okteto / cert-manager-webhook-civo

A webhook to use CIVO DNS as a DNS issuer for cert-manager.
Apache License 2.0

Run as non-root user #22

Closed j-zimnowoda closed 11 months ago

j-zimnowoda commented 12 months ago

Hi there, We are testing the integration of this webhook with otomi-core project.

Would you consider running it as a non-root user? It would strengthen the security posture and allow defining a proper security context in the values.yaml file. E.g.:

# Pod Security Context
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
securityContext:
  runAsNonRoot: true
  seccompProfile:
    type: RuntimeDefault

# Container Security Context to be set on the controller component container
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
    - ALL
  readOnlyRootFilesystem: true
  runAsNonRoot: true

Cheers!
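As an added example, not code from the repository or from either participant in this thread, the following Go program audits a rendered Deployment for the settings requested above. It reads the JSON that `kubectl get deploy <name> -o json` prints, resolves pod-level and container-level fields the way the kubelet does (container overrides pod), and returns one finding per missing hardening setting. The two manifests are constructed samples, and the image name is a placeholder.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Subset of the Deployment schema needed for the audit; tags follow the
// Kubernetes API so real `kubectl get deploy -o json` output parses.
type Seccomp struct {
	Type string `json:"type"`
}
type Caps struct {
	Add  []string `json:"add"`
	Drop []string `json:"drop"`
}
type PodSC struct {
	RunAsNonRoot   *bool    `json:"runAsNonRoot"`
	RunAsUser      *int64   `json:"runAsUser"`
	SeccompProfile *Seccomp `json:"seccompProfile"`
}
type ContainerSC struct {
	AllowPrivilegeEscalation *bool    `json:"allowPrivilegeEscalation"`
	ReadOnlyRootFilesystem   *bool    `json:"readOnlyRootFilesystem"`
	RunAsNonRoot             *bool    `json:"runAsNonRoot"`
	RunAsUser                *int64   `json:"runAsUser"`
	Capabilities             *Caps    `json:"capabilities"`
	SeccompProfile           *Seccomp `json:"seccompProfile"`
}
type Container struct {
	Name            string       `json:"name"`
	SecurityContext *ContainerSC `json:"securityContext"`
}
type Deployment struct {
	Spec struct {
		Template struct {
			Spec struct {
				SecurityContext *PodSC      `json:"securityContext"`
				Containers      []Container `json:"containers"`
			} `json:"spec"`
		} `json:"template"`
	} `json:"spec"`
}

func isTrue(b *bool) bool  { return b != nil && *b }
func isFalse(b *bool) bool { return b != nil && !*b }

// Audit returns one finding per container for each hardening setting that is
// not in effect. Container-level fields override pod-level ones.
func Audit(manifest []byte) ([]string, error) {
	var d Deployment
	if err := json.Unmarshal(manifest, &d); err != nil {
		return nil, err
	}
	pod := d.Spec.Template.Spec.SecurityContext
	if pod == nil {
		pod = &PodSC{}
	}
	var out []string
	for _, c := range d.Spec.Template.Spec.Containers {
		sc := c.SecurityContext
		if sc == nil {
			sc = &ContainerSC{}
		}
		report := func(msg string) { out = append(out, "container "+c.Name+": "+msg) }

		// Effective values: container field when set, otherwise the pod field.
		nonRoot, user, seccomp := pod.RunAsNonRoot, pod.RunAsUser, pod.SeccompProfile
		if sc.RunAsNonRoot != nil {
			nonRoot = sc.RunAsNonRoot
		}
		if sc.RunAsUser != nil {
			user = sc.RunAsUser
		}
		if sc.SeccompProfile != nil {
			seccomp = sc.SeccompProfile
		}
		// Either runAsNonRoot: true (kubelet verifies the image UID) or an
		// explicit non-zero runAsUser pins the process to a non-root user.
		if !isTrue(nonRoot) && (user == nil || *user == 0) {
			report("may run as root (runAsNonRoot not true and runAsUser unset or 0)")
		}
		if !isFalse(sc.AllowPrivilegeEscalation) {
			report("allowPrivilegeEscalation not explicitly false")
		}
		if !isTrue(sc.ReadOnlyRootFilesystem) {
			report("readOnlyRootFilesystem not true")
		}
		dropAll := false
		if sc.Capabilities != nil {
			for _, name := range sc.Capabilities.Drop {
				if name == "ALL" {
					dropAll = true
				}
			}
			if len(sc.Capabilities.Add) > 0 {
				report(fmt.Sprintf("adds capabilities %v", sc.Capabilities.Add))
			}
		}
		if !dropAll {
			report("capabilities.drop does not include ALL")
		}
		if seccomp == nil || (seccomp.Type != "RuntimeDefault" && seccomp.Type != "Localhost") {
			report("no RuntimeDefault/Localhost seccompProfile at pod or container level")
		}
	}
	return out, nil
}

// Constructed sample: a chart rendered with no security context at all.
const defaultManifest = `{"spec":{"template":{"spec":{
  "containers":[{"name":"webhook","image":"example/cert-manager-webhook-civo"}]}}}}`

// Constructed sample: the values from the issue rendered into the Deployment.
const hardenedManifest = `{"spec":{"template":{"spec":{
  "securityContext":{"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}},
  "containers":[{"name":"webhook","image":"example/cert-manager-webhook-civo",
    "securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},
      "readOnlyRootFilesystem":true,"runAsNonRoot":true}}]}}}}`

func main() {
	for _, m := range []string{defaultManifest, hardenedManifest} {
		findings, err := Audit([]byte(m))
		if err != nil {
			panic(err)
		}
		fmt.Printf("%d finding(s): %v\n", len(findings), findings)
	}
}
```

The values file alone is not enough to satisfy the first check: with `runAsNonRoot: true` the kubelet refuses to start a container whose image runs as UID 0 or whose USER is not numeric, so the webhook image itself has to declare a numeric non-root user, which is why this request needs a change on the image side and not only in the chart.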

rberrelleza commented 12 months ago

Yes, this would be great. It's been on my mind for a while. @j-zimnowoda if you have this working, would you mind sending a PR?

j-zimnowoda commented 12 months ago

Sure, just opened a PR.

rberrelleza commented 11 months ago

fixed by #23