Additional security settings for pganalyze collector
jawnsy opened this issue · comments
Jonathan Yu commented
We've been using these settings successfully for quite some time, so I thought I'd contribute these upstream if it's of interest to you.
Container volumes/security context:

```yaml
volumeMounts:
  - mountPath: /tmp
    name: scratch
    subPath: tmp
securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
  readOnlyRootFilesystem: true
  runAsGroup: 1000
  runAsNonRoot: true
  runAsUser: 1000
  seccompProfile:
    type: RuntimeDefault
```
Pod security context:

```yaml
securityContext:
  runAsGroup: 65532
  runAsNonRoot: true
  runAsUser: 65532
  seccompProfile:
    type: RuntimeDefault
volumes:
  - name: scratch
    emptyDir: {}
enableServiceLinks: false
```
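The settings above are easy to get subtly wrong when they are templated into a Helm chart, so here is a small audit script, added as an example for this thread (it is not jawnsy's code and not part of the pganalyze collector or its chart). It encodes each of the posted settings as a check, merges pod- and container-level `securityContext` the way the kubelet does (for `runAsUser`, `runAsGroup`, `runAsNonRoot` and `seccompProfile` a container-level value overrides the pod-level one, which is why the posted container ends up running as UID 1000 rather than 65532), and also verifies that a read-only root filesystem comes with a writable `/tmp` mount. The two pod specs, the container name and the image reference in the script are constructed for illustration and are assumptions, not values taken from the chart.

```python
"""Audit a Kubernetes pod spec for the hardening settings posted in this issue.

Added example, not part of the pganalyze collector or its Helm chart. The two
sample pod specs below are constructed for illustration; the container name
and image reference are assumptions.
"""
from __future__ import annotations

from typing import Any

# securityContext fields that exist at both pod and container level. Kubernetes
# applies the container-level value when both are set; the other container-only
# fields (capabilities, allowPrivilegeEscalation, readOnlyRootFilesystem) have
# no pod-level equivalent.
SHARED_FIELDS = ("runAsUser", "runAsGroup", "runAsNonRoot", "seccompProfile")


def effective_security_context(pod_spec: dict[str, Any], container: dict[str, Any]) -> dict[str, Any]:
    """Return the securityContext the kubelet actually applies to one container."""
    pod_sc = pod_spec.get("securityContext") or {}
    merged = {k: v for k, v in pod_sc.items() if k in SHARED_FIELDS}
    merged.update(container.get("securityContext") or {})
    return merged


def audit_pod_spec(pod_spec: dict[str, Any]) -> list[str]:
    """Return one finding per missing hardening setting; an empty list means hardened."""
    findings: list[str] = []
    # Service links inject every Service in the namespace into the environment;
    # the collector does not need them and they expose cluster layout to the process.
    if pod_spec.get("enableServiceLinks", True):
        findings.append("pod: enableServiceLinks should be false")
    for c in pod_spec.get("containers", []):
        name = c.get("name", "<unnamed>")
        sc = effective_security_context(pod_spec, c)
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation must be false")
        if "ALL" not in ((sc.get("capabilities") or {}).get("drop") or []):
            findings.append(f"{name}: capabilities.drop must include ALL")
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: readOnlyRootFilesystem must be true")
        if sc.get("runAsNonRoot") is not True:
            findings.append(f"{name}: runAsNonRoot must be true")
        if sc.get("runAsUser") == 0:
            findings.append(f"{name}: runAsUser 0 contradicts runAsNonRoot")
        if (sc.get("seccompProfile") or {}).get("type") != "RuntimeDefault":
            findings.append(f"{name}: seccompProfile.type must be RuntimeDefault")
        # A read-only root filesystem needs a writable scratch path for /tmp,
        # which the posted settings provide via an emptyDir mounted at /tmp.
        mounts = [m.get("mountPath") for m in c.get("volumeMounts") or []]
        if sc.get("readOnlyRootFilesystem") is True and "/tmp" not in mounts:
            findings.append(f"{name}: readOnlyRootFilesystem is set but /tmp is not a writable mount")
    return findings


# Constructed sample: a collector pod with no hardening at all.
WEAK_SPEC: dict[str, Any] = {
    "containers": [
        {"name": "pganalyze-collector",          # assumed container name
         "image": "quay.io/pganalyze/collector"}  # assumed image reference
    ],
}

# Constructed sample: the settings posted in the issue, assembled into one pod spec.
HARDENED_SPEC: dict[str, Any] = {
    "enableServiceLinks": False,
    "securityContext": {
        "runAsGroup": 65532, "runAsNonRoot": True, "runAsUser": 65532,
        "seccompProfile": {"type": "RuntimeDefault"},
    },
    "volumes": [{"name": "scratch", "emptyDir": {}}],
    "containers": [{
        "name": "pganalyze-collector",
        "image": "quay.io/pganalyze/collector",
        "volumeMounts": [{"mountPath": "/tmp", "name": "scratch", "subPath": "tmp"}],
        "securityContext": {
            "allowPrivilegeEscalation": False,
            "capabilities": {"drop": ["ALL"]},
            "readOnlyRootFilesystem": True,
            "runAsGroup": 1000, "runAsNonRoot": True, "runAsUser": 1000,
            "seccompProfile": {"type": "RuntimeDefault"},
        },
    }],
}

if __name__ == "__main__":
    for label, spec in (("weak", WEAK_SPEC), ("hardened", HARDENED_SPEC)):
        print(f"{label}: {audit_pod_spec(spec) or ['ok']}")
    container = HARDENED_SPEC["containers"][0]
    print("effective runAsUser:", effective_security_context(HARDENED_SPEC, container)["runAsUser"])
```

Run it against a rendered chart (`helm template ... | yq` to extract `spec.template.spec`, then feed that dict in) before opening the pull request; the weak sample produces six findings, the hardened one none, and the effective UID printed is 1000 because the container-level `runAsUser` wins over the pod-level 65532.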
Lukas Fittl commented
@jawnsy Thanks - those seem useful! Would your idea be to add them to Helm chart?
Jonathan Yu commented
Yup, exactly. Happy to open a pull request!
Lukas Fittl commented
@jawnsy Sounds good!