Drop unneeded capabilities, make container read-only (#76)

* Run CoreDNS in Docker only with CAP_NET_BIND_SERVICE, drop all other (root) privileges. Run filesystem of container and config in read-only mode. * Run CoreDNS in Kubernetes only with CAP_NET_BIND_SERVICE, drop all other (root) privileges. Run filesystem of container and config in read-only mode.
2025-03-14 14:16:16 +01:00 · 2018-05-29 15:02:00 +02:00 · 2018-05-29 15:02:00 +02:00 · aba0245609
commit aba0245609
parent d1771c8cde
2 changed files with 15 additions and 1 deletions
--- a/docker/dns.yml
+++ b/docker/dns.yml
@ -9,7 +9,12 @@ services:
      - "53:53/tcp"
      - "9153:9153/tcp"
    volumes:
-      - coredns:/data
+      - coredns:/data:ro
+    cap_drop:
+      - ALL
+    cap_add:
+      - NET_BIND_SERVICE
+    read_only: true
    deploy:
      mode: global
      placement:
--- a/kubernetes/coredns.yaml.sed
+++ b/kubernetes/coredns.yaml.sed
@ -94,6 +94,7 @@ spec:
        volumeMounts:
        - name: config-volume
          mountPath: /etc/coredns
+          readOnly: true
        ports:
        - containerPort: 53
          name: dns
@ -104,6 +105,14 @@ spec:
        - containerPort: 9153
          name: metrics
          protocol: TCP
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            add:
+            - NET_BIND_SERVICE
+            drop:
+            - all
+          readOnlyRootFilesystem: true
        livenessProbe:
          httpGet:
            path: /health