Improve security, add emptydir mounts

2025-09-14 08:59:09 +02:00
parent 0ee92c7129
commit f2a61322f7
3 changed files with 60 additions and 26 deletions
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -15,10 +15,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.0
+version: 0.1.1

 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.16.0"
+appVersion: "4.3"
--- a/templates/daemonset.yaml
+++ b/templates/daemonset.yaml
@@ -26,51 +26,87 @@ spec:
      {{- end }}
      priorityClassName: {{ .Values.priorityClassName | quote }}
      serviceAccountName: {{ include "duino-miner.serviceAccountName" . }}
-      {{- with .Values.podSecurityContext }}
+
      securityContext:
+        {{- with .Values.podSecurityContext }}
        {{- toYaml . | nindent 8 }}
-      {{- end }}
+        {{- else }}
+        runAsNonRoot: true
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
+        {{- end }}
+
      containers:
        - name: {{ .Chart.Name }}
-          {{- with .Values.securityContext }}
-          securityContext:
-            {{- toYaml . | nindent 12 }}
-          {{- end }}
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
          imagePullPolicy: {{ .Values.image.pullPolicy }}
+
+          securityContext:
+            {{- with .Values.securityContext }}
+            {{- toYaml . | nindent 12 }}
+            {{- else }}
+            runAsNonRoot: true
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: false
+            capabilities:
+              drop:
+                - ALL
+            {{- end }}
+
          env:
            {{- range $key, $value := .Values.env }}
            - name: {{ $key }}
              value: {{ $value | quote }}
            {{- end }}
+            - name: DUCO_DIR
+              value: {{ .Values.ducoDir | quote }}
+
+          volumeMounts:
+            - name: duco-data
+              mountPath: {{ .Values.ducoDir | quote }}
+              readOnly: false
+            - name: tmp
+              mountPath: /tmp
+              readOnly: false
+            {{- with .Values.volumeMounts }}
+            {{- toYaml . | nindent 12 }}
+            {{- end }}
+
          {{- with .Values.livenessProbe }}
          livenessProbe:
            {{- toYaml . | nindent 12 }}
          {{- end }}
+
          {{- with .Values.readinessProbe }}
          readinessProbe:
            {{- toYaml . | nindent 12 }}
          {{- end }}
+
          {{- with .Values.resources }}
          resources:
            {{- toYaml . | nindent 12 }}
          {{- end }}
-          {{- with .Values.volumeMounts }}
-          volumeMounts:
-            {{- toYaml . | nindent 12 }}
-          {{- end }}
-      {{- with .Values.volumes }}
+
      volumes:
+        - name: duco-data
+          emptyDir: {}
+        - name: tmp
+          emptyDir: {}
+        {{- with .Values.volumes }}
        {{- toYaml . | nindent 8 }}
-      {{- end }}
+        {{- end }}
+
      {{- with .Values.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
      {{- end }}
+
      {{- with .Values.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
      {{- end }}
+
      {{- with .Values.tolerations }}
      tolerations:
        {{- toYaml . | nindent 8 }}
--- a/values.yaml
+++ b/values.yaml
@@ -5,6 +5,13 @@ image:
  tag: "latest"                                                    # Image tag; if empty, defaults to Chart appVersion
 imagePullSecrets: []                                               # Optional secrets for private registries

+# Optional overrides for chart naming
+nameOverride: ""
+fullnameOverride: ""
+
+# Node selection and scheduling, deploys to all nodes by default
+nodeSelector: {}
+
 # Resource requests and limits for the miner container
 resources:
  limits:
@@ -19,7 +26,6 @@ priorityClassName: "duino-miner-lowest"

 # Environment variables for the Duino-Coin miner
 env:
-  DUCO_DIR: "/duino-coin/Duino-Coin PC Miner 4.3" # Directory where the miner config lives
  DUCO_USERNAME: "your_actual_username"           # Your Duino-Coin wallet or username
  DUCO_MINING_KEY: "your_actual_mining_key"       # Mining key
  DUCO_INTENSITY: "95"                            # Mining intensity (0–100)
@@ -34,9 +40,8 @@ env:
  DUCO_RASPI_CPU_IOT: "n"                         # Raspberry Pi CPU I/O tuning
  DUCO_DISCORD_RP: "n"                            # Discord Rich Presence

-# Optional overrides for chart naming
-nameOverride: ""
-fullnameOverride: ""
+# Directory where miner config is located is mounted as an EmptyDir
+ducoDir: "/duino-coin/Duino-Coin PC Miner 4.3"  

 # Service account settings
 serviceAccount:
@@ -73,10 +78,3 @@ readinessProbe:
      - "pidof python > /dev/null"
  initialDelaySeconds: 10   # Wait 10 seconds before first check to allow container startup
  periodSeconds: 30         # Check every 30 seconds
-
-# Volumes and mounts (if needed)
-volumes: []                  # Define extra volumes here
-volumeMounts: []             # Define mounts inside the container here
-
-# Node selection and scheduling
-nodeSelector: {}