Drop unneeded capabilities, make container read-only (#76)

* Run CoreDNS in Docker only with CAP_NET_BIND_SERVICE, drop all other (root) privileges. Run filesystem of container and config in read-only mode. * Run CoreDNS in Kubernetes only with CAP_NET_BIND_SERVICE, drop all other (root) privileges. Run filesystem of container and config in read-only mode.
2025-05-05 04:28:38 +02:00 · 2018-05-29 15:02:00 +02:00 · 2018-05-29 15:02:00 +02:00 · aba0245609
commit aba0245609
parent d1771c8cde
2 changed files with 15 additions and 1 deletions
--- a/docker/dns.yml
+++ b/docker/dns.yml
@ -9,7 +9,12 @@ services:
      - "53:53/tcp"
      - "9153:9153/tcp"
    volumes:
-      - coredns:/data
+      - coredns:/data:ro
+    cap_drop:
+      - ALL
+    cap_add:
+      - NET_BIND_SERVICE
+    read_only: true
    deploy:
      mode: global
      placement: