add security context that we recommend for the image #32
Conversation
I will review and test this tomorrow at work.
We may want to consider wrapping the securityContext block in a conditional, default off for now, until we release a version-tagged Docker image, to reduce the risk of hitting any edge cases.
We also should make this change to the StatefulSet.
Co-authored-by: Brad Clark <bdashrad@gmail.com>
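The conditional securityContext suggested above, written out as an added example (this is not the chart's own template or values file, and the key names `securityContext.enabled`, the UID/GID values, and the `.Values.image.*` references are assumptions chosen to illustrate the pattern; substitute the user and group the image actually runs as):

```yaml
# values.yaml (hypothetical keys): the whole block is off by default, so an
# unchanged install renders exactly what it rendered before this change.
securityContext:
  enabled: false
  runAsUser: 65534    # assumed non-root UID of the image's process
  runAsGroup: 82      # assumed GID of the image's process
  fsGroup: 82         # group applied to supporting volumes when the pod starts

# templates/deployment.yaml (pod and container parts of the spec only)
spec:
  template:
    spec:
      {{- if .Values.securityContext.enabled }}
      securityContext:
        runAsUser: {{ .Values.securityContext.runAsUser }}
        runAsGroup: {{ .Values.securityContext.runAsGroup }}
        fsGroup: {{ .Values.securityContext.fsGroup }}
        runAsNonRoot: true
      {{- end }}
      containers:
        - name: privatebin
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
          {{- if .Values.securityContext.enabled }}
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          {{- end }}
```

To check both branches before merging, render the chart twice, `helm template . | grep -c securityContext` (expect 0) and `helm template . --set securityContext.enabled=true | grep -c securityContext` (expect 2), and then run the enabled variant against a throwaway namespace. Note that `fsGroup` only changes ownership on volume types whose plugin supports it; an NFS-backed PersistentVolume, as mentioned later in this thread, is not adjusted by `fsGroup`, which is why an init container is still needed there.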
Ok, I've created a tag "1.3.4-alpine3.12-k8s-sec-context" on the image repo, which got auto-built and published to Docker Hub. Would I now need to change the Chart.yaml's appVersion to this tag, or would you prefer to have the conditional in place anyway? (See helm-chart/privatebin/Chart.yaml, line 3 in 109a3c5.)
I need to think about how to do this properly in the StatefulSet so we don't break anyone using persistent volumes for storage.
Yes, let's rather be careful with this change. Don't know if this is helpful or not: for that k8s setup with an NFS-backed persistent volume I had to use an init container in the deployment to set up the permissions (as in the example in the image's README). Maybe it could be used to recursively update the permissions?
Note: the image mentioned above contains only the chown binary built from busybox.
That seems to be the common way to deal with file permissions in this situation. For example: https://github.com/helm/charts/blob/master/stable/redis/templates/redis-master-statefulset.yaml#L317
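The init-container approach discussed in the two comments above, as an added example for the StatefulSet (this is not the chart's own template; the `volumePermissions.*` keys, the image name, the UID/GID, the volume name and the `/srv/data` mount path are all assumptions used to illustrate the pattern and should be replaced with the values the image and chart actually use):

```yaml
# values.yaml (hypothetical keys): off by default so existing persistent
# volumes are never touched unless the operator opts in.
volumePermissions:
  enabled: false
  image: "example/chown-only:latest"   # assumed minimal image carrying only busybox chown
  uid: 65534                           # assumed UID the PrivateBin process runs as
  gid: 82                              # assumed GID the PrivateBin process runs as

# templates/statefulset.yaml (pod spec excerpt)
spec:
  template:
    spec:
      {{- if .Values.volumePermissions.enabled }}
      initContainers:
        - name: volume-permissions
          image: "{{ .Values.volumePermissions.image }}"
          # Recursive chown so files created by earlier root-run releases
          # become owned by the non-root user the main container runs as.
          command:
            - chown
            - -R
            - "{{ .Values.volumePermissions.uid }}:{{ .Values.volumePermissions.gid }}"
            - /srv/data
          securityContext:
            # Must run as root to change ownership; this overrides any
            # pod-level runAsUser. runAsNonRoot is also overridden here,
            # otherwise a pod-level runAsNonRoot: true makes the kubelet
            # refuse to start this init container.
            runAsUser: 0
            runAsNonRoot: false
          volumeMounts:
            - name: privatebin-data
              mountPath: /srv/data
      {{- end }}
      containers:
        - name: privatebin
          volumeMounts:
            - name: privatebin-data
              mountPath: /srv/data
```

Two things worth verifying on a test cluster before enabling this by default: that the recursive chown completes within the init container's time budget on a volume with many pastes (NFS makes per-file metadata operations comparatively slow), and that the pod's own securityContext, if one is added, does not prevent the init container from running as root. If a PodSecurityPolicy or admission policy forbids root containers in the namespace, this init container will be rejected, so the option must stay opt-in.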
Hello there. Also, ReadWriteMany is not an allowed mode with gp2, so I made it a variable in values. Thanks!
This is an untested change that I hope will not break any existing setup. I would expect that k8s already runs the process as the non-root user ID specified in the container, and therefore the data gets owned accordingly, but as discussed in #31 it could be made explicit.