From 5ef7b74a33beb4c7a655ad5a141969a0ea2201f7 Mon Sep 17 00:00:00 2001 From: Peter Kurfer Date: Tue, 7 May 2024 16:07:29 +0200 Subject: [PATCH] chore(snips): configure security context --- snips/kustomization.yaml | 2 +- snips/resources/statefulset.yaml | 35 ++++++++++++++++++++++++++------ 2 files changed, 30 insertions(+), 7 deletions(-) diff --git a/snips/kustomization.yaml b/snips/kustomization.yaml index 1db0151..127c43d 100644 --- a/snips/kustomization.yaml +++ b/snips/kustomization.yaml @@ -9,7 +9,7 @@ images: newTag: v0.3.2 - name: litestream newName: litestream/litestream - newTag: "0.3" + newTag: "0.3.13" labels: - includeSelectors: true diff --git a/snips/resources/statefulset.yaml b/snips/resources/statefulset.yaml index cccf1f5..e6fa242 100644 --- a/snips/resources/statefulset.yaml +++ b/snips/resources/statefulset.yaml @@ -18,12 +18,6 @@ spec: - name: init-litestream image: litestream args: ['restore', '-if-db-not-exists', '-if-replica-exists', '/data/snips.db'] - volumeMounts: - - name: data - mountPath: /data - - name: litestream-config - mountPath: /etc/litestream.yml - subPath: litestream.yml env: - name: LITESTREAM_ACCESS_KEY_ID valueFrom: @@ -35,6 +29,18 @@ spec: secretKeyRef: name: snips-secrets key: garage-secret-key + volumeMounts: + - name: data + mountPath: /data + - name: litestream-config + mountPath: /etc/litestream.yml + subPath: litestream.yml + securityContext: + capabilities: + drop: + - ALL + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true containers: - name: snips image: snips @@ -77,6 +83,12 @@ spec: mountPath: /etc/snips - name: data mountPath: /data + securityContext: + capabilities: + drop: + - ALL + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true - name: litestream image: litestream args: ['replicate'] 
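Review bot: `readOnlyRootFilesystem: true` on the `snips` container leaves only the `/etc/snips` and `/data` mounts writable, and nothing in the hunk shows whether the binary writes anywhere else (a temp directory, cache or socket path), so the first start under this context is where an EROFS error would surface. If it does, keep the read-only root and give the process scratch space instead of dropping the flag: add `- name: tmp` / `  emptyDir: {}` to `volumes` and mount it at `/tmp` in the container. The `/etc/snips` mount is presumably a ConfigMap and read-only regardless; the `volumes` list and the rest of the container definition lie outside the hunk.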
@@ -112,6 +124,17 @@ spec: ports: - name: metrics containerPort: 9090 + securityContext: + capabilities: + drop: + - ALL + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + securityContext: + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + runAsNonRoot: true affinity: podAntiAffinity: preferredDuringSchedulingIgnoredDuringExecution:
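Review bot: The pod-level `securityContext` added before `affinity` sets every field the Pod Security Standards "restricted" profile requires except a seccomp profile, so a namespace that enforces restricted would still reject this pod; add `seccompProfile:` / `  type: RuntimeDefault` to that block, which then covers the init container and both app containers. That block must sit directly under `template.spec`, a sibling of `containers` and `affinity`, and not inside the `litestream` container whose own `securityContext` is added just above it — the collapsed rendering here hides the indentation, so it is worth a glance. One migration caveat, inferred rather than visible: if the `data` volume already holds files written by a root-running process, the move to uid 1000 relies on `fsGroup: 1000` re-owning and group-write-enabling them at mount time, which only happens for volume types that honour fsGroup.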