Pod security updates and Helm push #219
Conversation
…d do not automount service accounts
Add GitHub publish action
Pod security updates
Changed chart version
Make mime.types able to be overridden. Make temporary volumes more sc…
…into pod_security_updates
…into pod_security_updates
|
|
There was a problem hiding this comment.
Thank you for your contribution!
There are a few great additions here, and I think it would be helpful from a review and commit-history standpoint to separate them into 2 PRs:
- mimetype config change (since this is straightforward and has limited risk)
- security-related features (pod/security context & automountServiceToken additions). This requires a bit more review and testing to ensure we don't break any existing installations.
| @@ -0,0 +1,35 @@ | |||
| # from https://github.com/wkbrd/docker-registry.helm/blob/main/.github/workflows/helm_release.yaml | |||
There was a problem hiding this comment.
Can you revert changes to this file? We'll update it as part of the release process
There was a problem hiding this comment.
Hi @sklarsa : Do you publish your chart to an OCI registry? If not, that is something that this change would enable. Using an OCI registry standardizes how software is deployed and helps improve the tooling around a secure supply chain.
| - name: tmpfs-tmp | ||
| mountPath: /tmp | ||
| - name: tmpfs-questdb-import | ||
| mountPath: /var/lib/questdb/import | ||
| - name: tmpfs-questdb-public | ||
| mountPath: /var/lib/questdb/public |
There was a problem hiding this comment.
These mounts are breaking a simple helm install questdb ./charts/questdb with the following logs:
questdb No arguments found in the configuration, start with default arguments
questdb Running as questdb user
questdb Log configuration loaded using factory defaults.
questdb 2025-10-03T18:34:29.594330Z A server-main QuestDB 9.0.3. Copyright (C) 2014-2025, all rights reserved.
questdb 2025-10-03T18:34:29.684387Z A server-main linux-x86-64 [AVX512,10, 64 bits, 12 processors]
questdb 2025-10-03T18:34:29.684447Z A server-main fs.file-max checked [limit=2147483584]
questdb 2025-10-03T18:34:29.684523Z A server-main vm.max_map_count checked [limit=1048576]
questdb 2025-10-03T18:34:29.688161Z I server-main Web Console is up to date
questdb 2025-10-03T18:34:29.693775Z A server-main Server config: /var/lib/questdb/conf/server.conf
questdb Server configuration file does not exist! /var/lib/questdb/conf/server.conf
I think if we remove readOnlyRootFilesystem in the security context, we can do away with these tmp volumes and mounts. I don't believe that this is an openshift requirement and would prefer to leave this extra security-scoping to the user instead of baking into the default chart.
| - name: tmpfs-tmp | ||
| emptyDir: {} | ||
| - name: tmpfs-questdb-import | ||
| emptyDir: {} | ||
| - name: tmpfs-questdb-public | ||
| emptyDir: {} |
| type: RuntimeDefault | ||
|
|
||
| securityContext: | ||
| readOnlyRootFilesystem: true |
There was a problem hiding this comment.
same as above, let's remove this and let the user add it as necessary
Hi @sklarsa , I am breaking the work into several PRs. Please watch for them. I am leaving this one open for now while the work is being split/migrated.
Further changes are dependent on 222/223/224, and so I will wait to submit further PRs until these are reviewed/resolved. Please reach out with comments/feedback. Thanks! |
|
thanks @wkbrd! I'm going through your changes now. Have you signed the CLA? We will need to do that before merging |
I have not signed it yet. Please proceed to review the PRs though. Thanks much! |
3 participants
This PR contains a few changes we worked. These changes enable the container to run more securely by-default.
Please reach out if you have questions.