Skip to content

Security: document privileged NFS containers, set securityContext on rbac bootstrap job #129

Description

@dcmcand

Checklist item [B]:

Containers do not run as root (or have documented justification if they must)

Two gaps:

  1. templates/nfs-server.yaml and templates/nfs-client-installer.yaml run privileged: true. The reasoning exists in template comments and the whole mechanism is tracked for removal in feat: user home directories, shared group storage, and Linux identity (NSS wrapper) #29, but the checklist wants the justification in user-facing docs, not just template comments. A short note in the README security/limitations section satisfies it.
  2. The keycloak rbac bootstrap Job runs python:3.12-slim with no securityContext, so it runs as root. The script is stdlib-only and needs no privileges; set runAsNonRoot: true with a non-zero runAsUser, or document why not.

Acceptance criteria:

Part of #120.

Metadata

Metadata

Assignees

No one assigned

    Labels

    size: S1-3 days of dev/testing effort

    Type

    No type

    Fields

    Priority

    None yet

    Start date

    None yet

    Target date

    None yet

    Size

    None yet

    Projects

    No projects

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions