feat(infra): forte-drop in-cluster postgres + nightly backup (prod) #17
@@ -43,13 +43,10 @@ spec:
containers:
containers:
- name: postgresql
- name: postgresql
image: postgres:16-alpine
image: postgres:16-alpine
gitea_admin
commented
Container image should use a pinned digest or exact tag instead of 'postgres:16-alpine' for better security and reproducibility. #ai-review-inline Container image should use a pinned digest or exact tag instead of 'postgres:16-alpine' for better security and reproducibility.
```suggestion
image: postgres:16.1-alpine
```
#ai-review-inline
securityContext:
# NOTE: no securityContext. The official postgres image's entrypoint must
runAsNonRoot: true
# start as root to chown a fresh /var/lib/postgresql/data, then drops to
runAsUser: 999
# the postgres user (uid 70 in alpine) via gosu. Forcing runAsNonRoot here
runAsGroup: 999
# breaks initdb on a fresh PVC. Matches the vaultwarden-postgresql pattern.
allowPrivilegeEscalation: false
capabilities:
drop: [ALL]
ports:
ports:
- name: tcp-postgresql
- name: tcp-postgresql
containerPort: 5432
containerPort: 5432
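Review bot: Deleting the whole securityContext block is broader than the initdb problem described in the new NOTE requires: only `runAsNonRoot: true` and `runAsUser` conflict with an entrypoint that must start as root and then drop to the postgres user, whereas `allowPrivilegeEscalation: false` merely sets no_new_privs, which does not stop a root process from calling setuid/setgid to drop to uid 70, so it and `capabilities.drop: [ALL]` can stay provided the capabilities the chown-then-gosu step needs are added back. Based on the behaviour the NOTE describes, that set appears to be CHOWN, SETUID and SETGID; whether the ownership of a freshly provisioned PVC root also calls for DAC_OVERRIDE or FOWNER should be confirmed by starting the pod against a fresh volume before merging. If the deployment can instead avoid the root step altogether — pod-level `fsGroup: 70` plus `PGDATA` pointed at a subdirectory of the mount so initdb creates a 0700 directory owned by the running user — the removed securityContext could be kept with 70 in place of 999, which looks like the Debian image's postgres uid and would not have matched the alpine image named here in any case. Either way the NOTE should record which of these was tried and rejected, not only that runAsNonRoot breaks initdb.
```yaml
        image: postgres:16-alpine
        # The entrypoint starts as root only to chown a fresh PVC, then drops to
        # uid 70 via gosu. no_new_privs does not block that drop, so keep the
        # hardening that is compatible with it; only runAsNonRoot/runAsUser go.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop: [ALL]
            # minimal set for the chown + gosu step — confirm on a fresh PVC;
            # add DAC_OVERRIDE/FOWNER only if that test shows they are needed
            add: [CHOWN, SETUID, SETGID]
        ports:
```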
Container is missing securityContext which should be set for security best practices.
#ai-review-inline