fix(k8s): harden securityContext on static manifests (KSV-0014/KSV-0118)#67
fix(k8s): harden securityContext on static manifests (KSV-0014/KSV-0118)#67PenguinzTech wants to merge 1 commit into
Conversation
…tatic manifests (trivy KSV-0014/KSV-0118) Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Reviewer's GuideThis PR hardens the Kubernetes security context for the flask-backend, go-backend, and webui deployments in both kustomize/base and k8s/manifests by enforcing non-root execution, RuntimeDefault seccomp, read-only root filesystems, dropping all capabilities, and providing a writable /tmp via emptyDir. File-Level Changes
Tips and commandsInteracting with Sourcery
Customizing Your ExperienceAccess your dashboard to:
Getting Help
|
There was a problem hiding this comment.
Hey - I've found 1 issue
Prompt for AI Agents
Please address the comments from this code review:
## Individual Comments
### Comment 1
<location path="k8s/kustomize/base/flask-backend/deployment.yaml" line_range="141-148" />
<code_context>
runAsUser: 1000
allowPrivilegeEscalation: false
- readOnlyRootFilesystem: false
+ readOnlyRootFilesystem: true
+ capabilities:
+ drop: [ALL]
+ seccompProfile:
+ type: RuntimeDefault
+ volumeMounts:
+ - name: tmp
+ mountPath: /tmp
+ volumes:
+ - name: tmp
</code_context>
<issue_to_address>
**question (bug_risk):** Double-check all write paths given the new readOnlyRootFilesystem + single /tmp mount setup.
With `readOnlyRootFilesystem: true`, only mounted volumes are writable, and this pod currently exposes just `/tmp` via `emptyDir`. If the Flask app or any sidecar writes to other locations (e.g. `/var/tmp`, home directories, or root‑FS log paths), this will now fail at runtime. Please verify that all expected write locations are covered, or add additional writable mounts as needed.
</issue_to_address>Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.
| readOnlyRootFilesystem: true | ||
| capabilities: | ||
| drop: [ALL] | ||
| seccompProfile: | ||
| type: RuntimeDefault | ||
| volumeMounts: | ||
| - name: tmp | ||
| mountPath: /tmp |
There was a problem hiding this comment.
question (bug_risk): Double-check all write paths given the new readOnlyRootFilesystem + single /tmp mount setup.
With readOnlyRootFilesystem: true, only mounted volumes are writable, and this pod currently exposes just /tmp via emptyDir. If the Flask app or any sidecar writes to other locations (e.g. /var/tmp, home directories, or root‑FS log paths), this will now fail at runtime. Please verify that all expected write locations are covered, or add additional writable mounts as needed.
Sets readOnlyRootFilesystem: true, drops ALL capabilities, adds seccompProfile RuntimeDefault (pod + container level) + writable /tmp emptyDir on flask-backend, go-backend, webui deployments in both kustomize/base and k8s/manifests. Helm charts were already compliant. Closes trivy KSV-0014 + KSV-0118 HIGH findings.
🤖 Generated with Claude Code
Summary by Sourcery
Harden Kubernetes security settings for backend and web UI deployments in static manifests to align with recommended defaults and resolve security findings.
Enhancements: