Harden deployment probes/fsGroup and align README runtime config
@@ -18,6 +18,8 @@ spec:
|
||||
app: clawdbox
|
||||
spec:
|
||||
serviceAccountName: clawd-sa
|
||||
securityContext:
|
||||
fsGroup: 1000
|
||||
initContainers:
|
||||
- name: setup-ssh
|
||||
image: docker.io/alpine:latest
|
||||
@@ -60,6 +62,25 @@ spec:
|
||||
ports:
|
||||
- containerPort: 2222
|
||||
name: ssh
|
||||
startupProbe:
|
||||
tcpSocket:
|
||||
port: ssh
|
||||
failureThreshold: 30
|
||||
periodSeconds: 5
|
||||
readinessProbe:
|
||||
tcpSocket:
|
||||
port: ssh
|
||||
initialDelaySeconds: 5
|
||||
periodSeconds: 10
|
||||
timeoutSeconds: 2
|
||||
failureThreshold: 3
|
||||
livenessProbe:
|
||||
tcpSocket:
|
||||
port: ssh
|
||||
initialDelaySeconds: 15
|
||||
periodSeconds: 20
|
||||
timeoutSeconds: 2
|
||||
failureThreshold: 3
|
||||
volumeMounts:
|
||||
- mountPath: /data
|
||||
name: data-volume
|
||||
@@ -77,7 +98,6 @@ spec:
|
||||
securityContext:
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
fsGroup: 1000
|
||||
allowPrivilegeEscalation: true
|
||||
capabilities:
|
||||
add: ["CAP_AUDIT_WRITE"]
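Review bot: The container-level securityContext in the last hunk (`@@ -77,7 +98,6`) still sets `allowPrivilegeEscalation: true`, which lets setuid or file-capability binaries in the container gain more privilege than UID 1000 starts with, and that sits oddly in a commit described as hardening. If nothing in the image depends on such binaries, set `allowPrivilegeEscalation: false` and add `drop: ["ALL"]` under `capabilities` so that only the audit capability is granted; if it is required, a short comment saying why would help the next reviewer. The Kubernetes documentation lists capability names without the `CAP_` prefix, so `add: ["CAP_AUDIT_WRITE"]` may be rejected or ignored depending on the runtime, and `add: ["AUDIT_WRITE"]` is the documented form. The +/- markers are not visible on this page; judging by the hunk counts, this hunk only drops the container-level `fsGroup`, and the securityContext block starts outside the hunk.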
|
||||
|
||||