[memcached] Allign with security best practices

* Add runAsNonRoot directive * Drop all capabilities * Mount bianries with 550 and 65534 fsgroup Change-Id: I0636088b40ce8ebaef84dad017ddbcaaecfc8221
2025-01-01 11:33:22 +00:00 · 2025-01-01 11:33:22 +00:00 · 725dc5518d
commit 725dc5518d
parent 11915a30a7
2 changed files with 9 additions and 1 deletions
--- a/memcached/templates/statefulset.yaml
+++ b/memcached/templates/statefulset.yaml
@ -132,6 +132,6 @@ spec:
        - name: memcached-bin
          configMap:
            name: {{ $configMapBinName | quote }}
-            defaultMode: 0555
+            defaultMode: 360
 {{ dict "envAll" $envAll "component" "memcached" "requireSys" true | include "helm-toolkit.snippets.kubernetes_apparmor_volumes" | indent 8 }}
 {{- end }}
--- a/memcached/values.yaml
+++ b/memcached/values.yaml
@ -150,13 +150,21 @@ pod:
    server:
      pod:
        runAsUser: 65534
+        runAsNonRoot: true
+        fsGroup: 65534
      container:
        memcached:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
+          capabilities:
+            drop:
+              - ALL
        memcached_exporter:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
+          capabilities:
+            drop:
+              - ALL
  probes:
    memcached:
      memcached: