Harden deployment probes/fsGroup and align README runtime config

2026-03-07 22:18:51 +11:00
parent 9c4339f22d
commit 2b08720009
2 changed files with 24 additions and 4 deletions
--- a/README.md
+++ b/README.md
@@ -36,14 +36,14 @@ This container provides a stable, tool-rich environment for the AI agent to:
     - name: clawdbox
       image: clawdbox:latest
       ports:
-       - containerPort: 22
+       - containerPort: 2222
       volumeMounts:
       - mountPath: /data
         name: claw-data
     volumes:
     - name: claw-data
       persistentVolumeClaim:
-         claimName: claw-pvc
+         claimName: clawdbox-pvc
   ```

 ## Access
--- a/manifests/deployment.yaml
+++ b/manifests/deployment.yaml
@@ -18,6 +18,8 @@ spec:
        app: clawdbox
    spec:
      serviceAccountName: clawd-sa
+      securityContext:
+        fsGroup: 1000
      initContainers:
        - name: setup-ssh
          image: docker.io/alpine:latest
@@ -60,6 +62,25 @@ spec:
          ports:
            - containerPort: 2222
              name: ssh
+          startupProbe:
+            tcpSocket:
+              port: ssh
+            failureThreshold: 30
+            periodSeconds: 5
+          readinessProbe:
+            tcpSocket:
+              port: ssh
+            initialDelaySeconds: 5
+            periodSeconds: 10
+            timeoutSeconds: 2
+            failureThreshold: 3
+          livenessProbe:
+            tcpSocket:
+              port: ssh
+            initialDelaySeconds: 15
+            periodSeconds: 20
+            timeoutSeconds: 2
+            failureThreshold: 3
          volumeMounts:
            - mountPath: /data
              name: data-volume
@@ -77,7 +98,6 @@ spec:
          securityContext:
            runAsUser: 1000
            runAsGroup: 1000
-            fsGroup: 1000
            allowPrivilegeEscalation: true
            capabilities:
              add: ["CAP_AUDIT_WRITE"]