Consider using nginx-unprivileged #674
Comments
Thank you for your contribution! This issue has been automatically marked as |
ramizpolic pushed a commit that referenced this issue Aug 10, 2024

Bumps [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) from 4 to 5.
- [Release notes](https://github.com/goreleaser/goreleaser-action/releases)
- [Commits](goreleaser/goreleaser-action@v4...v5)

---
updated-dependencies:
- dependency-name: goreleaser/goreleaser-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

ramizpolic pushed a commit that referenced this issue Aug 12, 2024

Bumps [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) from 4 to 5.
- [Release notes](https://github.com/goreleaser/goreleaser-action/releases)
- [Commits](goreleaser/goreleaser-action@v4...v5)

---
updated-dependencies:
- dependency-name: goreleaser/goreleaser-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Problem Statement
When deploying VMClarity with the current helm chart to a more restrictive Kubernetes environment, some components fail.
Especially the UI won't work, as the normal nginx image is used, which requires the usage of the root user or lots of adaptations (emptyDir mount, high port, ...), which are currently not configurable via the helm chart.
Proposed Solution
I'd see two solutions:
- Allow more flexibility in the helm chart, e.g. configuring the port of the UI Service, additional volume mounts for emptyDir etc.
- Use a secure-by-default approach and use images like nginx-unprivileged and activate the podSecurityContext / containerSecurityContext for UI etc. per default (currently: `enabled: false`)

Alternatives Considered
There is no alternative to security ;)
Additional Context
n/a