
Commit 2a24c28

Security redesign to run as non-root and restrict permissions (#39)
- Restricted permissions on objects to strictly required verbs
- Modified application to run as non-root and on a non-standard http port (cannot use <1024 port due to root permission requirements)
- Updated chart to api version 2 (Helm 3)
- Cert-manager extension is no longer optional (does not interfere with operations if cert-manager is not installed)
- Updated README
- Fixed referenced version in static manifests
1 parent 3950809 commit 2a24c28

26 files changed: +352 / -474 lines changed

README.md

Lines changed: 2 additions & 2 deletions
@@ -28,6 +28,7 @@ Reflector can be deployed either manually or using Helm (recommended).
2828

2929
### Prerequisites
3030
- Kubernetes 1.14+
31+
- Helm 3 (if deployed using Helm)
3132

3233
#### Deployment using Helm
3334
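Review bot: The added prerequisite `- Helm 3 (if deployed using Helm)` does not tell existing users that Helm 2 is no longer an option. The commit message says the chart moved to API version 2, which Helm 2 cannot install, so this is a breaking change for anyone upgrading an existing release. Suggest wording it as a hard requirement, for example "Helm 3 (Helm 2 is not supported)", and adding a short upgrade note to the Helm deployment section. The same list would also be a natural place to mention the new non-root, non-privileged-port behaviour described in the commit message, since cluster policies and probes that assumed the old port will need adjusting.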

@@ -47,7 +48,6 @@ You can customize the values of the helm deployment by using the following Value
4748
| `image.repository` | Container image repository | `emberstack/kubernetes-reflector` |
4849
| `image.tag` | Container image tag | `Same as chart version` |
4950
| `image.pullPolicy` | Container image pull policy | `IfNotPresent` |
50-
| `extensions.certManager.enabled` | `cert-manager` addon | `true` |
5151
| `configuration.logging.minimumLevel` | Logging minimum level | `Information` |
5252
| `rbac.enabled` | Create and use RBAC resources | `true` |
5353
| `serviceAccount.create` | Create ServiceAccount | `true` |
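Review bot: Removing the `extensions.certManager.enabled` row from the values table leaves no trace for users who still set that key in their values files or `--set` flags. After this change the key would be accepted without effect, so someone who had set it to `false` to keep the extension off gets it enabled without any signal. Suggest a one-line note near the table (or in the changelog) stating that the value was removed and that the `cert-manager` extension is now always on, so operators can review what access that implies in their cluster.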
@@ -152,7 +152,7 @@ $ kubectl apply -f https://github.com/emberstack/kubernetes-reflector/releases/l
152152

153153
- - - -
154154

155-
## (Optional) `cert-manager` extension
155+
## `cert-manager` extension
156156

157157
> Supported `cert-manager` version: `0.11.0` or higher.
158158
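Review bot: The heading on the changed line drops "(Optional)" but the section body visible here still opens only with the supported version, so the README never states the new behaviour. The commit message says the extension is always enabled and does not interfere when `cert-manager` is not installed; that sentence belongs directly under `## cert-manager extension`, ahead of the version note. Renaming the heading also changes its generated anchor, so any links to the old "(Optional)" anchor in this README or in external docs should be checked.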
