fix(infra): pin minio/mc tags + add postgres securityContext + harden bootstrap script
All checks were successful
AI Code Review / ai-review (pull_request) Successful in 15s

Address ai-review feedback on PR #17:
- Pin quay.io/minio/minio and mc to specific RELEASE tags (Renovate
  will bump). 'latest' is unpredictable in GitOps.
- Bootstrap script: set -e -> set -euo pipefail.
- Postgres container: runAsNonRoot, uid/gid 999, drop ALL caps,
  no privilege escalation. Matches PSS restricted profile.
Sten
2026-05-28 16:05:48 +02:00
parent 416615a9e0
commit 69848e42f0
2 changed files with 10 additions and 3 deletions


@@ -43,6 +43,13 @@ spec:
containers:
- name: postgresql
image: postgres:16-alpine
securityContext:
runAsNonRoot: true
runAsUser: 999
runAsGroup: 999
allowPrivilegeEscalation: false
capabilities:
drop: [ALL]
ports:
- name: tcp-postgresql
containerPort: 5432
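Review bot: the new securityContext on the postgresql container does not set a seccompProfile, so this hunk alone does not satisfy the PSS restricted profile the commit message claims; restricted requires `seccompProfile: { type: RuntimeDefault }` (or Localhost) at pod or container level, so either add it here or confirm it is already set in the pod-level securityContext outside this hunk. Second, please double-check `runAsUser: 999` / `runAsGroup: 999` against the image: the Debian-based postgres images run the postgres user as uid 999, but the `postgres:16-alpine` image used here creates it as uid 70, and with runAsNonRoot the entrypoint can no longer chown PGDATA, so the volume ownership (e.g. an `fsGroup` matching the chosen gid) has to line up with the uid you pin or initdb will fail to write the data directory.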