Drop unneeded capabilities, make container read-only (#76)

* Run CoreDNS in Docker with only CAP_NET_BIND_SERVICE and drop all other (root) privileges. Mount the container's filesystem and the config read-only.

* Run CoreDNS in Kubernetes with only CAP_NET_BIND_SERVICE and drop all other (root) privileges. Mount the container's filesystem and the config read-only.
Nico Berlee 2018-05-29 15:02:00 +02:00 committed by Miek Gieben
parent d1771c8cde
commit aba0245609
2 changed files with 15 additions and 1 deletions


@ -9,7 +9,12 @@ services:
- "53:53/tcp" - "53:53/tcp"
- "9153:9153/tcp" - "9153:9153/tcp"
volumes: volumes:
- coredns:/data - coredns:/data:ro
cap_drop:
- ALL
cap_add:
- NET_BIND_SERVICE
read_only: true
deploy: deploy:
mode: global mode: global
placement: placement:
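Review bot: The added `cap_drop`/`cap_add` keys sit in a service that also carries a `deploy:` section with `mode: global`, which suggests the file is deployed as a swarm stack; Docker Engine releases before 20.10 ignore `cap_add` and `cap_drop` under `docker stack deploy`, so the container may still start with the default capability set. A comment above `cap_drop:` would make that visible, for example `# ignored by docker stack deploy before Engine 20.10; verify effective capabilities with docker inspect`. It is also worth confirming the capability set on a running task rather than relying on the file. The rest of the service definition lies outside the hunk, so how the stack is actually deployed cannot be confirmed from here.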


@ -94,6 +94,7 @@ spec:
volumeMounts: volumeMounts:
- name: config-volume - name: config-volume
mountPath: /etc/coredns mountPath: /etc/coredns
readOnly: true
ports: ports:
- containerPort: 53 - containerPort: 53
name: dns name: dns
@ -104,6 +105,14 @@ spec:
- containerPort: 9153 - containerPort: 9153
name: metrics name: metrics
protocol: TCP protocol: TCP
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_BIND_SERVICE
drop:
- all
readOnlyRootFilesystem: true
livenessProbe: livenessProbe:
httpGet: httpGet:
path: /health path: /health
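Review bot: The drop list in the added `securityContext` is spelled `- all`, while the compose file in this same commit uses `ALL`. Kubernetes documentation and the Pod Security Standards spell the value `ALL`, and some runtimes and policy checks may compare it case-sensitively, so the lowercase form risks not being recognised as dropping everything; suggest `- ALL`. The block also sets neither `runAsNonRoot` nor `runAsUser`, so whether the process still runs as UID 0 depends on the image, which is not visible in this hunk. A one-line comment such as `# NET_BIND_SERVICE is kept only to bind port 53` above `capabilities:` would record why that single capability remains.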