blake / external-mdns

A service to advertise records for Kubernetes resources on a LAN over multicast DNS.
Apache License 2.0
59 stars 9 forks

Hardening the deployment #23

Closed iamasmith closed 4 months ago

iamasmith commented 4 months ago

external-mdns quite happily runs with this in the container config...

    spec:
      hostNetwork: true
      serviceAccountName: external-mdns
      containers:
      - name: external-mdns
        securityContext:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
        image: blakec/external-mdns:latest
        args:
        - -source=ingress
        - -source=service

In the K8S world, showing that your service needs as little privilege as possible helps with acceptance, so I would suggest that these at least are included in the suggested deployments. Additionally, it's probable that the service may work with a non-root user, allowing additional controls to be applied; I'll test this shortly and add more comments. In Scratch containers we achieve this by creating a dummy /etc/passwd and using a USER statement in the Dockerfile; it needn't add any additional layers to the container if you structure the prep correctly in the build container where the golang binary is built. It may sound overkill considering that it's a scratch container with no userland tools on it to exec into, but I'm just applying the approach I use at work for Scratch containers: show that the app can be trusted by the fact that it can exist in such constraints, and it's easy to check the image for the runtime user etc. prior to approving it. I'll test and raise an MR around this to demo.
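As an added example (not the project's own Dockerfile, nor the poster's), this is the scratch-image build described above: the passwd and group entries are prepared in the build stage and copied in alongside the binary, so the final image has no extra layers. It assumes the module builds a single static Go binary named external-mdns from the repository root and uses UID/GID 65532 as an arbitrary unprivileged id.

```dockerfile
# Added example, not the project's Dockerfile. Assumptions: `go build .`
# at the repo root yields the external-mdns binary; 65532 is an arbitrary
# unprivileged UID/GID chosen for the runtime user.
FROM golang:1.22 AS build
WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# Fully static binary so it runs on scratch with no libc present.
RUN CGO_ENABLED=0 go build -trimpath -ldflags="-s -w" -o /out/external-mdns .
# Dummy passwd/group entries for the runtime user, created here in the
# build stage so the scratch stage only needs COPY instructions.
RUN mkdir -p /out/etc \
 && echo 'nonroot:x:65532:65532:nonroot:/:/sbin/nologin' > /out/etc/passwd \
 && echo 'nonroot:x:65532:' > /out/etc/group

FROM scratch
COPY --from=build /out/etc/passwd /out/etc/group /etc/
COPY --from=build /out/external-mdns /external-mdns
# Numeric UID:GID so the kubelet can enforce runAsNonRoot without having
# to resolve a user name inside the image.
USER 65532:65532
ENTRYPOINT ["/external-mdns"]
```

With a numeric USER baked in, the pod spec above can additionally set `runAsNonRoot: true` in its securityContext; mDNS uses UDP port 5353, which is above 1024 and so needs no capability to bind even with all capabilities dropped.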