fix: security

opsta · Oct 31, 2024 · ec49ec4 · ec49ec4
1 parent 6d33226
commit ec49ec4
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 4 deletions.
diff --git a/.github/workflows/nonprd.yaml b/.github/workflows/nonprd.yaml
@@ -106,10 +106,10 @@ jobs:
           tags: ${{ needs.setup.outputs.tags }}
           labels: ${{ needs.setup.outputs.labels }}
           # SECURITY VULNERABILITY
-          cache-to: type=registry,ref=${{ vars.IMAGE_NAME }}:buildcache-vuln,mode=max
-          cache-from: type=registry,ref=${{ vars.IMAGE_NAME }}:buildcache-vuln
-          # cache-to: type=registry,ref=${{ vars.IMAGE_NAME }}:buildcache,mode=max
-          # cache-from: type=registry,ref=${{ vars.IMAGE_NAME }}:buildcache
+          # cache-to: type=registry,ref=${{ vars.IMAGE_NAME }}:buildcache-vuln,mode=max
+          # cache-from: type=registry,ref=${{ vars.IMAGE_NAME }}:buildcache-vuln
+          cache-to: type=registry,ref=${{ vars.IMAGE_NAME }}:buildcache,mode=max
+          cache-from: type=registry,ref=${{ vars.IMAGE_NAME }}:buildcache
         env:
           DOCKER_BUILD_RECORD_UPLOAD: false
 

diff --git a/iac/helm-values/opsta-line-bot-dev.yaml b/iac/helm-values/opsta-line-bot-dev.yaml
@@ -38,3 +38,14 @@ volumes:
     path: /tmp
     size: 500Mi
     storageClass: nfs
+securityContext:
+  readOnlyRootFilesystem: true
+  allowPrivilegeEscalation: false
+  runAsNonRoot: true
+  runAsUser: 65532
+  runAsGroup: 65532
+  seccompProfile:
+    type: RuntimeDefault
+  capabilities:
+    drop:
+      - ALL
diff --git a/iac/helm-values/opsta-line-bot-prd.yaml b/iac/helm-values/opsta-line-bot-prd.yaml
@@ -38,3 +38,14 @@ volumes:
     path: /tmp
     size: 500Mi
     storageClass: nfs
+securityContext:
+  readOnlyRootFilesystem: true
+  allowPrivilegeEscalation: false
+  runAsNonRoot: true
+  runAsUser: 65532
+  runAsGroup: 65532
+  seccompProfile:
+    type: RuntimeDefault
+  capabilities:
+    drop:
+      - ALL