From f2a61322f74e8983ec3e107cdcb0e25cf8ae1ef3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tomislav=20Kopi=C4=87?=
Date: Sun, 14 Sep 2025 08:59:09 +0200
Subject: [PATCH] Improve security, add emptydir mounts
---
 Chart.yaml | 4 +--
 templates/daemonset.yaml | 60 ++++++++++++++++++++++++++++++++--------
 values.yaml | 22 +++++++--------
 3 files changed, 60 insertions(+), 26 deletions(-)
diff --git a/Chart.yaml b/Chart.yaml
index 3041a20..0a707a4 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -15,10 +15,10 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.0 +version: 0.1.1 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. # It is recommended to use it with quotes. -appVersion: "1.16.0" +appVersion: "4.3"
diff --git a/templates/daemonset.yaml b/templates/daemonset.yaml
index 63619fc..4ab7dc9 100644
--- a/templates/daemonset.yaml
+++ b/templates/daemonset.yaml
@@ -26,51 +26,87 @@ spec: {{- end }} priorityClassName: {{ .Values.priorityClassName | quote }} serviceAccountName: {{ include "duino-miner.serviceAccountName" . }} - {{- with .Values.podSecurityContext }} + securityContext: + {{- with .Values.podSecurityContext }} {{- toYaml . | nindent 8 }} - {{- end }} + {{- else }} + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + {{- end }} + containers: - name: {{ .Chart.Name }} - {{- with .Values.securityContext }} - securityContext: - {{- toYaml . | nindent 12 }} - {{- end }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} + + securityContext: + {{- with .Values.securityContext }} + {{- toYaml . | nindent 12 }} + {{- else }} + runAsNonRoot: true + allowPrivilegeEscalation: false + readOnlyRootFilesystem: false + capabilities: + drop: + - ALL + {{- end }} + env: {{- range $key, $value := .Values.env }} - name: {{ $key }} value: {{ $value | quote }} {{- end }} + - name: DUCO_DIR + value: {{ .Values.ducoDir | quote }} + + volumeMounts: + - name: duco-data + mountPath: {{ .Values.ducoDir | quote }} + readOnly: false + - name: tmp + mountPath: /tmp + readOnly: false + {{- with .Values.volumeMounts }} + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.livenessProbe }} livenessProbe: {{- toYaml . | nindent 12 }} {{- end }} + {{- with .Values.readinessProbe }} readinessProbe: {{- toYaml . | nindent 12 }} {{- end }} + {{- with .Values.resources }} resources: {{- toYaml . | nindent 12 }} {{- end }} - {{- with .Values.volumeMounts }} - volumeMounts: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- with .Values.volumes }} + volumes: + - name: duco-data + emptyDir: {} + - name: tmp + emptyDir: {} + {{- with .Values.volumes }} {{- toYaml . | nindent 8 }} - {{- end }} + {{- end }} + {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . 
| nindent 8 }} {{- end }} + {{- with .Values.affinity }} affinity: {{- toYaml . | nindent 8 }} {{- end }} + {{- with .Values.tolerations }} tolerations: {{- toYaml . | nindent 8 }}
diff --git a/values.yaml b/values.yaml
index 1d302a9..03405b6 100644
--- a/values.yaml
+++ b/values.yaml
@@ -5,6 +5,13 @@ image: tag: "latest" # Image tag; if empty, defaults to Chart appVersion imagePullSecrets: [] # Optional secrets for private registries +# Optional overrides for chart naming +nameOverride: "" +fullnameOverride: "" + +# Node selection and scheduling, deploys to all nodes by default +nodeSelector: {} + # Resource requests and limits for the miner container resources: limits:
@@ -19,7 +26,6 @@ priorityClassName: "duino-miner-lowest" # Environment variables for the Duino-Coin miner env: - DUCO_DIR: "/duino-coin/Duino-Coin PC Miner 4.3" # Directory where the miner config lives DUCO_USERNAME: "your_actual_username" # Your Duino-Coin wallet or username DUCO_MINING_KEY: "your_actual_mining_key" # Mining key DUCO_INTENSITY: "95" # Mining intensity (0–100)
@@ -34,9 +40,8 @@ env: DUCO_RASPI_CPU_IOT: "n" # Raspberry Pi CPU I/O tuning DUCO_DISCORD_RP: "n" # Discord Rich Presence -# Optional overrides for chart naming -nameOverride: "" -fullnameOverride: "" +# Directory where miner config is located is mounted as an EmptyDir +ducoDir: "/duino-coin/Duino-Coin PC Miner 4.3" # Service account settings serviceAccount:
@@ -72,11 +77,4 @@ readinessProbe: # Same check as liveness: ensures a Python process is running before marking the pod ready - "pidof python > /dev/null" initialDelaySeconds: 10 # Wait 10 seconds before first check to allow container startup - periodSeconds: 30 # Check every 30 seconds - -# Volumes and mounts (if needed) -volumes: [] # Define extra volumes here -volumeMounts: [] # Define mounts inside the container here - -# Node selection and scheduling -nodeSelector: {} + periodSeconds: 30 # Check every 30 seconds
\ No newline at end of file
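Review bot: The new default container securityContext sets `readOnlyRootFilesystem: false`, yet the same hunk adds emptyDir mounts for the miner directory (`DUCO_DIR`) and `/tmp`, which is exactly what makes a read-only root filesystem workable; unless the miner is known to write outside those two paths, the default should be `readOnlyRootFilesystem: true` (confirm against the image before flipping it). The pod-level default block (`runAsNonRoot`, `runAsUser`, `runAsGroup`, `fsGroup`) has no seccomp profile, so the pod does not meet the Restricted Pod Security Standard; add `seccompProfile:` / `type: RuntimeDefault` under the `else` branch. Both `with … else` blocks make overrides all-or-nothing: a user who sets a single key in `.Values.securityContext` (say `runAsUser`) silently loses `allowPrivilegeEscalation: false` and `capabilities.drop: [ALL]`, so either merge the user map over the defaults or document it in values.yaml, e.g. `# securityContext: any value set here replaces the chart's hardened defaults entirely`. The enclosing pod spec starts before the hunk.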
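Review bot: The last hunk deletes `volumes: []` and `volumeMounts: []` together with their comments, while templates/daemonset.yaml still reads `.Values.volumes` and `.Values.volumeMounts` (the `with` guards keep rendering working), so the extension points stop being discoverable from values.yaml; keep both keys, e.g. `volumes: [] # Extra volumes, appended after the chart's emptyDirs` and `volumeMounts: [] # Extra mounts, appended after duco-data and /tmp`. The same hunk leaves the new file without a trailing newline (`\ No newline at end of file`); add one. If `podSecurityContext` and `securityContext` are not declared elsewhere in values.yaml (not visible here), a commented placeholder for each would make the override-replaces-defaults behaviour of the template visible to users.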