fix(connections): Add security context and disable UID/GID modification
- Add container securityContext to satisfy PodSecurity policy - Set SIGNAL_CLI_UID/GID to 0 to disable user modification attempts - Fixes CrashLoopBackOff due to groupmod permission denied
This commit is contained in:
@@ -24,6 +24,13 @@ spec:
|
||||
- name: signal-cli-rest-api
|
||||
image: bbernhard/signal-cli-rest-api:0.85 # Pin version, test upgrades
|
||||
imagePullPolicy: IfNotPresent
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
ports:
|
||||
- containerPort: 8080
|
||||
name: http
|
||||
@@ -31,6 +38,10 @@ spec:
|
||||
env:
|
||||
- name: MODE
|
||||
value: "json-rpc" # json-rpc mode for API compatibility
|
||||
- name: SIGNAL_CLI_UID
|
||||
value: "0" # Disable UID change
|
||||
- name: SIGNAL_CLI_GID
|
||||
value: "0" # Disable GID change
|
||||
volumeMounts:
|
||||
- name: signal-data
|
||||
mountPath: /home/.local/share/signal-cli
|
||||
|
||||
Reference in New Issue
Block a user