immich-app / immich-charts

Helm chart implementation of Immich
https://immich.app
GNU Affero General Public License v3.0

Allow configuring securityContext for the immich-server #112

Closed cjvirtucio87 closed 3 weeks ago

cjvirtucio87 commented 3 weeks ago

I have Pod Security Admission enabled in my environment. This means securityContext has to have specific configuration for every pod's containers:

W0818 15:33:11.560779   11673 warnings.go:70] would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "immich-server" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "immich-server" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "immich-server" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "immich-server" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

It'd be great if we could configure this on the container for the immich-server pod:

    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - ALL
      runAsUser: 1000
      runAsNonRoot: true
      seccompProfile:
        type: RuntimeDefault

mmomjian commented 3 weeks ago

Does cap_drop: ALL actually work for Immich? I might have to do some testing on this, I currently only have cap_drop: NET_RAW

bo0tzz commented 3 weeks ago

Since this chart builds on bjw-s's common-library, you can use anything it supports, either at the top level (applying to all Immich pods) or under each specific component's block in the values.yaml.

https://github.com/bjw-s/helm-charts/blob/923ef40a39520979c98f354ea23963ee54f54433/charts/library/common/values.yaml#L188-L192
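To make the four checks in the admission warning concrete, here is an added example (not code from immich-charts or the bjw-s common library) that reproduces them in Python against a plain dict shaped like a Pod spec. It covers only the checks the warning names (allowPrivilegeEscalation, capabilities.drop, runAsNonRoot, seccompProfile); the real "restricted" profile also checks things such as host namespaces and volume types. The pod structure and container names are constructed for the example; the proposed securityContext is the one from the issue body.

```python
"""Re-implement the Pod Security Admission "restricted" checks named in the
warning above, so a values.yaml securityContext can be sanity-checked before
deploying. Added example; not part of immich-charts or bjw-s/common-library.
Only the four checks from the warning are covered."""
from typing import Any, Dict, List, Optional

# The container securityContext proposed in the issue (constructed as a dict).
PROPOSED_SECURITY_CONTEXT: Dict[str, Any] = {
    "allowPrivilegeEscalation": False,
    "capabilities": {"drop": ["ALL"]},
    "runAsUser": 1000,
    "runAsNonRoot": True,
    "seccompProfile": {"type": "RuntimeDefault"},
}


def _effective(pod_sc: Dict[str, Any], container_sc: Dict[str, Any], key: str) -> Any:
    """For fields that exist at both levels (runAsNonRoot, seccompProfile),
    an explicit container-level value overrides the pod-level one."""
    if key in container_sc:
        return container_sc[key]
    return pod_sc.get(key)


def check_restricted(pod_spec: Dict[str, Any]) -> List[str]:
    """Return the violation messages PSA would report for this pod spec
    (wording mirrors the warning in the issue); empty list means it passes."""
    pod_sc = pod_spec.get("securityContext") or {}
    violations: List[str] = []
    containers = pod_spec.get("containers", []) + pod_spec.get("initContainers", [])
    for c in containers:
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}

        # Container-only field: must be explicitly false, no pod-level fallback.
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(
                f'container "{name}" must set securityContext.allowPrivilegeEscalation=false')

        # Dropping only NET_RAW (or nothing) is not enough; "ALL" must be listed.
        drop = (sc.get("capabilities") or {}).get("drop") or []
        if "ALL" not in drop:
            violations.append(
                f'container "{name}" must set securityContext.capabilities.drop=["ALL"]')

        if _effective(pod_sc, sc, "runAsNonRoot") is not True:
            violations.append(
                f'pod or container "{name}" must set securityContext.runAsNonRoot=true')

        seccomp = _effective(pod_sc, sc, "seccompProfile") or {}
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            violations.append(
                f'pod or container "{name}" must set securityContext.seccompProfile.type '
                'to "RuntimeDefault" or "Localhost"')
    return violations


def immich_server_pod(container_sc: Dict[str, Any],
                      pod_sc: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
    """Build a minimal constructed pod spec with one 'immich-server' container,
    optionally with a pod-level securityContext (as a top-level chart value
    would produce)."""
    spec: Dict[str, Any] = {
        "containers": [{"name": "immich-server", "securityContext": container_sc}],
    }
    if pod_sc is not None:
        spec["securityContext"] = pod_sc
    return spec


if __name__ == "__main__":
    for label, sc in (("proposed", PROPOSED_SECURITY_CONTEXT),
                      ("net_raw_only", {"capabilities": {"drop": ["NET_RAW"]}}),
                      ("empty", {})):
        print(label, check_restricted(immich_server_pod(sc)) or "OK")
```

Running it shows the proposed block passing, while a container that only drops NET_RAW or sets nothing fails; the pod-level fallback is also worth exercising, since runAsNonRoot and seccompProfile can be set once at the top level of the chart values and still satisfy the check for every container.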