
             timeoutSeconds: 2
           readinessProbe:
             tcpSocket:
               port: bamboo
-            initialDelaySeconds: 5
+            initialDelaySeconds: 30
             periodSeconds: 5
             successThreshold: 1
             timeoutSeconds: 1
@@ -56,18 +67,18 @@ spec:
               type: RuntimeDefault
             allowPrivilegeEscalation: false
             privileged: false
-            runAsGroup: 65534
-            runAsUser: 65534
-            runAsNonRoot: true
-            readOnlyRootFilesystem: false
+            readOnlyRootFilesystem: true
             capabilities:
               drop:
                 - ALL
           volumeMounts:
-            - name: bamboo-storage
+            - name: data
               mountPath: /data
               subPath: data
+            - name: data
+              mountPath: /opt/atlassian-bamboo/logs
+              subPath: logs
       volumes:
-        - name: bamboo-storage
+        - name: data
           emptyDir:
             sizeLimit: 3Gi