Improve security, add emptydir mounts

2025-09-14 08:59:09 +02:00
parent 0ee92c7129
commit f2a61322f7
3 changed files with 60 additions and 26 deletions
--- a/templates/daemonset.yaml
+++ b/templates/daemonset.yaml
@@ -26,51 +26,87 @@ spec:
      {{- end }}
      priorityClassName: {{ .Values.priorityClassName | quote }}
      serviceAccountName: {{ include "duino-miner.serviceAccountName" . }}
-      {{- with .Values.podSecurityContext }}
+
      securityContext:
+        {{- with .Values.podSecurityContext }}
        {{- toYaml . | nindent 8 }}
-      {{- end }}
+        {{- else }}
+        runAsNonRoot: true
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
+        {{- end }}
+
      containers:
        - name: {{ .Chart.Name }}
-          {{- with .Values.securityContext }}
-          securityContext:
-            {{- toYaml . | nindent 12 }}
-          {{- end }}
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
          imagePullPolicy: {{ .Values.image.pullPolicy }}
+
+          securityContext:
+            {{- with .Values.securityContext }}
+            {{- toYaml . | nindent 12 }}
+            {{- else }}
+            runAsNonRoot: true
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: false
+            capabilities:
+              drop:
+                - ALL
+            {{- end }}
+
          env:
            {{- range $key, $value := .Values.env }}
            - name: {{ $key }}
              value: {{ $value | quote }}
            {{- end }}
+            - name: DUCO_DIR
+              value: {{ .Values.ducoDir | quote }}
+
+          volumeMounts:
+            - name: duco-data
+              mountPath: {{ .Values.ducoDir | quote }}
+              readOnly: false
+            - name: tmp
+              mountPath: /tmp
+              readOnly: false
+            {{- with .Values.volumeMounts }}
+            {{- toYaml . | nindent 12 }}
+            {{- end }}
+
          {{- with .Values.livenessProbe }}
          livenessProbe:
            {{- toYaml . | nindent 12 }}
          {{- end }}
+
          {{- with .Values.readinessProbe }}
          readinessProbe:
            {{- toYaml . | nindent 12 }}
          {{- end }}
+
          {{- with .Values.resources }}
          resources:
            {{- toYaml . | nindent 12 }}
          {{- end }}
-          {{- with .Values.volumeMounts }}
-          volumeMounts:
-            {{- toYaml . | nindent 12 }}
-          {{- end }}
-      {{- with .Values.volumes }}
+
      volumes:
+        - name: duco-data
+          emptyDir: {}
+        - name: tmp
+          emptyDir: {}
+        {{- with .Values.volumes }}
        {{- toYaml . | nindent 8 }}
-      {{- end }}
+        {{- end }}
+
      {{- with .Values.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
      {{- end }}
+
      {{- with .Values.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
      {{- end }}
+
      {{- with .Values.tolerations }}
      tolerations:
        {{- toYaml . | nindent 8 }}