observatorium / thanos-receive-controller

Kubernetes controller to automatically configure Thanos receive hashrings
Apache License 2.0

Move to non-root container #57

Closed alex1989hu closed 3 years ago

alex1989hu commented 3 years ago

Move to gcr.io/distroless/static image which has non-root user.

Signed-off-by: Alex Szakaly alex.szakaly@gmail.com

Fixes #56

brancz commented 3 years ago

lgtm :+1:

cc @squat @kakkoyun @metalmatze

alex1989hu commented 3 years ago

> 🥇 LGTM. Of course, we'd prefer things more secure.
>
> @alex1989hu Can I assume you have already tested it and good go?

Sure, the container is fine. Furthermore, it is also fine with the hardened options under spec.template.spec.containers:

    securityContext:
      allowPrivilegeEscalation: false
      privileged: false
      readOnlyRootFilesystem: true
      runAsNonRoot: true
      capabilities:
        drop:
          - ALL
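As an added example (not code from this thread or from thanos-receive-controller), a small Python check that compares each container of a pod spec against the hardened securityContext quoted above; the pod spec is given as plain dicts mirroring the YAML, and the image tags are placeholders.

```python
# Hardened container-level securityContext values from the PR comment.
HARDENED_SECURITY_CONTEXT = {
    "allowPrivilegeEscalation": False,
    "privileged": False,
    "readOnlyRootFilesystem": True,
    "runAsNonRoot": True,
}


def check_container(container, pod_security_context=None):
    """Return findings for one container; an empty list means it meets the hardened spec.
    Pod-level securityContext keys (e.g. runAsNonRoot) apply unless the container
    overrides them, so they are merged in as defaults."""
    effective = {**(pod_security_context or {}), **(container.get("securityContext") or {})}
    name = container.get("name", "<unnamed>")
    findings = []
    for key, expected in HARDENED_SECURITY_CONTEXT.items():
        if effective.get(key) is not expected:
            findings.append(f"{name}: {key} should be {expected}, got {effective.get(key)}")
    caps = effective.get("capabilities") or {}
    if "ALL" not in (caps.get("drop") or []):
        findings.append(f"{name}: capabilities.drop should include ALL")
    if caps.get("add"):  # re-added capabilities undo the drop
        findings.append(f"{name}: capabilities.add re-grants {caps['add']}")
    return findings


def check_pod_spec(pod_spec):
    """Check every init container and container of a pod spec."""
    pod_sc = pod_spec.get("securityContext") or {}
    findings = []
    for container in pod_spec.get("initContainers", []) + pod_spec.get("containers", []):
        findings.extend(check_container(container, pod_sc))
    return findings


# Constructed sample: the hardened container from the comment next to one that
# relies on defaults (runs as the image's user, full capability set, writable rootfs).
SAMPLE_POD_SPEC = {
    "containers": [
        {
            "name": "thanos-receive-controller",
            "image": "thanos-receive-controller:PLACEHOLDER_TAG",  # placeholder tag
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "privileged": False,
                "readOnlyRootFilesystem": True,
                "runAsNonRoot": True,  # kubelet refuses to start the container if its user is UID 0
                "capabilities": {"drop": ["ALL"]},
            },
        },
        {"name": "sidecar", "image": "sidecar:PLACEHOLDER_TAG"},  # placeholder tag
    ]
}

if __name__ == "__main__":
    for finding in check_pod_spec(SAMPLE_POD_SPEC) or ["all containers meet the hardened spec"]:
        print(finding)
```

runAsNonRoot only verifies the user at start time; it is the distroless image's non-root user that makes the check pass for this controller.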