Merge pull request #169 from abnamro/2625849-bug-fix-random-500-error-during-auditing

[#2632286] Fix 500 error coming due to redis permission issue while writing the dump.rdp file for snapshots

Author: amrityamrout

.github/workflows/k8-infra-ci.yaml

@@ -23,7 +23,8 @@ on:
 
 env:
   KUBERNETES_INFRA_DIR: deployment/kubernetes
-  KUBE_AUDIT_TAG: 0.22.0
+  KUBE_AUDIT_VERSION: 0.22.0
+  DATREE_VERSION: 1.9.19
 
 jobs:
   helm-chart-validation:
@@ -84,8 +85,8 @@ jobs:
 
     - name: Install Kubeaudit
       run: |
-       curl -LO https://github.com/Shopify/kubeaudit/releases/download/v${{env.KUBE_AUDIT_TAG}}/kubeaudit_${{env.KUBE_AUDIT_TAG}}_linux_amd64.tar.gz
-       tar -xzvf kubeaudit_${{env.KUBE_AUDIT_TAG}}_linux_amd64.tar.gz
+       curl -LO https://github.com/Shopify/kubeaudit/releases/download/v${{env.KUBE_AUDIT_VERSION}}/kubeaudit_${{env.KUBE_AUDIT_VERSION}}_linux_amd64.tar.gz
+       tar -xzvf kubeaudit_${{env.KUBE_AUDIT_VERSION}}_linux_amd64.tar.gz
        mv kubeaudit /usr/local/bin/
 
     - name: Run Kubeaudit Scan
@@ -95,7 +96,9 @@ jobs:
 
     - name: Install Datree
       run: |
-        curl https://get.datree.io | /bin/bash
+        curl -L -o datree.zip https://github.com/datreeio/datree/releases/download/${{env.DATREE_VERSION}}/datree-cli_${{env.DATREE_VERSION}}_Linux_x86_64.zip
+        unzip datree.zip -d datree
+        mv datree/datree /usr/local/bin/
 
     - name: Run Datree Scan
       id: datree_scan

deployment/kubernetes/charts/resc-redis/templates/redis_configmap.yaml

@@ -7,6 +7,7 @@ metadata:
     app: {{ .Values.global.appName }}
 data:
   redis-config: |
-    maxmemory 6gb
+    maxmemory 1gb
     maxmemory-policy allkeys-lru 
     protected-mode yes
+    save 3600 1

deployment/kubernetes/charts/resc-redis/templates/redis_deployement.yaml

@@ -3,6 +3,8 @@ kind: Deployment
 metadata:
   name: {{ .Values.global.appName }}-redis
   namespace: {{ .Values.global.namespace }}
+  annotations:
+    datree.skip/CONTAINERS_INCORRECT_RUNASUSER_VALUE_LOWUID: irrelevant for redis docker image, skipping.
 spec:
   selector:
     matchLabels:
@@ -20,6 +22,7 @@ spec:
         app: {{ .Values.global.appName }}
         tier: redis
         kubeaudit.io/allow-disabled-apparmor: "apparmor-needs-to-be-installed-on-host"
+        kubeaudit.io/allow-read-only-root-filesystem-false: "required-to-write-log-files"
       annotations:
         rollme: {{ randAlphaNum 5 | quote }}
         {{- with include "resc.redisAnnotations" .}}
@@ -72,15 +75,15 @@ spec:
           timeoutSeconds: 10
         securityContext:
           allowPrivilegeEscalation: false
-          readOnlyRootFilesystem: true
+          readOnlyRootFilesystem: false
           privileged: false
           capabilities:
             drop:
               - ALL
           seccompProfile:
             type: RuntimeDefault
           runAsNonRoot: true
-          runAsUser: 10001
+          runAsUser: 999
         livenessProbe:
           exec:
             command:

deployment/kubernetes/charts/resc-redis/values.yaml

@@ -6,11 +6,11 @@ redis:
     pullPolicy: IfNotPresent
   resources:
     requests:
-      cpu: 250m
-      memory: 256Mi
+      cpu: 400m
+      memory: 750M
     limits:
-      cpu: 250m
-      memory: 256Mi
+      cpu: 500m
+      memory: 1G
   config:
     port: 6379
     password: