I'd like to suggest a couple of improvements to the securityContext in the StatefulSet of the standalone memgraph Helm chart. I've successfully tested these in our installation with chart version 0.1.3:
```yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: residency
spec:
  template:
    spec:
      initContainers:
        - name: init-volume-mounts
          securityContext:
            # Runs only chown on the mounted PVC so no need to write to root fs
            readOnlyRootFilesystem: true
            # `ALL` instead of `all` - case matters, see https://github.com/kubernetes/pod-security-admission/issues/11
            capabilities:
              drop:
                - ALL
      containers:
        - name: memgraph
          securityContext:
            allowPrivilegeEscalation: false
            runAsNonRoot: true
            runAsUser: 101
            capabilities:
              drop:
                - ALL
```
In addition, it may be helpful to add the securityContext settings to the default values to make them more transparent and allow users to change them for edge cases that may not work with the defaults.
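As an added example (not part of this issue or the chart), a small check that walks a pod template and reports where it deviates from the settings proposed above, including the `ALL` vs `all` case problem that Pod Security Admission does not tolerate. The manifest is embedded as a constructed dict (the same structure as the YAML above); its init container deliberately uses lowercase `all` so the check has something to flag.

```python
"""Check a StatefulSet pod template for the securityContext settings proposed above."""
from typing import Any

# Constructed sample (dict form of the YAML above); the init container deliberately
# drops lowercase "all" to show the case-sensitivity problem noted in the YAML comment.
SAMPLE_TEMPLATE: dict[str, Any] = {
    "spec": {
        "initContainers": [
            {"name": "init-volume-mounts",
             "securityContext": {"readOnlyRootFilesystem": True,
                                 "capabilities": {"drop": ["all"]}}},
        ],
        "containers": [
            {"name": "memgraph",
             "securityContext": {"allowPrivilegeEscalation": False,
                                 "runAsNonRoot": True,
                                 "runAsUser": 101,
                                 "capabilities": {"drop": ["ALL"]}}},
        ],
    }
}

def check_container(container: dict[str, Any], is_init: bool) -> list[str]:
    """Return findings for one container; an empty list means it matches the proposal."""
    name = container.get("name", "<unnamed>")
    sc = container.get("securityContext") or {}
    findings: list[str] = []
    drop = (sc.get("capabilities") or {}).get("drop") or []
    # Pod Security Admission compares the literal string "ALL"; "all" does not count.
    if "ALL" not in drop:
        hint = " (lowercase 'all' is not recognized)" if "all" in drop else ""
        findings.append(f"{name}: capabilities.drop must include 'ALL'{hint}")
    if is_init:
        # The init container only chowns the PVC, so its root fs can be read-only.
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: readOnlyRootFilesystem should be true")
    else:
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation must be false")
        if sc.get("runAsNonRoot") is not True or not sc.get("runAsUser"):
            findings.append(f"{name}: set runAsNonRoot: true and a non-zero runAsUser")
    return findings

def check_pod_template(template: dict[str, Any]) -> list[str]:
    spec = template.get("spec", {})
    findings: list[str] = []
    for c in spec.get("initContainers", []):
        findings += check_container(c, is_init=True)
    for c in spec.get("containers", []):
        findings += check_container(c, is_init=False)
    return findings
```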
Chart type
Standalone
Chart version
0.1.3
Environment
Kubernetes 1.27
Relevant log output
No response