memgraph / helm-charts

Helm charts for deploying Memgraph, an open-source in-memory graph database.
https://memgraph.github.io/helm-charts/
Apache License 2.0

[Bug]: memgraph containers not running with least privilege security context #36

Open tmyhu opened 2 weeks ago

tmyhu commented 2 weeks ago

What happened?

I'd like to suggest a couple of improvements to the securityContext in the StatefulSet of standalone memgraph helm chart. I've successfully tested these in our installation with the chart version 0.1.3:

apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: residency
spec:
  template:
    spec:
      initContainers:
        - name: init-volume-mounts
          securityContext:
            # Runs only chown on the mounted PVC so no need to write to root fs
            readOnlyRootFilesystem: true
            # `ALL` instead of `all` - case matters, see https://github.com/kubernetes/pod-security-admission/issues/11
            capabilities:
              drop:
                - ALL
      containers:
        - name: memgraph
          securityContext:
            allowPrivilegeEscalation: false
            runAsNonRoot: true
            runAsUser: 101
            capabilities:
              drop:
                - ALL

In addition, it may be helpful to add the securityContext settings to the default values to make them more transparent and allow users to change them in case of edge cases that may not work with the defaults.

Chart type

Standalone

Chart version

0.1.3

Environment

Kubernetes 1.27

Relevant log output

No response
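A check a practitioner can run over the rendered chart to verify the settings proposed above, as an added example that is not part of the issue or the chart itself; the audit rules mirror the proposal and both sample pod specs are constructed for the example:

```python
# Added example (not code from the memgraph/helm-charts repository): audit a
# StatefulSet pod spec for the least-privilege settings proposed in the issue.
# The two pod specs below are constructed; in practice you would feed the
# documents from `helm template ...` (parsed with yaml.safe_load_all) into
# audit_pod_spec(spec["spec"]["template"]["spec"]).

def _findings(container, kind):
    """Check one container (kind is 'container' or 'initContainer')."""
    sc = container.get("securityContext") or {}
    name = f"{kind} {container.get('name', '?')}"
    out = []
    if kind == "container":
        if sc.get("allowPrivilegeEscalation") is not False:
            out.append(f"{name}: allowPrivilegeEscalation is not false")
        if sc.get("runAsNonRoot") is not True:
            out.append(f"{name}: runAsNonRoot is not true")
    else:  # the init container only chowns the PVC, so its root fs can be read-only
        if sc.get("readOnlyRootFilesystem") is not True:
            out.append(f"{name}: readOnlyRootFilesystem is not true")
    drops = (sc.get("capabilities") or {}).get("drop") or []
    if "ALL" not in drops:  # case matters: pod-security-admission only accepts ALL
        hint = " ('all' is not 'ALL')" if "all" in drops else ""
        out.append(f"{name}: capabilities.drop lacks ALL{hint}")
    return out

def audit_pod_spec(pod_spec):
    """Return findings for a pod spec (spec.template.spec); empty means compliant."""
    findings = []
    for c in pod_spec.get("initContainers", []):
        findings += _findings(c, "initContainer")
    for c in pod_spec.get("containers", []):
        findings += _findings(c, "container")
    return findings

# Constructed: the securityContext settings proposed in the issue.
PROPOSED_SPEC = {
    "initContainers": [{"name": "init-volume-mounts", "securityContext": {
        "readOnlyRootFilesystem": True, "capabilities": {"drop": ["ALL"]}}}],
    "containers": [{"name": "memgraph", "securityContext": {
        "allowPrivilegeEscalation": False, "runAsNonRoot": True, "runAsUser": 101,
        "capabilities": {"drop": ["ALL"]}}}],
}

# Constructed: no init securityContext and the lowercase `all` mistake.
WEAK_SPEC = {
    "initContainers": [{"name": "init-volume-mounts"}],
    "containers": [{"name": "memgraph",
                    "securityContext": {"capabilities": {"drop": ["all"]}}}],
}

if __name__ == "__main__":
    for finding in audit_pod_spec(WEAK_SPEC):
        print(finding)
```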

antejavor commented 2 weeks ago

Hi @tmyhu, thanks for bringing this to our attention and opening the issue; I will take a look.