Merge pull request #1723 from bigchaindb/run-mma-mba-non-root

Run mongodb monitoring and backup agents as non-root user

k8s/mongodb-backup-agent/container/Dockerfile

@@ -20,5 +20,5 @@ RUN apt update \
 COPY mongodb_backup_agent_entrypoint.bash /
 RUN chown -R mongodb-mms-agent:mongodb-mms-agent /etc/mongodb-mms/
 VOLUME /etc/mongod/ssl /etc/mongod/ca
-#USER mongodb-mms-agent - BUG(Krish) Uncomment after tests are complete
+USER mongodb-mms-agent
 ENTRYPOINT ["/mongodb_backup_agent_entrypoint.bash"]

k8s/mongodb-backup-agent/mongo-backup-dep.yaml

@@ -54,12 +54,12 @@ spec:
       - name: mdb-bak-certs
         secret:
           secretName: mdb-bak-certs
-          defaultMode: 0400
+          defaultMode: 0404
       - name: ca-auth
         secret:
           secretName: ca-auth
-          defaultMode: 0400
+          defaultMode: 0404
       - name: cloud-manager-credentials
         secret:
           secretName: cloud-manager-credentials
-          defaultMode: 0400
+          defaultMode: 0404

k8s/mongodb-monitoring-agent/container/Dockerfile

@@ -54,5 +54,5 @@ RUN apt update \
 COPY mongodb_mon_agent_entrypoint.bash /
 RUN chown -R mongodb-mms-agent:mongodb-mms-agent /etc/mongodb-mms/
 VOLUME /etc/mongod/ssl /etc/mongod/ca
-#USER mongodb-mms-agent - BUG(Krish) Uncomment after tests are complete
-ENTRYPOINT ["/mongodb_mon_agent_entrypoint.bash"]
+USER mongodb-mms-agent
+ENTRYPOINT ["/mongodb_mon_agent_entrypoint.bash"]

k8s/mongodb-monitoring-agent/mongo-mon-dep.yaml

@@ -54,12 +54,12 @@ spec:
       - name: mdb-mon-certs
         secret:
           secretName: mdb-mon-certs
-          defaultMode: 0400
+          defaultMode: 0404
       - name: ca-auth
         secret:
           secretName: ca-auth
-          defaultMode: 0400
+          defaultMode: 0404
       - name: cloud-manager-credentials
         secret:
           secretName: cloud-manager-credentials
-          defaultMode: 0400
+          defaultMode: 0404