Change summary

script/deploy                    | 10 +++++-----
script/kube-shell                | 11 +++++++++++
server/k8s/manifest.template.yml |  5 +++++
3 files changed, 21 insertions(+), 5 deletions(-)

Detailed changes

@@ -22,16 +22,16 @@ if [[ ! -f $ENV_FILE ]]; then
   exit 1
 fi
 
-if [[ -n $(git status --short) ]]; then
-  echo "Cannot deploy with uncommited changes"
+if [[ $ZED_KUBE_NAMESPACE == "production" && -n $(git status --short) ]]; then
+  echo "Cannot deploy uncommited changes to production"
   exit 1
 fi
 
 git_sha=$(git rev-parse HEAD)
-export ZED_IMAGE_ID=registry.digitalocean.com/zed/zed-server:${ZED_KUBE_NAMESPACE}-${git_sha}
+export ZED_IMAGE_ID="registry.digitalocean.com/zed/zed-server:${ZED_KUBE_NAMESPACE}-${git_sha}"
 export $(cat $ENV_FILE)
 
-docker build . --tag $ZED_IMAGE_ID
-docker push $ZED_IMAGE_ID
+docker build . --tag "$ZED_IMAGE_ID"
+docker push "$ZED_IMAGE_ID"
 
 envsubst < server/k8s/manifest.template.yml | kubectl apply -f -

@@ -0,0 +1,11 @@
+#!/bin/bash
+
+if [[ $# < 1 ]]; then
+  echo "Usage: $0 [production|staging|...]"
+  exit 1
+fi
+
+export ZED_KUBE_NAMESPACE=$1
+
+pod=$(kubectl --namespace=${ZED_KUBE_NAMESPACE} get pods --selector=app=zed --output=jsonpath='{.items[*].metadata.name}')
+exec kubectl --namespace $ZED_KUBE_NAMESPACE exec --tty --stdin $pod -- /bin/bash

@@ -76,3 +76,8 @@ spec:
                 secretKeyRef:
                   name: github
                   key: privateKey
+          securityContext:
+            capabilities:
+              # FIXME - Switch to the more restrictive `PERFMON` capability.
+              # This capability isn't yet available in a stable version of Debian.
+              add: ["SYS_ADMIN"]