oauth2-proxy / manifests

For hosting manifests to allow for the deployment of OAuth2-Proxy/OAuth2-Proxy
Apache License 2.0

Provide good securityContext by default #142

Closed jemag closed 1 year ago

jemag commented 1 year ago

Describe the solution you'd like

Provide good defaults for the various securityContext settings, like:

  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
      - ALL
    readOnlyRootFilesystem: true
    runAsGroup: 2000
    runAsNonRoot: true
    runAsUser: 2000
    seccompProfile:
      type: RuntimeDefault

Currently, securityContext is not enabled, although some values are potentially suggested in comments, e.g.:

  securityContext:
    enabled: false
    runAsNonRoot: true
    # allowPrivilegeEscalation: false
    # runAsUser: 2000

What is the added value?

This would improve the default security out of the box for helm chart users. If the containers currently support it, there isn't much downside to improving the default security.

It also helps clarify to the end-user that these values are officially supported and will not cause any problem with the containers (e.g.: readOnlyRootFilesystem: true could, for example, cause problems for containers expecting to write to specific directories). By having them already specified, the end-user does not need to do extensive testing to ensure it does not cause any issue.
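As an added example (not part of the original issue and not code from the oauth2-proxy chart), this is a check of a pod spec against the exact securityContext values proposed in the issue above. The function names and the sample pod spec are assumptions constructed for illustration; fields a container leaves unset fall back to the pod-level securityContext where Kubernetes allows that.

```python
# Baseline copied from the securityContext proposed in the issue (exact-match check).
BASELINE = {
    "allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True,
    "runAsNonRoot": True, "runAsUser": 2000, "runAsGroup": 2000,
    "seccompProfile.type": "RuntimeDefault",
}
# Fields that also exist on the pod-level securityContext and are inherited when unset.
POD_INHERITED = {"runAsNonRoot", "runAsUser", "runAsGroup", "seccompProfile.type"}


def _get(ctx, dotted):
    """Walk a dotted path through nested dicts; None if any part is missing."""
    for key in dotted.split("."):
        if not isinstance(ctx, dict) or key not in ctx:
            return None
        ctx = ctx[key]
    return ctx


def audit_pod_spec(pod_spec):
    """Return {container_name: [findings]} for containers that miss the baseline."""
    pod_ctx = pod_spec.get("securityContext") or {}
    report = {}
    containers = pod_spec.get("initContainers", []) + pod_spec.get("containers", [])
    for c in containers:
        ctx = c.get("securityContext") or {}
        findings = []
        for field, want in BASELINE.items():
            got = _get(ctx, field)
            if got is None and field in POD_INHERITED:
                got = _get(pod_ctx, field)  # container value wins, pod value is the fallback
            if got != want:
                findings.append(f"{field}: want {want!r}, got {got!r}")
        drops = [d.upper() for d in _get(ctx, "capabilities.drop") or []]
        if "ALL" not in drops:  # capabilities can only be set per container
            findings.append("capabilities.drop: want ['ALL']")
        if findings:
            report[c["name"]] = findings
    return report


# Constructed sample: the dict form of a Deployment's .spec.template.spec.
SAMPLE = {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 2000, "runAsGroup": 2000,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [
        {"name": "hardened", "securityContext": {"allowPrivilegeEscalation": False,
            "readOnlyRootFilesystem": True, "capabilities": {"drop": ["ALL"]}}},
        {"name": "overrides-root", "securityContext": {"runAsUser": 0}},
    ],
}
```

On the sample, the first container passes through a mix of pod-level and container-level settings, while the second is reported because its own runAsUser: 0 overrides the pod-level value and it sets none of the container-only fields.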

jemag commented 1 year ago

I can submit a PR with improved default securityContext if you would like.

pierluigilenoci commented 1 year ago

@jemag It would be nice if you create a PR for this. Even if changing a chart's default configuration is risky, please consider it carefully.