Security redesign to run as non-root and restrict permissions (#39)
- Restricted permissions on objects to strictly required verbs
- Modified application to run as non-root and on a non-standard http port (cannot use <1024 port due to root permission requirements)
- Updated chart to api version 2 (Helm 3)
- Cert-manager extension is no longer optional (does not interfere with operations if cert-manager is not installed)
- Updated README
- Fixed referenced version in static manifests
winromulus authored May 2, 2020
1 parent 3950809 commit 2a24c28
Showing 26 changed files with 352 additions and 474 deletions.
4 changes: 2 additions & 2 deletions README.md
Expand Up @@ -28,6 +28,7 @@ Reflector can be deployed either manually or using Helm (recommended).

### Prerequisites
- Kubernetes 1.14+
- Helm 3 (if deployed using Helm)

#### Deployment using Helm

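Review bot: the new `- Helm 3 (if deployed using Helm)` line under `### Prerequisites` does not say that Helm 2 can no longer install the chart. The commit message states the chart moved to API version 2, which Helm 2 cannot install, so the break should be explicit, for example `- Helm 3 (if deployed using Helm; Helm 2 is not supported)`. That tells operators still on Helm 2 to migrate or to use the manual deployment path before upgrading.
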
Expand All @@ -47,7 +48,6 @@ You can customize the values of the helm deployment by using the following Value
| `image.repository` | Container image repository | `emberstack/kubernetes-reflector` |
| `image.tag` | Container image tag | `Same as chart version` |
| `image.pullPolicy` | Container image pull policy | `IfNotPresent` |
| `extensions.certManager.enabled` | `cert-manager` addon | `true` |
| `configuration.logging.minimumLevel` | Logging minimum level | `Information` |
| `rbac.enabled` | Create and use RBAC resources | `true` |
| `serviceAccount.create` | Create ServiceAccount | `true` |
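
Review bot: removing the `extensions.certManager.enabled` row from the values table leaves nothing for operators who currently set it to `false`; Helm does not reject unknown values, so their override would be ignored without any indication and the extension would run anyway. Suggest an upgrade note in the README saying the value was removed and the extension is always on. Since this commit's stated goal is restricting permissions to strictly required verbs, the note should also list which cert-manager resources the always-on extension needs to read, so the grant can be audited on clusters that do not run cert-manager.
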
Expand Down Expand Up @@ -152,7 +152,7 @@ $ kubectl apply -f https://github.com/emberstack/kubernetes-reflector/releases/l

- - - -

## (Optional) `cert-manager` extension
## `cert-manager` extension

> Supported `cert-manager` version: `0.11.0` or higher.

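Review bot: renaming the heading to ``## `cert-manager` extension`` changes the section's generated anchor, so existing links to the `(Optional)` form will stop resolving; check the README and any external docs for references to it. The body under the heading still states only the supported version. Add a sentence saying the extension is always enabled and does not interfere with operations when cert-manager is not installed, as the commit message describes, because the title no longer conveys that.
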