
[Suggestion] - Should Bitbucket Smart Mirror have a livenessProbe?

Open JSRAF opened this issue 2 years ago • 1 comment

Suggestion

I was wondering why the Helm chart does not have an option for setting up a livenessProbe for the Bitbucket Smart Mirror. There is an open port for the readinessProbe already there. Is there no need for a livenessProbe, or should this be added in the future?

My other concern is about the Security Context of the Smart Mirror, since it runs as the root user for the ability to change the volume permissions. Also, you can't change the allowPrivilegeEscalation value in the values file either, unfortunately. I think this should be configured more securely if possible.

Product

Bitbucket

Code of Conduct

  • [X] I agree to follow this project's Code of Conduct

JSRAF avatar Aug 02 '22 10:08 JSRAF

Hi @JSRAF, thanks for the suggestion. Could you elaborate more on your suggestions? It would help us prioritise this if you could provide good use cases (PRs, examples, etc.).

jjeongatl avatar Sep 06 '22 01:09 jjeongatl

Liveness probe has already made it to Jira. We're planning to add them to all charts.

As to the securityContext, it should be fully configurable.

bianchi2 avatar Mar 29 '23 07:03 bianchi2

So the initContainer is supposed to run as root and the main container would work if I applied the following securityContext settings to it?

securityContext:
  runAsUser: 2003
  runAsGroup: 2003
  runAsNonRoot: true
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
  capabilities:
    drop:
      - ALL

JSRAF avatar Mar 29 '23 08:03 JSRAF

Running the init container as root is sometimes required to fix permissions for the shared home; however, that may not be required in every case. Moreover, once the permissions are fixed you may disable it, and Bitbucket should be able to write to the shared home.

As to the main container, even though it's starting as root, all the processes are started as the bitbucket user. You can definitely set a custom securityContext in values.yaml and run it as the 2003 user.

bianchi2 avatar Mar 29 '23 09:03 bianchi2
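The thread above boils down to a short checklist for the rendered Pod: does an init container still run as root, does the main container carry the hardened securityContext from the earlier comment (non-root UID, no privilege escalation, read-only root filesystem, all capabilities dropped), and is there a livenessProbe next to the readinessProbe. The script below, added here as an example and not code from the data-center-helm-charts project, audits a Pod spec for exactly those points. It works on the standard Kubernetes PodSpec fields (`initContainers`, `containers`, `securityContext`, `livenessProbe`), so it can be pointed at the JSON output of `helm template ... | yq -o json` or `kubectl get pod -o json`. The two sample Pods embedded in it are constructed by hand to resemble a Smart Mirror pod before and after hardening; the container names and ports in them are assumptions, not the chart's real rendered output.

```python
"""Audit a Pod spec for root containers, weak securityContext and a missing livenessProbe.

Added example, not part of the Helm chart. Usage with a rendered manifest:
    python audit_pod.py < pod.json
The sample Pods at the bottom are constructed for illustration.
"""
import json
import sys
from typing import Dict, List

# What the hardened main container should carry (the securityContext proposed in the thread).
REQUIRED_MAIN: Dict[str, object] = {
    "runAsNonRoot": True,
    "allowPrivilegeEscalation": False,
    "readOnlyRootFilesystem": True,
}


def effective_sc(pod_sc: dict, container: dict) -> dict:
    """Container-level securityContext overrides the pod-level one field by field."""
    merged = dict(pod_sc or {})
    merged.update(container.get("securityContext") or {})
    return merged


def runs_as_root(sc: dict) -> bool:
    """True when the container is, or may be, UID 0.

    runAsUser=0 is root outright; with runAsUser unset, only runAsNonRoot=true
    makes the kubelet refuse a root image user, so anything else 'may' be root.
    """
    uid = sc.get("runAsUser")
    if uid == 0:
        return True
    return uid is None and sc.get("runAsNonRoot") is not True


def audit_pod(pod: dict) -> List[str]:
    """Return a list of human-readable findings; an empty list means the pod passes."""
    spec = pod["spec"]
    pod_sc = spec.get("securityContext") or {}
    findings: List[str] = []

    # Init containers: root is tolerated only while fixing shared-home permissions, so report it.
    for c in spec.get("initContainers", []):
        if runs_as_root(effective_sc(pod_sc, c)):
            findings.append(
                f"initContainer {c['name']}: runs as root "
                "(acceptable only until shared-home permissions are fixed; then disable it)"
            )

    for c in spec.get("containers", []):
        name = f"container {c['name']}"
        sc = effective_sc(pod_sc, c)
        if runs_as_root(sc):
            findings.append(f"{name}: may run as root")
        for key, want in REQUIRED_MAIN.items():
            if sc.get(key) != want:
                findings.append(f"{name}: {key} should be {json.dumps(want)}, got {json.dumps(sc.get(key))}")
        drops = [d.upper() for d in (sc.get("capabilities") or {}).get("drop", [])]
        if "ALL" not in drops:
            findings.append(f"{name}: capabilities.drop should include ALL")
        # A readinessProbe only pulls the pod out of the Service; a hung JVM is never restarted.
        if "livenessProbe" not in c:
            findings.append(f"{name}: no livenessProbe (readinessProbe alone never restarts a hung process)")
    return findings


# Constructed sample: root permission-fixer init container, main container with chart defaults.
POD_BEFORE = {
    "spec": {
        "initContainers": [
            {"name": "nfs-permission-fixer", "securityContext": {"runAsUser": 0}},
        ],
        "containers": [
            {"name": "bitbucket", "readinessProbe": {"tcpSocket": {"port": 7990}}},
        ],
    }
}

# Constructed sample: fixer disabled (permissions already fixed), hardened main container.
POD_AFTER = {
    "spec": {
        "containers": [
            {
                "name": "bitbucket",
                "securityContext": {
                    "runAsUser": 2003,
                    "runAsGroup": 2003,
                    "runAsNonRoot": True,
                    "allowPrivilegeEscalation": False,
                    "readOnlyRootFilesystem": True,
                    "capabilities": {"drop": ["ALL"]},
                },
                "readinessProbe": {"tcpSocket": {"port": 7990}},
                "livenessProbe": {"tcpSocket": {"port": 7990}},
            },
        ],
    }
}


if __name__ == "__main__":
    pod = json.load(sys.stdin) if not sys.stdin.isatty() else POD_BEFORE
    for line in audit_pod(pod) or ["no findings"]:
        print(line)
```

Run it against the rendered Smart Mirror manifest after changing values.yaml and iterate until the only remaining finding is the root init container, then disable that once the shared-home permissions are in place, as bianchi2 suggests above.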