feat(chart): Set allowPrivilegeEscalation: false

The container ports needed to be changed to 8080 and 8443 for this purpose. Service ports remain unchanged. The capability NET_BIND_SERVICE is still needed. Otherwise the nginx process can not even be started due to the file capability on `/usr/sbin/nginx` in the image.
codecentric · Aug 15, 2024 · 29ec930 · 29ec930
1 parent f1843a9
commit 29ec930
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/chart/values.yaml b/chart/values.yaml
@@ -10,10 +10,10 @@ config:
       endpoints: {}
     http:
       enabled: true
-      port: 80
+      port: 8080
     https:
       enabled: false
-      port: 443
+      port: 8443
       ssl_certificate: /var/run/secrets/tls/tls.crt
       ssl_certificate_key: /var/run/secrets/tls/tls.key
 
@@ -57,6 +57,7 @@ pod:
           - NET_BIND_SERVICE
       readOnlyRootFilesystem: true
       runAsNonRoot: true
+      allowPrivilegeEscalation: false
     livenessProbe:
       httpGet:
         path: /health/liveness