kitchen: Run as non-root user

The *kitchen* server service does not need to run as root or have any access to writable storage.
2024-06-06 11:03:42 -05:00 · 2024-06-06 11:03:42 -05:00 · c3c9c0c555
parent b4d6dfeb07
commit c3c9c0c555
1 changed files with 6 additions and 0 deletions
--- a/kitchen/kitchen.yaml
+++ b/kitchen/kitchen.yaml
@ -42,11 +42,17 @@ spec:
        ports:
        - containerPort: 8000
          name: http
+        securityContext:
+          readOnlyRootFilesystem: true
        volumeMounts:
        - name: config
          mountPath: /kitchen.yaml
          subPath: config.yaml
          readOnly: true
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 17402
+        runAsGroup: 17402
      volumes:
      - name: config
        secret: