fixup! chore(helm): enhance security context and volume handling

2026-06-14 00:41:34 +00:00 · 2026-01-03 01:10:49 +00:00
parent 6afa55b5f5
commit f03a288326
3 changed files with 15 additions and 10 deletions
@@ -37,10 +37,8 @@ spec:
          mkdir -p /var/cache/gohoarder /var/lib/gohoarder/metadata /tmp/gohoarder
          {{- if .Values.security.scanners.trivy.enabled }}
          mkdir -p {{ .Values.security.scanners.trivy.cacheDb }}
-          chown -R 1000:1000 {{ .Values.security.scanners.trivy.cacheDb }}
          {{- end }}
-          chown -R 1000:1000 /var/cache/gohoarder /var/lib/gohoarder /tmp/gohoarder
-          chmod 750 /var/cache/gohoarder /var/lib/gohoarder
+          chmod 750 /var/cache/gohoarder /var/lib/gohoarder 2>/dev/null || true
        volumeMounts:
        - name: storage
          mountPath: /var/cache/gohoarder
@@ -53,7 +51,11 @@ spec:
        - name: tmp
          mountPath: /tmp/gohoarder
        securityContext:
-          runAsUser: 0
+          runAsUser: 1000
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
      containers:
      - name: scanner
        securityContext:
@@ -36,8 +36,7 @@ spec:
        args:
        - |
          mkdir -p /var/cache/gohoarder /var/lib/gohoarder/metadata /tmp/gohoarder
-          chown -R 1000:1000 /var/cache/gohoarder /var/lib/gohoarder /tmp/gohoarder
-          chmod 750 /var/cache/gohoarder /var/lib/gohoarder
+          chmod 750 /var/cache/gohoarder /var/lib/gohoarder 2>/dev/null || true
        volumeMounts:
        - name: storage
          mountPath: /var/cache/gohoarder
@@ -46,7 +45,11 @@ spec:
        - name: tmp
          mountPath: /tmp/gohoarder
        securityContext:
-          runAsUser: 0
+          runAsUser: 1000
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
      containers:
      - name: server
        securityContext: