[bitnami/ghost] feat!: 🔒 💥 Improve security defaults #24785
Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>
- name: prepare-base-dir | ||
image: {{ include "ghost.image" . }} | ||
imagePullPolicy: {{ .Values.image.pullPolicy | quote }} | ||
{{- if .Values.resources }} | ||
resources: {{- toYaml .Values.resources | nindent 12 }} | ||
{{- else if ne .Values.resourcesPreset "none" }} | ||
resources: {{- include "common.resources.preset" (dict "type" .Values.resourcesPreset) | nindent 12 }} | ||
{{- end }} | ||
{{- if .Values.containerSecurityContext.enabled }} | ||
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }} | ||
{{- end }} | ||
command: | ||
- /bin/bash | ||
args: | ||
- -ec | ||
- | | ||
#!/bin/bash | ||
|
||
. /opt/bitnami/scripts/liblog.sh | ||
|
||
info "Copying base dir to empty dir" | ||
# In order to not break the application functionality (such as upgrades or plugins) we need | ||
# to make the base directory writable, so we need to copy it to an empty dir volume | ||
cp -r --preserve=mode /opt/bitnami/ghost /emptydir/app-base-dir | ||
volumeMounts: | ||
- name: empty-dir | ||
mountPath: /emptydir |
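Review bot: the copy in `cp -r --preserve=mode /opt/bitnami/ghost /emptydir/app-base-dir` is not idempotent. An emptyDir volume survives container restarts within the same Pod, so if this init container is re-run after a partial or failed first attempt (the `-ec` flags make any cp error fatal), `/emptydir/app-base-dir` already exists and `cp -r` places a second copy at `/emptydir/app-base-dir/ghost` instead of refreshing the tree. Consider removing the target before copying, or copying the directory contents with `cp -r --preserve=mode /opt/bitnami/ghost/. /emptydir/app-base-dir`, so repeated runs converge on the same layout.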
No symlinks?
Ghost does not use apache, and Ghost already prints to stdout
Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>
LGTM
* [bitnami/ghost] feat!: 🔒 💥 Improve security defaults
  Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>
* fix: 🐛 Use .containerPort in networkPolicy
  Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>
---------
Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>
Signed-off-by: Jonathan Gazeley <me@jonathangazeley.com>
BREAKING CHANGE
Signed-off-by: Javier Salmeron Garcia jsalmeron@vmware.com
Description of the change
This major bump changes the following security defaults:
- runAsGroup is changed from 0 to 1001
- readOnlyRootFilesystem is set to true
- resourcesPreset is changed from none to the minimum size working in our test suites (NOTE: resourcesPreset is not meant for production usage, but resources adapted to your use case).
- global.compatibility.openshift.adaptSecurityContext is changed from disabled to auto.
Benefits
Possible drawbacks
This could potentially break any customization or init scripts used in your deployment. If this is the case, change the default values to the previous ones.
Applicable issues
Additional information
Checklist
- Chart.yaml according to semver. This is not necessary when the changes only affect README.md files.
- README.md using readme-generator-for-helm
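A way to verify that a deployed release actually carries the defaults described above (runAsGroup no longer 0, readOnlyRootFilesystem true, resources set rather than the old resourcesPreset of none). This is an added example, not code from the chart or from Bitnami: it audits a Pod in the JSON shape `kubectl get pod -o json` returns, and the sample Pod embedded below is constructed, with one container still on the old defaults.

```python
"""Audit a Pod spec for the security defaults this chart release makes standard."""
import json

# Constructed sample: a trimmed Pod in the shape `kubectl get pod -o json` returns.
# "ghost-old-defaults" mirrors the pre-release values; the other two use the new ones.
SAMPLE_POD_JSON = """
{
  "spec": {
    "initContainers": [
      {"name": "prepare-base-dir",
       "securityContext": {"runAsUser": 1001, "runAsGroup": 1001,
                           "readOnlyRootFilesystem": true},
       "resources": {"limits": {"cpu": "150m", "memory": "192Mi"}}}
    ],
    "containers": [
      {"name": "ghost-old-defaults",
       "securityContext": {"runAsUser": 1001, "runAsGroup": 0},
       "resources": {}},
      {"name": "ghost",
       "securityContext": {"runAsUser": 1001, "runAsGroup": 1001,
                           "readOnlyRootFilesystem": true},
       "resources": {"requests": {"cpu": "500m", "memory": "512Mi"}}}
    ]
  }
}
"""


def audit_container(container: dict) -> list:
    """Return one finding per changed default that this container does not meet."""
    name = container.get("name", "<unnamed>")
    sc = container.get("securityContext") or {}
    findings = []
    # runAsGroup: 0 is the root group; an unset value falls back to the image default.
    if sc.get("runAsGroup", 0) == 0:
        findings.append(f"{name}: runAsGroup is 0 or unset (expected a non-root GID such as 1001)")
    if sc.get("readOnlyRootFilesystem") is not True:
        findings.append(f"{name}: readOnlyRootFilesystem is not true")
    res = container.get("resources") or {}
    if not (res.get("requests") or res.get("limits")):
        findings.append(f"{name}: no resources set (behaves like resourcesPreset 'none')")
    return findings


def audit_pod(pod: dict) -> list:
    """Audit init containers and regular containers of one Pod object."""
    spec = pod.get("spec", {})
    containers = spec.get("initContainers", []) + spec.get("containers", [])
    return [f for c in containers for f in audit_container(c)]


def audit_sample() -> list:
    """Run the audit over the constructed sample Pod."""
    return audit_pod(json.loads(SAMPLE_POD_JSON))


if __name__ == "__main__":
    for finding in audit_sample():
        print(finding)
```

Pipe a real `kubectl get pod <name> -o json` into `audit_pod` to check a running release; an empty result means every container meets the new defaults.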