Drop unneeded capabilities, make container read-only (#76)

* Run CoreDNS in Docker only with CAP_NET_BIND_SERVICE, drop all other (root) privileges. Run filesystem of container and config in read-only mode. * Run CoreDNS in Kubernetes only with CAP_NET_BIND_SERVICE, drop all other (root) privileges. Run filesystem of container and config in read-only mode.
2025-05-05 12:32:34 +02:00 · 2018-05-29 15:02:00 +02:00 · 2018-05-29 15:02:00 +02:00 · aba0245609
commit aba0245609
parent d1771c8cde
2 changed files with 15 additions and 1 deletions
--- a/kubernetes/coredns.yaml.sed
+++ b/kubernetes/coredns.yaml.sed
@ -94,6 +94,7 @@ spec:
        volumeMounts:
        - name: config-volume
          mountPath: /etc/coredns
+          readOnly: true
        ports:
        - containerPort: 53
          name: dns
@ -104,6 +105,14 @@ spec:
        - containerPort: 9153
          name: metrics
          protocol: TCP
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            add:
+            - NET_BIND_SERVICE
+            drop:
+            - all
+          readOnlyRootFilesystem: true
        livenessProbe:
          httpGet:
            path: /health