continuist
f607d93d21
Some checks are pending
CI/CD Pipeline (Fully Isolated DinD) / Run Tests (DinD) (push) Waiting to run
CI/CD Pipeline (Fully Isolated DinD) / Build and Push Docker Images (DinD) (push) Blocked by required conditions
CI/CD Pipeline (Fully Isolated DinD) / Deploy to Production (push) Blocked by required conditions
169 lines
3.8 KiB
YAML
169 lines
3.8 KiB
YAML
apiVersion: v1
|
|
kind: Pod
|
|
metadata:
|
|
name: registry-pod
|
|
labels:
|
|
app: registry
|
|
security: hardened
|
|
spec:
|
|
securityContext:
|
|
runAsNonRoot: true
|
|
runAsUser: 1000
|
|
runAsGroup: 1000
|
|
fsGroup: 1000
|
|
allowPrivilegeEscalation: false
|
|
capabilities:
|
|
drop:
|
|
- ALL
|
|
readOnlyRootFilesystem: true
|
|
seccompProfile:
|
|
type: RuntimeDefault
|
|
# Additional security hardening
|
|
sysctls:
|
|
- name: net.ipv4.ip_forward
|
|
value: "0"
|
|
- name: net.ipv4.conf.all.forwarding
|
|
value: "0"
|
|
- name: net.ipv4.conf.default.forwarding
|
|
value: "0"
|
|
containers:
|
|
- name: registry
|
|
image: registry:2
|
|
securityContext:
|
|
runAsNonRoot: true
|
|
runAsUser: 1000
|
|
runAsGroup: 1000
|
|
allowPrivilegeEscalation: false
|
|
capabilities:
|
|
drop:
|
|
- ALL
|
|
readOnlyRootFilesystem: true
|
|
env:
|
|
- name: REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY
|
|
value: "/var/lib/registry"
|
|
- name: REGISTRY_STORAGE_DELETE_ENABLED
|
|
value: "false"
|
|
- name: REGISTRY_HTTP_ADDR
|
|
value: "0.0.0.0:5000"
|
|
- name: REGISTRY_HTTP_TLS_CERTIFICATE
|
|
value: "/etc/registry/certs/registry.crt"
|
|
- name: REGISTRY_HTTP_TLS_KEY
|
|
value: "/etc/registry/certs/private/registry.key"
|
|
resources:
|
|
requests:
|
|
cpu: "500m"
|
|
memory: "512Mi"
|
|
limits:
|
|
cpu: "1000m"
|
|
memory: "1Gi"
|
|
volumeMounts:
|
|
- name: registry-data
|
|
mountPath: /var/lib/registry
|
|
readOnly: false
|
|
- name: registry-certs
|
|
mountPath: /etc/registry/certs
|
|
readOnly: true
|
|
- name: tmp-volume
|
|
mountPath: /tmp
|
|
readOnly: false
|
|
ports:
|
|
- containerPort: 5000
|
|
protocol: TCP
|
|
livenessProbe:
|
|
httpGet:
|
|
path: /v2/
|
|
port: 5000
|
|
initialDelaySeconds: 30
|
|
periodSeconds: 10
|
|
readinessProbe:
|
|
httpGet:
|
|
path: /v2/
|
|
port: 5000
|
|
initialDelaySeconds: 5
|
|
periodSeconds: 5
|
|
|
|
- name: nginx
|
|
image: nginx:alpine
|
|
securityContext:
|
|
runAsNonRoot: true
|
|
runAsUser: 1000
|
|
runAsGroup: 1000
|
|
allowPrivilegeEscalation: false
|
|
capabilities:
|
|
drop:
|
|
- ALL
|
|
readOnlyRootFilesystem: true
|
|
# Additional security hardening
|
|
procMount: Default
|
|
seccompProfile:
|
|
type: RuntimeDefault
|
|
ports:
|
|
- containerPort: 443
|
|
protocol: TCP
|
|
- containerPort: 4443
|
|
protocol: TCP
|
|
resources:
|
|
requests:
|
|
cpu: "250m"
|
|
memory: "256Mi"
|
|
limits:
|
|
cpu: "500m"
|
|
memory: "512Mi"
|
|
volumeMounts:
|
|
- name: nginx-config
|
|
mountPath: /etc/nginx/nginx.conf
|
|
subPath: nginx.conf
|
|
readOnly: true
|
|
- name: registry-certs
|
|
mountPath: /etc/registry/certs
|
|
readOnly: true
|
|
- name: registry-auth
|
|
mountPath: /etc/nginx/.htpasswd
|
|
subPath: .htpasswd
|
|
readOnly: true
|
|
- name: nginx-logs
|
|
mountPath: /var/log/nginx
|
|
readOnly: false
|
|
- name: tmp-volume
|
|
mountPath: /tmp
|
|
readOnly: false
|
|
livenessProbe:
|
|
httpGet:
|
|
path: /health
|
|
port: 443
|
|
scheme: HTTPS
|
|
initialDelaySeconds: 30
|
|
periodSeconds: 10
|
|
readinessProbe:
|
|
httpGet:
|
|
path: /health
|
|
port: 443
|
|
scheme: HTTPS
|
|
initialDelaySeconds: 5
|
|
periodSeconds: 5
|
|
|
|
volumes:
|
|
- name: registry-data
|
|
hostPath:
|
|
path: /var/lib/registry/data
|
|
type: Directory
|
|
- name: nginx-config
|
|
hostPath:
|
|
path: /opt/APP_NAME/registry/nginx.conf
|
|
type: File
|
|
- name: registry-certs
|
|
hostPath:
|
|
path: /etc/registry/certs
|
|
type: Directory
|
|
- name: registry-auth
|
|
hostPath:
|
|
path: /etc/registry/auth
|
|
type: Directory
|
|
- name: nginx-logs
|
|
hostPath:
|
|
path: /var/log/nginx
|
|
type: Directory
|
|
- name: tmp-volume
|
|
emptyDir:
|
|
medium: Memory
|
|
sizeLimit: "100Mi"
|