diff --git a/.trivyignore b/.trivyignore
new file mode 100644
index 0000000..1cd45f1
--- /dev/null
+++ b/.trivyignore
@@ -0,0 +1,3 @@
+# Dockerfile.nonroot intentionally starts as root to support PUID/PGID (LSIO pattern).
+# The entrypoint.sh creates the user at runtime and drops privileges via su-exec.
+DS-0002
diff --git a/chart/templates/deployment.yaml b/chart/templates/deployment.yaml
index 737e68f..cbe2ca7 100644
--- a/chart/templates/deployment.yaml
+++ b/chart/templates/deployment.yaml
@@ -26,10 +26,18 @@ spec:
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with .Values.podSecurityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       containers:
         - name: {{ .Chart.Name }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
+          {{- with .Values.securityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
           ports:
             - name: http
               containerPort: {{ .Values.containerPort }}
@@ -50,3 +58,17 @@ spec:
           resources:
             {{- toYaml . | nindent 12 }}
           {{- end }}
+          volumeMounts:
+            - name: nginx-tmp
+              mountPath: /etc/nginx/tmp
+            - name: nginx-cache
+              mountPath: /var/cache/nginx
+            - name: nginx-run
+              mountPath: /var/run
+      volumes:
+        - name: nginx-tmp
+          emptyDir: {}
+        - name: nginx-cache
+          emptyDir: {}
+        - name: nginx-run
+          emptyDir: {}
diff --git a/chart/values.yaml b/chart/values.yaml
index 91ea545..676d38c 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -63,6 +63,19 @@ httpRoute:
       type: PathPrefix
       value: /
 
+podSecurityContext:
+  runAsNonRoot: true
+  runAsUser: 101
+  runAsGroup: 101
+  fsGroup: 101
+
+securityContext:
+  allowPrivilegeEscalation: false
+  readOnlyRootFilesystem: true
+  capabilities:
+    drop:
+      - ALL
+
 resources: {}
 
 livenessProbe:
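Review bot: The `DS-0002` entry in `.trivyignore` suppresses the "runs as root" check for every Dockerfile Trivy scans in this repository, not only `Dockerfile.nonroot` that the comment justifies, so a future Dockerfile that forgets `USER` would pass silently. If the scan covers more than that one file, scope the exception to the file (Trivy's YAML ignore format takes a `paths` list per finding) or at least give this entry an expiry so it is revisited, e.g. `DS-0002 exp:<YYYY-MM-DD>`. The rationale also sits uneasily next to the chart's new `runAsNonRoot: true` / `runAsUser: 101`: if the chart deploys the image built from `Dockerfile.nonroot`, an entrypoint that creates a user and calls su-exec presumably cannot do so when the container already starts as UID 101 with a read-only root filesystem — worth confirming which image the chart targets and recording it in this comment.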
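Review bot: The three `emptyDir: {}` volumes added for the read-only root filesystem have no `sizeLimit`, and `/var/cache/nginx` in particular can grow with traffic until the kubelet evicts the pod for ephemeral-storage pressure; a bound such as `emptyDir:` / `  sizeLimit: 256Mi` (example value, tune to the workload) keeps a cache-filling client from affecting the node. The mount paths are also hard-coded to the stock nginx layout, so if the image's `nginx.conf` writes elsewhere (pid file, temp paths, templated `conf.d`), the container will fail to start once `readOnlyRootFilesystem` is on — this is inferred from the paths alone, so please verify against the image and consider exposing the list under a values key. A short template comment above `volumeMounts:` stating that these exist solely to satisfy `readOnlyRootFilesystem: true` would help the next maintainer, e.g. `# writable scratch dirs required because the container runs with a read-only root filesystem`. The pod `volumes:` block is correctly placed at spec level, but note the hunk ends the file there, so any later volume additions must be merged into this list.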
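Review bot: `podSecurityContext` in `values.yaml` sets `runAsNonRoot`, UID/GID and `fsGroup` but omits a seccomp profile, so the pod still does not meet the Kubernetes "restricted" Pod Security Standard even though the container-level `allowPrivilegeEscalation: false` and `drop: [ALL]` are in place. Adding `seccompProfile:` / `  type: RuntimeDefault` under `podSecurityContext` closes that gap with no behaviour change for a typical nginx workload. A one-line comment above each of the two new blocks naming their intent would also help, e.g. `# pod-level identity: run as the image's unprivileged nginx user (UID 101)` and `# container hardening: no privilege escalation, read-only rootfs, no capabilities`; the UID-101 assumption is inferred from the value and should be confirmed against the image.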