itzg / minecraft-server-charts

MIT License
279 stars 144 forks source link

Use strict security context #154

Closed uhthomas closed 1 year ago

uhthomas commented 1 year ago

The current default values do not comply with the restricted pod security policy.

See:

Something like this should be fine:

podSecurityContext:
  runAsUser: 1000
  runAsGroup: 3000
  runAsNonRoot: true
  fsGroup: 2000
  seccompProfile:
    type: RuntimeDefault

securityContext:
  capabilities:
    drop:
      - ALL
  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false

I've tested this security context and it works as expected, assuming /tmp is mounted as writable.