helm-charts
Configure securityContext by default for implementing Pod Security Standard
In compliant Kubernetes clusters, workloads should run as securely as possible. Therefore, it would be great if HiveMQ and the operator can be compliant with the Pod Security Standard restricted profile (if possible).
See https://kubernetes.io/docs/concepts/security/pod-security-standards/
Currently it is possible to set the podSecurityContext but it is not possible to set the containerSecurityContext (e.g. drop all capabilities, allowPrivilegeEscalation to false).
Thanks @avthart - Indeed, that's a valid point to improve the Pod Security Standard of our platform. That's something we are not directly supporting via our Helm charts. I will work on this to provide support for the Container Security Context as well.
In the meantime, if you need that, you can always override the whole StatefulSet as mentioned in our HiveMQ documentation. Bear in mind that, when doing so, you need to align the different service configurations you may also have in your custom chart values with the ones you define in your override StatefulSet.
Thanks. Will look into this!
Fixed by https://github.com/hivemq/helm-charts/pull/361