chore: updated cloud tty image reference and user (#823)

merll · web-flow · commit 57dbb77f69ff · 2025-10-31T10:22:14.000+01:00
* chore: updated cloud tty image reference and user

* chore: updated cloud tty image reference and user for admin

* fix: added ttyd writable argument

* chore: update to new tty image and remove overrides

* chore: update to tty image with bash entrypoint

* chore: adopt latest optimizations to tty image

* feat: added security context for improved policy compliance
diff --git a/src/ttyManifests/adminTtyManifests/tty_02_Pod.yaml b/src/ttyManifests/adminTtyManifests/tty_02_Pod.yaml
@@ -9,14 +9,14 @@ metadata:
 spec:
   serviceAccountName: tty-$SUB
   securityContext:
-    runAsUser: 1000
-    runAsGroup: 1000
-  volumes:
-    - name: kconfig
-      configMap:
-        name: kconfig-team-$TARGET_TEAM
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
+    runAsUser: 1001
+    runAsGroup: 1001
+    fsGroup: 1001
   containers:
-    - image: linode/apl-tty:1.2.1
+    - image: linode/apl-tty:1.2.5
       name: po
       resources:
         requests:
@@ -25,12 +25,12 @@ spec:
         limits:
           memory: '256Mi'
           cpu: '500m'
-      volumeMounts:
-        - name: kconfig
-          mountPath: /etc/kconfig
-      command:
-        - bash
-        - -c
-        - bash /etc/kconfig/kconfig.sh && ttyd -w /home/user -p 8080 tmux new -A
+      env:
+        - name: NAMESPACE
+          value: team-$TARGET_TEAM
+      securityContext:
+        allowPrivilegeEscalation: false
+        capabilities:
+          drop:
+            - ALL
 ---
-
diff --git a/src/ttyManifests/tty_02_Pod.yaml b/src/ttyManifests/tty_02_Pod.yaml
@@ -9,14 +9,14 @@ metadata:
 spec:
   serviceAccountName: tty-$SUB
   securityContext:
-    runAsUser: 1000
-    runAsGroup: 1000
-  volumes:
-    - name: kconfig
-      configMap:
-        name: kconfig-team-$TARGET_TEAM
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
+    runAsUser: 1001
+    runAsGroup: 1001
+    fsGroup: 1001
   containers:
-    - image: linode/apl-tty:1.2.1
+    - image: linode/apl-tty:1.2.5
       name: po
       resources:
         requests:
@@ -25,12 +25,12 @@ spec:
         limits:
           memory: '256Mi'
           cpu: '500m'
-      volumeMounts:
-        - name: kconfig
-          mountPath: /etc/kconfig
-      command:
-        - bash
-        - -c
-        - bash /etc/kconfig/kconfig.sh && ttyd -w /home/user -p 8080 tmux new -A
+      env:
+        - name: NAMESPACE
+          value: team-$TARGET_TEAM
+      securityContext:
+        allowPrivilegeEscalation: false
+        capabilities:
+          drop:
+            - ALL
 ---
-
