Hi, thanks for creating this. I've just deployed it on an OpenShift cluster and to get it to run, I've had to do the following:
create service account
oc create sa modsecurity-crs-proxy-sa
grant service account access to nonroot-v2 SCC
oc adm policy add-scc-to-user nonroot-v2 -z modsecurity-crs-proxy-sa
update the deployment to use the SA, and apply securityContexts so that it runs with the expected user
oc patch deployment modsecurity-crs-proxy --type='strategic' -p '{
"spec": {
"template": {
"spec": {
"serviceAccountName": "modsecurity-crs-proxy-sa",
"securityContext": {
"runAsUser": 999,
"runAsGroup": 999,
"fsGroup": 999
}
}
}
}
}'This is because the the apache image (see Dockerfile) specifies:
RUN useradd --system httpd
RUN set -eux; \
...
...
USER httpd
ENTRYPOINT ["/docker-entrypoint.sh"]
HEALTHCHECK CMD /usr/local/bin/healthcheck
# Use httpd-foreground from upstream
CMD ["httpd-foreground"]
Otherwise the container goes into error state and the pod logs show lots of access denied entries.
Hi, thanks for creating this. I've just deployed it on an OpenShift cluster and to get it to run, I've had to do the following:
create service account
grant service account access to nonroot-v2 SCC
update the deployment to use the SA, and apply securityContexts so that it runs with the expected user
This is because the the apache image (see Dockerfile) specifies:
Otherwise the container goes into error state and the pod logs show lots of
access deniedentries.