fix: security fix

2025-11-21 11:23:52 +09:00
parent 71bca4bacd
commit ca134b3585
4 changed files with 198 additions and 0 deletions
--- a/k8s/registry/registry.yaml
+++ b/k8s/registry/registry.yaml
@@ -20,6 +20,12 @@ spec:
      labels:
        app: registry
    spec:
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 65534
+        fsGroup: 65534
+        seccompProfile:
+          type: RuntimeDefault
      containers:
      - name: registry
        image: registry:2
@@ -31,9 +37,19 @@ spec:
          value: "true"
        - name: REGISTRY_HTTP_ADDR
          value: "0.0.0.0:5000"
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          runAsUser: 65534
+          capabilities:
+            drop:
+              - ALL
        volumeMounts:
        - name: registry-data
          mountPath: /var/lib/registry
+        - name: tmp
+          mountPath: /tmp
        livenessProbe:
          httpGet:
            path: /v2/
@@ -49,6 +65,8 @@ spec:
      volumes:
      - name: registry-data
        emptyDir: {}
+      - name: tmp
+        emptyDir: {}
 ---
 apiVersion: v1
 kind: Service