Improved security configuration (#63)

guerzon · Dec 17, 2023 · 67b5a64 · 67b5a64
1 parent e87e33f
commit 67b5a64
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 1 deletion.
diff --git a/charts/vaultwarden/Chart.yaml b/charts/vaultwarden/Chart.yaml
@@ -13,5 +13,5 @@ maintainers:
   - name: guerzon
     email: [email protected]
     url: https://github.com/guerzon
-version: 0.18.1
+version: 0.18.2
 kubeVersion: ">=1.12.0-0"
diff --git a/charts/vaultwarden/templates/_podSpec.tpl b/charts/vaultwarden/templates/_podSpec.tpl
@@ -11,6 +11,10 @@ affinity:
 tolerations:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+{{- with .Values.podSecurityContext }}
+securityContext:
+  {{- toYaml . | nindent 8 }}
+{{- end }}
 {{- with .Values.initContainers }}
 initContainers:
 {{- toYaml . | nindent 8 }}

diff --git a/charts/vaultwarden/values.yaml b/charts/vaultwarden/values.yaml
@@ -253,7 +253,23 @@ startupProbe:
   ##
   failureThreshold: 10
 
+## Pod security options
+podSecurityContext: {}
+  # fsGroup: 1001
+  # supplementalGroups:
+  #   - 1001
+
+## Default security options to run vault as read only container without privilege escalation
 securityContext: {}
+  # allowPrivilegeEscalation: false
+  # privileged: false
+  # readOnlyRootFilesystem: true
+  # runAsNonRoot: true
+  # runAsGroup: 1001
+  # runAsUser: 1001
+  # capabilities:
+  #   drop:
+  #     - ALL
 
 ## Service configuration
 service: