search

Alvearie / alvearie-helm

repository for the helm chart source and package for Alvearie projects
https://artifacthub.io/packages/helm/linuxforhealth
Apache License 2.0
3 stars 5 forks source link

Made security context configurable and set restrictive defaults #53

Closed chgl closed 3 years ago

chgl commented 3 years ago

This makes both the container and pod security context configurable and sets the default values quite restrictive.

I've been trying to get readOnlyRootFilesystem: true to work, and it does to some extend if you mount all volumes the server tries to write to as emptyDir (https://stackoverflow.com/questions/57274253/how-to-exempt-a-directory-when-using-readonlyrootfilesystem-in-kubernetes). I ended up mounting:

            - mountPath: /config/configDropins/overrides
              name: config-dropins-overrides
            - mountPath: /tmp
              name: tmp
            - mountPath: /opt/ol/wlp/output/defaultServer
              name: output-default-server
            - mountPath: /logs
              name: logs

and although it did run, I still saw a warning related to the server trying to remove some openapi.war from a apps/ dir. So to avoid breaking something, I kept the root filesystem as writeable for now.

I ran the manifests through Polaris and it lifts the score from a B+ to an A-.