Skip to content

fix(k8s): harden securityContext on static manifests (KSV-0014/KSV-0118)#67

Open
PenguinzTech wants to merge 1 commit into
release/v0.1.xfrom
fix/k8s-securitycontext
Open

fix(k8s): harden securityContext on static manifests (KSV-0014/KSV-0118)#67
PenguinzTech wants to merge 1 commit into
release/v0.1.xfrom
fix/k8s-securitycontext

Conversation

@PenguinzTech

@PenguinzTech PenguinzTech commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Sets readOnlyRootFilesystem: true, drops ALL capabilities, adds seccompProfile RuntimeDefault (pod + container level) + writable /tmp emptyDir on flask-backend, go-backend, webui deployments in both kustomize/base and k8s/manifests. Helm charts were already compliant. Closes trivy KSV-0014 + KSV-0118 HIGH findings.

🤖 Generated with Claude Code

Summary by Sourcery

Harden Kubernetes security settings for backend and web UI deployments in static manifests to align with recommended defaults and resolve security findings.

Enhancements:

  • Configure pod-level securityContext for flask-backend, go-backend, and webui deployments to run as non-root with a dedicated user and RuntimeDefault seccomp profile.
  • Tighten container-level securityContext by enabling read-only root filesystems, dropping all Linux capabilities, and applying RuntimeDefault seccomp profiles.
  • Add writable /tmp emptyDir volumes and mounts to deployments that require temporary filesystem access in both kustomize base and raw k8s manifests.

…tatic manifests (trivy KSV-0014/KSV-0118)

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@sourcery-ai

sourcery-ai Bot commented Jul 14, 2026

Copy link
Copy Markdown

Reviewer's Guide

This PR hardens the Kubernetes security context for the flask-backend, go-backend, and webui deployments in both kustomize/base and k8s/manifests by enforcing non-root execution, RuntimeDefault seccomp, read-only root filesystems, dropping all capabilities, and providing a writable /tmp via emptyDir.

File-Level Changes

Change Details Files
Harden pod-level security context for all backend and webui deployments.
  • Add pod-level securityContext with runAsNonRoot: true and runAsUser: 1000
  • Configure pod-level seccompProfile type: RuntimeDefault
k8s/kustomize/base/flask-backend/deployment.yaml
k8s/kustomize/base/go-backend/deployment.yaml
k8s/kustomize/base/webui/deployment.yaml
k8s/manifests/flask-backend/deployment.yaml
k8s/manifests/go-backend/deployment.yaml
k8s/manifests/webui/deployment.yaml
Strengthen container-level security settings to comply with Trivy KSV-0014 and KSV-0118.
  • Set readOnlyRootFilesystem: true on containers
  • Ensure allowPrivilegeEscalation: false is retained
  • Drop all Linux capabilities via capabilities: drop: [ALL]
  • Configure container-level seccompProfile type: RuntimeDefault
k8s/kustomize/base/flask-backend/deployment.yaml
k8s/kustomize/base/go-backend/deployment.yaml
k8s/kustomize/base/webui/deployment.yaml
k8s/manifests/flask-backend/deployment.yaml
k8s/manifests/go-backend/deployment.yaml
k8s/manifests/webui/deployment.yaml
Provide writable /tmp storage for applications while keeping root filesystem read-only.
  • Add /tmp volumeMount on containers using a named tmp volume
  • Define a pod-level tmp volume backed by emptyDir: {}
k8s/kustomize/base/flask-backend/deployment.yaml
k8s/kustomize/base/go-backend/deployment.yaml
k8s/kustomize/base/webui/deployment.yaml
k8s/manifests/flask-backend/deployment.yaml
k8s/manifests/go-backend/deployment.yaml
k8s/manifests/webui/deployment.yaml

Tips and commands

Interacting with Sourcery

  • Trigger a new review: Comment @sourcery-ai review on the pull request.
  • Continue discussions: Reply directly to Sourcery's review comments.
  • Generate a GitHub issue from a review comment: Ask Sourcery to create an
    issue from a review comment by replying to it. You can also reply to a
    review comment with @sourcery-ai issue to create an issue from it.
  • Generate a pull request title: Write @sourcery-ai anywhere in the pull
    request title to generate a title at any time. You can also comment
    @sourcery-ai title on the pull request to (re-)generate the title at any time.
  • Generate a pull request summary: Write @sourcery-ai summary anywhere in
    the pull request body to generate a PR summary at any time exactly where you
    want it. You can also comment @sourcery-ai summary on the pull request to
    (re-)generate the summary at any time.
  • Generate reviewer's guide: Comment @sourcery-ai guide on the pull
    request to (re-)generate the reviewer's guide at any time.
  • Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
    pull request to resolve all Sourcery comments. Useful if you've already
    addressed all the comments and don't want to see them anymore.
  • Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
    request to dismiss all existing Sourcery reviews. Especially useful if you
    want to start fresh with a new review - don't forget to comment
    @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

  • Enable or disable review features such as the Sourcery-generated pull request
    summary, the reviewer's guide, and others.
  • Change the review language.
  • Add, remove or edit custom review instructions.
  • Adjust other review settings.

Getting Help

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey - I've found 1 issue

Prompt for AI Agents
Please address the comments from this code review:

## Individual Comments

### Comment 1
<location path="k8s/kustomize/base/flask-backend/deployment.yaml" line_range="141-148" />
<code_context>
           runAsUser: 1000
           allowPrivilegeEscalation: false
-          readOnlyRootFilesystem: false
+          readOnlyRootFilesystem: true
+          capabilities:
+            drop: [ALL]
+          seccompProfile:
+            type: RuntimeDefault
+        volumeMounts:
+        - name: tmp
+          mountPath: /tmp
+      volumes:
+      - name: tmp
</code_context>
<issue_to_address>
**question (bug_risk):** Double-check all write paths given the new readOnlyRootFilesystem + single /tmp mount setup.

With `readOnlyRootFilesystem: true`, only mounted volumes are writable, and this pod currently exposes just `/tmp` via `emptyDir`. If the Flask app or any sidecar writes to other locations (e.g. `/var/tmp`, home directories, or root‑FS log paths), this will now fail at runtime. Please verify that all expected write locations are covered, or add additional writable mounts as needed.
</issue_to_address>

Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

Comment on lines +141 to +148
readOnlyRootFilesystem: true
capabilities:
drop: [ALL]
seccompProfile:
type: RuntimeDefault
volumeMounts:
- name: tmp
mountPath: /tmp

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

question (bug_risk): Double-check all write paths given the new readOnlyRootFilesystem + single /tmp mount setup.

With readOnlyRootFilesystem: true, only mounted volumes are writable, and this pod currently exposes just /tmp via emptyDir. If the Flask app or any sidecar writes to other locations (e.g. /var/tmp, home directories, or root‑FS log paths), this will now fail at runtime. Please verify that all expected write locations are covered, or add additional writable mounts as needed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant