From 900f8f23aa78829d0b5c6c1abc9a7c87687dfeeb Mon Sep 17 00:00:00 2001
From: Conan Scott
Date: Sat, 7 Mar 2026 22:18:51 +1100
Subject: [PATCH] Harden deployment probes/fsGroup and align README runtime config
---
 README.md | 6 +++---
 manifests/deployment.yaml | 22 +++++++++++++++++++++-
 2 files changed, 24 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index d869203..efc3f2d 100644
--- a/README.md
+++ b/README.md
@@ -36,15 +36,15 @@ This container provides a stable, tool-rich environment for the AI agent to:
 - name: clawdbox
 image: clawdbox:latest
 ports:
- - containerPort: 22
+ - containerPort: 2222
 volumeMounts:
 - mountPath: /data
 name: claw-data
 volumes:
 - name: claw-data
 persistentVolumeClaim:
- claimName: claw-pvc
+ claimName: clawdbox-pvc
 ```
 
 ## Access
-Connect via SSH using the `claw` user (passwordless sudo enabled).
\ No newline at end of file
+Connect via SSH using the `claw` user (passwordless sudo enabled).
diff --git a/manifests/deployment.yaml b/manifests/deployment.yaml
index 7a9107a..caaf332 100644
--- a/manifests/deployment.yaml
+++ b/manifests/deployment.yaml
@@ -18,6 +18,8 @@ spec:
 app: clawdbox
 spec:
 serviceAccountName: clawd-sa
+ securityContext:
+ fsGroup: 1000
 initContainers:
 - name: setup-ssh
 image: docker.io/alpine:latest
@@ -60,6 +62,25 @@ spec:
 ports:
 - containerPort: 2222
 name: ssh
+ startupProbe:
+ tcpSocket:
+ port: ssh
+ failureThreshold: 30
+ periodSeconds: 5
+ readinessProbe:
+ tcpSocket:
+ port: ssh
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ timeoutSeconds: 2
+ failureThreshold: 3
+ livenessProbe:
+ tcpSocket:
+ port: ssh
+ initialDelaySeconds: 15
+ periodSeconds: 20
+ timeoutSeconds: 2
+ failureThreshold: 3
 volumeMounts:
 - mountPath: /data
 name: data-volume
@@ -77,7 +98,6 @@ spec:
 securityContext:
 runAsUser: 1000
 runAsGroup: 1000
- fsGroup: 1000
 allowPrivilegeEscalation: true
 capabilities:
 add: ["CAP_AUDIT_WRITE"]
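Review bot: The pod-level `securityContext` added here carries only `fsGroup: 1000`, so the `setup-ssh` init container two lines below (`docker.io/alpine:latest`) inherits no `runAsUser`/`runAsNonRoot` and, unless something outside this hunk sets it, runs as root, while only the main container's own `securityContext` in the later hunk pins `runAsUser: 1000`. If the init step does not need root to prepare `/data`, add `runAsNonRoot: true` and `runAsUser: 1000` beside `fsGroup` so every container in the pod gets them; if it does need root to chown, say so in a comment above `initContainers`. The container-level context left in place by the last hunk still sets `allowPrivilegeEscalation: true` — presumably required for the passwordless `sudo` the README documents — and deserves a one-line comment given the commit is titled "Harden". The pod spec continues outside the hunk.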
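Review bot: All three probes open a bare TCP connection to `port: ssh` and close it, which OpenSSH logs as a pre-auth disconnect ("Did not receive identification string from …") every 10 s for readiness and every 20 s for liveness, so the container's auth log fills with probe noise that buries real connection attempts and can trip log-based brute-force detection. Consider dropping `readinessProbe` (an SSH workload gains little from readiness once `startupProbe` has passed), lengthening `periodSeconds` on `livenessProbe`, or at least documenting the noise with a comment above `startupProbe` such as `# TCP probes appear in sshd logs as pre-auth disconnects from the kubelet; exclude them from log alerting`. The `initialDelaySeconds` on readiness and liveness is redundant once `startupProbe` gates them, and a liveness-triggered restart will terminate any active agent session — acceptable if intended, but worth a comment. The container definition continues outside the hunk.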