Update backend security context.

fergmac · fergmac · commit 2ba0252bbd42 · 2025-01-08T14:41:44.000-08:00
diff --git a/backend/Dockerfile b/backend/Dockerfile
@@ -54,4 +54,6 @@ CMD sh -c "python3 manage.py migrate --noinput && \
     python3 manage.py createinitialrevisions && \
     python3 manage.py collectstatic --noinput && \
     # python3 manage.py export --cleanup=1 --upload=1 && \
-    python3 manage.py runserver 0.0.0.0:8000"
+    python3 manage.py runserver 0.0.0.0:8000"
+
+USER 1001
diff --git a/backend/openshift.deploy.yml b/backend/openshift.deploy.yml
@@ -14,16 +14,16 @@ parameters:
     required: true
   - name: CPU_REQUEST
     required: false
-    value: 200m
+    value: 100m
   - name: CPU_LIMIT
     required: false
-    value: 1000m
+    value: 500m
   - name: MEMORY_REQUEST
     required: false
-    value: 1500Mi
+    value: 750Mi
   - name: MEMORY_LIMIT
     required: false
-    value: 2Gi
+    value: 1Gi
   - name: E_LICENSING_URL
     required: true
   - name: DB_REPLICATE
@@ -459,19 +459,19 @@ objects:
             requests:
               cpu: "${CPU_REQUEST}"
               memory: "${MEMORY_REQUEST}"
-          readinessProbe:
-            httpGet:
-              path: /health
-              port: 8000
+          # readinessProbe:
+          #   httpGet:
+          #     path: /health
+          #     port: 8000
             # initialDelaySeconds: 20
             # timeoutSeconds: 3
             # periodSeconds: 5
             # successThreshold: 1
             # failureThreshold: 5
-          livenessProbe:
-            httpGet:
-              path: /health
-              port: 8000
+          # livenessProbe:
+          #   httpGet:
+          #     path: /health
+          #     port: 8000
             # initialDelaySeconds: 20
             # timeoutSeconds: 3
             # periodSeconds: 30
@@ -483,7 +483,9 @@ objects:
         restartPolicy: Always
         terminationGracePeriodSeconds: 30
         dnsPolicy: ClusterFirst
-        securityContext: {}
+        securityContext:
+          capabilities:
+            add: ["NET_BIND_SERVICE"]
         schedulerName: default-scheduler
 - apiVersion: autoscaling/v1
   kind: HorizontalPodAutoscaler
diff --git a/common/openshift.init.yml b/common/openshift.init.yml
@@ -140,5 +140,12 @@ objects:
       labels:
         template: nr-gwells-backend-network-security-policy
     spec:
+      podSelector: {}
+      ingress:
+        - from:
+            - namespaceSelector:
+                matchLabels:
+                  environment: dev
+                  name: cd43d9
       policyTypes:
-        - Ingress
+        - Ingress
