Consider using nginx-unprivileged #674

Open
grieshaber opened this issue May 17, 2024 · 1 comment · Fixed by openclarity/vmclarity#1983

@grieshaber

Problem Statement

When deploying VMClarity with the current helm chart to a more restrictive Kubernetes environment, some components fail.
Especially the UI won't work, as the normal nginx image is used, which requires the usage of the root user or lots of adaptions (emptyDir Mount, high port, ...), which are currently not configurable via the helm chart.

Proposed Solution

I'd see two solutions:

  1. Allow more flexibility in the helm chart, e.g. configuring the port of the UI Service, additional volume mounts for emptyDir etc.

  2. Use a secure-by-default approach and use images like nginx-unprivileged and activate the podSecurityContext / containerSecurityContext for UI etc. per default (currently: enabled: false)

Alternatives Considered

There is no alternative to security ;)

Additional Context

n/a
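
The second option above, sketched as a plain Kubernetes manifest. This is an added example, not part of the original issue and not the VMClarity chart's own template; the resource name `ui-example` and the `stable` image tag are assumptions. It combines the pieces the issue lists: the `nginxinc/nginx-unprivileged` image, a high container port, an emptyDir mount, and pod and container security contexts.

```yaml
# Added example: names are hypothetical, not taken from the VMClarity chart.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ui-example
spec:
  replicas: 1
  selector:
    matchLabels: {app: ui-example}
  template:
    metadata:
      labels: {app: ui-example}
    spec:
      securityContext:                   # pod-level settings
        runAsNonRoot: true
        runAsUser: 101                   # default nginx UID in nginx-unprivileged
        runAsGroup: 101
        seccompProfile: {type: RuntimeDefault}
      containers:
        - name: ui
          image: nginxinc/nginx-unprivileged:stable   # pin a version or digest in practice
          ports:
            - name: http
              containerPort: 8080        # this image listens on 8080, not 80
          securityContext:               # container-level settings
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities: {drop: ["ALL"]}
          volumeMounts:
            - name: tmp
              mountPath: /tmp            # pid file and temp paths live under /tmp in this image
      volumes:
        - name: tmp
          emptyDir: {}                   # writable scratch space despite the read-only root
---
apiVersion: v1
kind: Service
metadata:
  name: ui-example
spec:
  selector: {app: ui-example}
  ports:
    - name: http
      port: 80                           # clients still reach the UI on port 80
      targetPort: http                   # forwarded to the unprivileged port 8080
```

Because the Service maps port 80 to the named container port, consumers of the UI do not need to change when the container moves to an unprivileged port.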

Thank you for your contribution! This issue has been automatically marked as stale because it has no recent activity in the last 60 days. It will be closed in 14 days, if no further activity occurs. If this issue is still relevant, please leave a comment to let us know, and the stale label will be automatically removed.

@github-actions github-actions bot added the stale label Jul 21, 2024
@paralta paralta removed the stale label Jul 22, 2024
@ramizpolic ramizpolic transferred this issue from openclarity/vmclarity Aug 8, 2024
ramizpolic pushed a commit that referenced this issue Aug 10, 2024
Bumps [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) from 4 to 5.
- [Release notes](https://github.com/goreleaser/goreleaser-action/releases)
- [Commits](goreleaser/goreleaser-action@v4...v5)

---
updated-dependencies:
- dependency-name: goreleaser/goreleaser-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
ramizpolic pushed a commit that referenced this issue Aug 12, 2024
Bumps [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) from 4 to 5.
- [Release notes](https://github.com/goreleaser/goreleaser-action/releases)
- [Commits](goreleaser/goreleaser-action@v4...v5)

---
updated-dependencies:
- dependency-name: goreleaser/goreleaser-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>