feat(infra): forte-drop in-cluster postgres + nightly backup (prod) #17
@@ -43,13 +43,10 @@ spec:
containers:
- name: postgresql
image: postgres:16-alpine
jorgen.stensrud marked this conversation as resolved
gitea_admin
commented
Container image should use a pinned digest or exact tag instead of 'postgres:16-alpine' for better security and reproducibility.
```suggestion
image: postgres:16.1-alpine
```
#ai-review-inline
securityContext:
runAsNonRoot: true
runAsUser: 999
runAsGroup: 999
allowPrivilegeEscalation: false
capabilities:
drop: [ALL]
# NOTE: no securityContext. The official postgres image's entrypoint must
# start as root to chown a fresh /var/lib/postgresql/data, then drops to
# the postgres user (uid 70 in alpine) via gosu. Forcing runAsNonRoot here
# breaks initdb on a fresh PVC. Matches the vaultwarden-postgresql pattern.
ports:
- name: tcp-postgresql
containerPort: 5432
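Review bot: the securityContext block (`runAsNonRoot: true`, `runAsUser: 999`, `allowPrivilegeEscalation: false`, `drop: [ALL]`) and the NOTE stating there is no securityContext cannot both describe the new file; the hunk header (-43,13 +43,10, i.e. a 7-line block giving way to a 4-line comment around six unchanged context lines) reads as the block being removed and the NOTE added, but this rendering has lost the +/- markers, so confirm that before merging. If that reading is right, the fix addresses the wrong cause. The removed block pinned uid/gid 999, which is the postgres uid of the Debian-based image, while the NOTE itself says the alpine image's postgres user is uid 70; initdb failed because uid 999 could not write a root-owned PVC mount, not because runAsNonRoot is incompatible with the image. The official entrypoint only chowns the data directory and execs through gosu when it is already root; started as the postgres uid with a writable data directory it runs initdb directly. Dropping securityContext altogether leaves the container starting as root with the runtime's default capability set and with allowPrivilegeEscalation unset, which the restricted Pod Security Standard will reject. Suggested change: keep the block, set `runAsUser: 70` and `runAsGroup: 70` to match the alpine uid, and add pod-level `fsGroup: 70` (with `fsGroupChangePolicy: OnRootMismatch` to avoid a recursive chown on every restart) so the kubelet makes the volume group-writable; pointing PGDATA at a subdirectory of the mount also keeps initdb from refusing a non-empty mount root such as lost+found. The NOTE's last sentence then needs updating, and the vaultwarden-postgresql manifest it copies deserves the same fix. Separately, on the image line, `postgres:16.1-alpine` is still a mutable tag; pin by `@sha256:` digest if reproducibility is the goal.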
Container is missing securityContext which should be set for security best practices.
#ai-review-inline