From b353058b4731b59f2172b33806e4999a9680bff5 Mon Sep 17 00:00:00 2001
From: Andrew Stoltz <1578013+astoltz@users.noreply.github.com>
Date: Wed, 17 Jun 2026 09:41:56 -0500
Subject: [PATCH] gx10: deploy hardened MessageBoard web image
---
 .../deployment-messageboard-web.json | 65 ++++++++++++++-----
 1 file changed, 48 insertions(+), 17 deletions(-)
diff --git a/apps-gx10/fc-messageboard/deployment-messageboard-web.json b/apps-gx10/fc-messageboard/deployment-messageboard-web.json
index 4485f80..31d8743 100644
--- a/apps-gx10/fc-messageboard/deployment-messageboard-web.json
+++ b/apps-gx10/fc-messageboard/deployment-messageboard-web.json
@@ -49,7 +49,7 @@
 }
 }
 ],
- "image": "localhost/fc-messageboard-web:gx10-v1",
+ "image": "localhost/fc-messageboard-web:v20260617-sec5-messageboard-e5f77ef",
 "imagePullPolicy": "Never",
 "livenessProbe": {
 "failureThreshold": 3,
@@ -91,27 +91,58 @@
 },
 "terminationMessagePath": "/dev/termination-log",
 "terminationMessagePolicy": "File",
- "volumeMounts": [
- {
- "mountPath": "/data",
- "name": "data"
- }
- ]
- }
- ],
+ "volumeMounts": [
+ {
+ "mountPath": "/data",
+ "name": "data"
+ },
+ {
+ "mountPath": "/app/logs",
+ "name": "logs"
+ },
+ {
+ "mountPath": "/tmp",
+ "name": "tmp"
+ }
+ ],
+ "securityContext": {
+ "allowPrivilegeEscalation": false,
+ "capabilities": {
+ "drop": [
+ "ALL"
+ ]
+ },
+ "readOnlyRootFilesystem": true
+ }
+ }
+ ],
 "dnsPolicy": "ClusterFirst",
 "restartPolicy": "Always",
 "schedulerName": "default-scheduler",
- "securityContext": {},
+ "securityContext": {
+ "fsGroup": 1654,
+ "fsGroupChangePolicy": "OnRootMismatch",
+ "runAsGroup": 1654,
+ "runAsNonRoot": true,
+ "runAsUser": 1654
+ },
 "terminationGracePeriodSeconds": 30,
 "volumes": [
- {
- "name": "data",
- "persistentVolumeClaim": {
- "claimName": "messageboard-web-data"
- }
- }
- ]
+ {
+ "name": "data",
+ "persistentVolumeClaim": {
+ "claimName": "messageboard-web-data"
+ }
+ },
+ {
+ "name": "logs",
+ "emptyDir": {}
+ },
+ {
+ "name": "tmp",
+ "emptyDir": {}
+ }
+ ]
 }
 }
 }
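Review bot: The new pod-level securityContext has no seccompProfile, so even with allowPrivilegeEscalation false, capabilities drop ALL and runAsNonRoot set, the pod still does not satisfy the Pod Security Standards "restricted" profile and a restricted-enforcing namespace would reject it; add `"seccompProfile": { "type": "RuntimeDefault" }` alongside `"runAsUser": 1654`. The two `"emptyDir": {}` volumes added for /tmp and /app/logs carry no sizeLimit, so a log flood or tmp-file abuse can consume node ephemeral storage until the pod is evicted — `"emptyDir": { "sizeLimit": "256Mi" }` (sized to the app's actual log volume) bounds that. Whether UID/GID 1654 matches the user baked into the new image cannot be told from this manifest; if it does not, runAsNonRoot alone would still admit the container but writes to /data would depend solely on fsGroup, so it is worth confirming against the image's USER directive.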