Pat Riehecky

Results 259 comments of Pat Riehecky

Updated to try and use example output 2

This is a feature I'd like to see. It has the risk of being a bit wonky, but being able to pull directly from git, rather than an intermediary repo,...

While `readonlyrootfilesystem` is not on the restricted list, it might also be something to consider. The Trivy security scanner seems to like it....

Something like:

```yaml
policyTypes:
  - Egress
egress:
  - to:
      - namespaceSelector:
          matchLabels:
            kubernetes.io/metadata.name: kube-system
        podSelector:
          matchLabels:
            k8s-app: kube-dns
    ports:
      - port: 53
        protocol: UDP
      - port: 53
        protocol: TCP
```
...

I'd still like to see this.

/remove-lifecycle rotten

The helm secrets are interesting, but I've seen issues where helm wants to store a secret over the 1mb limit causing all sorts of havoc (cf https://github.com/prometheus-community/helm-charts/pull/3267)

I've added links to the trivy tooling and resolved the conflicts. Just to verify, can this container run with any of the following security settings?

```yaml
runAsNonRoot: true
allowPrivilegeEscalation: false...
```

I'd prefer the defaults to have the most hardening that is safe to apply. I'm not super familiar with what the code actually needs... In prod I'm running with the...

I'm still interested in this.