chore(ollama): set pod security standards
@@ -29,6 +29,12 @@ create-namespace:
|
|||||||
if ! kubectl get namespace ${OLLAMA_NAMESPACE} &>/dev/null; then
|
if ! kubectl get namespace ${OLLAMA_NAMESPACE} &>/dev/null; then
|
||||||
kubectl create namespace ${OLLAMA_NAMESPACE}
|
kubectl create namespace ${OLLAMA_NAMESPACE}
|
||||||
fi
|
fi
|
||||||
|
kubectl label namespace ${OLLAMA_NAMESPACE} \
|
||||||
|
pod-security.kubernetes.io/enforce=restricted \
|
||||||
|
pod-security.kubernetes.io/enforce-version=latest \
|
||||||
|
pod-security.kubernetes.io/warn=restricted \
|
||||||
|
pod-security.kubernetes.io/warn-version=latest \
|
||||||
|
--overwrite
|
||||||
|
|
||||||
# Delete Ollama namespace
|
# Delete Ollama namespace
|
||||||
delete-namespace:
|
delete-namespace:
|
||||||
|
|||||||
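Review bot: The added `kubectl label` command sets both `enforce-version` and `warn-version` to `latest`, so the rules that admit pods into this namespace change whenever the cluster is upgraded, and a pod accepted today can be rejected later with no change in this repository. Pinning enforcement to the cluster's minor version (`pod-security.kubernetes.io/enforce-version=<CLUSTER_MINOR_VERSION>`) keeps admission stable, while `warn-version=latest` can stay so upcoming violations still surface. Adding `pod-security.kubernetes.io/audit=restricted` would also record violations in the API server audit log instead of only as warnings returned to the client. `${OLLAMA_NAMESPACE}` is unquoted here as in the surrounding lines; `"${OLLAMA_NAMESPACE}"` is the safer form. The create-namespace recipe starts outside the hunk.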
@@ -19,6 +19,21 @@ ollama:
|
|||||||
{{- end }}
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|
||||||
|
podSecurityContext:
|
||||||
|
fsGroup: 1000
|
||||||
|
seccompProfile:
|
||||||
|
type: RuntimeDefault
|
||||||
|
|
||||||
|
securityContext:
|
||||||
|
runAsUser: 1000
|
||||||
|
runAsNonRoot: true
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
seccompProfile:
|
||||||
|
type: RuntimeDefault
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- ALL
|
||||||
|
|
||||||
persistentVolume:
|
persistentVolume:
|
||||||
enabled: true
|
enabled: true
|
||||||
size: {{ .Env.OLLAMA_STORAGE_SIZE }}
|
size: {{ .Env.OLLAMA_STORAGE_SIZE }}
|
||||||
|
|||||||
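Review bot: The container `securityContext` sets `runAsUser: 1000` but no `runAsGroup`, so the process's primary group is left to the image and may end up as GID 0; adding `runAsGroup: 1000` next to the existing `fsGroup: 1000` makes the identity explicit. `readOnlyRootFilesystem: true` is not required by the restricted profile, but it would be a reasonable addition if the persistent volume is the only path the server writes to, which this hunk does not show. Since the namespace now enforces `restricted`, it is worth confirming that the image really runs as UID 1000 with a writable models directory, because the volume mount path and image are outside the hunk.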