652cef7ffe
Add a pod-level security context to the nginx container in the public docs deployment (non-root uid 101, dropped capabilities, read-only root filesystem, RuntimeDefault seccomp) and rebind it to unprivileged port 8080 so it does not need CAP_NET_BIND_SERVICE. The nginx PID and proxy temp paths move under a tmpfs-backed emptyDir so the read-only root filesystem does not break startup. Replace the mutable :main tags on both containers with immutable sha256 digests and switch imagePullPolicy to IfNotPresent so each rollout references an auditable artifact instead of whatever happens to be tagged :main when the pod starts. The docs-deploy workflow now overlays the freshly built docs digest via `kustomize edit set image` so the manifest stays accurate without a manual edit on each push to main. The docs Dockerfile pins its node and nginx-micro base images to specific versions for the same reason. Ref: AWOO-011, AWOO-012 Assisted-by: Claude Opus 4.7 via Claude Code Signed-off-by: Xe Iaso <me@xeiaso.net>
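---
# Public docs deployment.
#
# Two containers share the pod network namespace:
#   * anubis-docs: nginx serving the built docs on the unprivileged port 8080
#     (no CAP_NET_BIND_SERVICE needed; all capabilities are dropped).
#   * anubis: the Anubis proxy, bound on :8081, with TARGET pointing at the
#     nginx listener on localhost:8080.
#
# Both images are pinned by sha256 digest rather than a mutable tag. The docs
# digest is rewritten on each push to main by the docs-deploy workflow
# (`kustomize edit set image`), so do not hand-edit it here.
#
# Resource quantities are written unquoted throughout (500m, 128Mi): they are
# not boolean/number-looking scalars, and mixing quoted and unquoted forms
# for the same field across containers only invites drift.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: anubis-docs
spec:
  selector:
    matchLabels:
      app: anubis-docs
  template:
    metadata:
      labels:
        app: anubis-docs
    spec:
      volumes:
        # Anubis bot policy (mounted at /xe/cfg/anubis, see POLICY_FNAME).
        - name: anubis
          configMap:
            name: anubis-cfg
        # nginx configuration (mounted at /conf).
        - name: nginx
          configMap:
            name: nginx-cfg
        # Writable scratch for the anubis container (/xe/data/anubis).
        - name: temporary-data
          emptyDir: {}
        # Writable scratch for nginx (PID file and proxy temp paths live
        # under /tmp) so the container can run with a read-only root
        # filesystem. NOTE(review): `emptyDir: {}` is node-disk backed; if a
        # tmpfs is intended, set `emptyDir: { medium: Memory }` and account
        # for it against the container's memory limit.
        - name: nginx-tmp
          emptyDir: {}
      containers:
        - name: anubis-docs
          # Digest-pinned; rewritten per rollout by the docs-deploy workflow.
          image: ghcr.io/techarohq/anubis/docs@sha256:f13a7c862bbcba8e19feba9f157120c6f03e23b03367ace4ca55da69dc894e12
          # Digest references are immutable, so there is no reason to re-pull.
          imagePullPolicy: IfNotPresent
          resources:
            limits:
              memory: 128Mi
              cpu: 500m
            requests:
              cpu: 250m
              memory: 128Mi
          volumeMounts:
            - name: nginx
              mountPath: /conf
            # Only writable path in this container (root fs is read-only).
            - name: nginx-tmp
              mountPath: /tmp
          ports:
            - containerPort: 8080
          readinessProbe:
            httpGet:
              path: /
              port: 8080
            initialDelaySeconds: 1
            periodSeconds: 10
          livenessProbe:
            httpGet:
              path: /
              port: 8080
            initialDelaySeconds: 10
            periodSeconds: 20
          # Container-level hardening: non-root uid/gid 101, no capability
          # set, no privilege escalation, read-only root fs, default seccomp.
          securityContext:
            runAsUser: 101
            runAsGroup: 101
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
        - name: anubis
          # Digest-pinned; bump deliberately when upgrading Anubis.
          image: ghcr.io/techarohq/anubis@sha256:533e57956ae3afd1612dab16f02dd4db937ca14fad5399208f403686e14feed5
          imagePullPolicy: IfNotPresent
          # Values are quoted deliberately: env vars are strings, and
          # "true"/"false"/"4" would otherwise be retyped by the parser.
          env:
            - name: "BIND"
              value: ":8081"
            - name: "DIFFICULTY"
              value: "4"
            - name: "METRICS_BIND"
              value: ":9090"
            - name: "OG_PASSTHROUGH"
              value: "true"
            - name: "POLICY_FNAME"
              value: "/xe/cfg/anubis/botPolicies.yaml"
            - name: "SERVE_ROBOTS_TXT"
              value: "false"
            # Upstream is the nginx container in the same pod.
            - name: "TARGET"
              value: "http://localhost:8080"
            # - name: "SLOG_LEVEL"
            #   value: "debug"
          volumeMounts:
            - name: anubis
              mountPath: /xe/cfg/anubis
            - name: temporary-data
              mountPath: /xe/data/anubis
          resources:
            limits:
              cpu: 500m
              memory: 128Mi
            requests:
              cpu: 250m
              memory: 128Mi
          # NOTE(review): unlike the nginx container this one does not set
          # readOnlyRootFilesystem. It already has a writable emptyDir at
          # /xe/data/anubis; confirm the binary writes nowhere else before
          # adding `readOnlyRootFilesystem: true` for parity.
          securityContext:
            runAsUser: 1000
            runAsGroup: 1000
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
          # Credentials are injected from a Secret by name only; no secret
          # material lives in this manifest.
          envFrom:
            - secretRef:
                name: anubis-docs-thoth
          # Probes hit the metrics listener (METRICS_BIND :9090), not the
          # proxied :8081 listener.
          readinessProbe:
            httpGet:
              path: /healthz
              port: 9090
            initialDelaySeconds: 1
            periodSeconds: 10
          livenessProbe:
            httpGet:
              path: /healthz
              port: 9090
            initialDelaySeconds: 10
            periodSeconds: 20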