From c754e4533183651ac7c72ea696a224fd22ea0636 Mon Sep 17 00:00:00 2001
From: Andi Skrgat
Date: Mon, 27 Jan 2025 08:36:56 +0100
Subject: [PATCH 1/2] Update security context for standalone chart

---
 charts/memgraph/templates/statefulset.yaml | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/charts/memgraph/templates/statefulset.yaml b/charts/memgraph/templates/statefulset.yaml
index d9aa1b3..0c6daf4 100644
--- a/charts/memgraph/templates/statefulset.yaml
+++ b/charts/memgraph/templates/statefulset.yaml
@@ -62,13 +62,11 @@ spec:
 chown -R memgraph:memgraph {{ .Values.persistentVolumeClaim.userMountPath }};
 {{- end }}
 securityContext:
-privileged: true
-readOnlyRootFilesystem: false
+readOnlyRootFilesystem: true
+runAsUser: 0
 capabilities:
-drop: ["all"]
+drop: ["ALL"]
 add: ["CHOWN"]
-runAsUser: 0
-runAsNonRoot: false
 {{- if .Values.sysctlInitContainer.enabled }}
 - name: init-sysctl
 image: busybox

From 9bb174217a8129070692e714fd70c0cc04645f3a Mon Sep 17 00:00:00 2001
From: Andi Skrgat
Date: Mon, 27 Jan 2025 09:13:47 +0100
Subject: [PATCH 2/2] Add security context for memgraph-container

---
 charts/memgraph/templates/statefulset.yaml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/charts/memgraph/templates/statefulset.yaml b/charts/memgraph/templates/statefulset.yaml
index 0c6daf4..fe46c08 100644
--- a/charts/memgraph/templates/statefulset.yaml
+++ b/charts/memgraph/templates/statefulset.yaml
@@ -126,6 +126,11 @@ spec:
 containerPort: {{ .Values.service.websocketPortMonitoring }}
 - name: http
 containerPort: {{ .Values.service.httpPortMonitoring }}
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop: [ "ALL" ]
+# Run by 'memgraph' user as specified in the Dockerfile
 livenessProbe:
 exec:
 command:
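Review bot: The init container's new security context keeps `runAsUser: 0` with `CHOWN` added back, but unlike the main container's context in the second patch it does not set `allowPrivilegeEscalation: false`; adding that line next to `runAsUser: 0` keeps the two contexts consistent and has the kubelet start the `chown -R` step with no-new-privileges. Dropping `privileged: true` also means uid 0 no longer carries `DAC_OVERRIDE`, so if any existing directory under `persistentVolumeClaim.userMountPath` is not traversable by root under plain DAC checks the recursive chown will fail — presumably fine for a fresh volume, but worth confirming on an upgraded release. A short comment above `securityContext:` such as `# Root with CHOWN only: needed to fix ownership of the PVC mount before memgraph starts` would record why this init container is the one place the chart still runs as uid 0. The enclosing init-container list continues outside the hunk.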
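Review bot: The comment `# Run by 'memgraph' user as specified in the Dockerfile` records an assumption the manifest does not enforce: nothing in the added `securityContext` prevents the container from starting as root if the image's `USER` changes or a pod-level context overrides it, so add `runAsNonRoot: true` beside `allowPrivilegeEscalation: false` and let the kubelet reject a uid-0 start. If the uid is known from the image, pinning `runAsUser`/`runAsGroup` here as well removes the dependency on the Dockerfile entirely, and `seccompProfile: {type: RuntimeDefault}` would bring the container in line with the Pod Security "restricted" profile. As a point of style, `drop: [ "ALL" ]` uses inner spaces while the init container in the first patch writes `drop: ["ALL"]`; pick one form file-wide. The container spec continues outside the hunk, so whether `readOnlyRootFilesystem` is set elsewhere for this container cannot be seen here.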