Additional security settings for pganalyze collector

Question

Additional security settings for pganalyze collector

jawnsy opened this issue a year ago · comments

We've been using these settings successfully for quite some time, so I thought I'd contribute these upstream if it's of interest to you.

Container volumes/security context:

          volumeMounts:
            - mountPath: /tmp
              name: scratch
              subPath: tmp
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsGroup: 1000
            runAsNonRoot: true
            runAsUser: 1000
            seccompProfile:
              type: RuntimeDefault

Pod security context:

      securityContext:
        runAsGroup: 65532
        runAsNonRoot: true
        runAsUser: 65532
        seccompProfile:
          type: RuntimeDefault
      volumes:
        - name: scratch
          emptyDir: {}
      enableServiceLinks: false

Lukas Fittl · Answer 1 · Fri Jul 28 2023 10:28:56 GMT+0800 (China Standard Time)

@jawnsy Thanks - those seem useful! Would your idea be to add them to Helm chart?

Jonathan Yu · Answer 2 · Fri Jul 28 2023 10:33:20 GMT+0800 (China Standard Time)

Yup, exactly. Happy to open a pull request!

Lukas Fittl · Answer 3 · Fri Jul 28 2023 10:43:45 GMT+0800 (China Standard Time)

@jawnsy Sounds good!