mirror of
https://github.com/TecharoHQ/anubis.git
synced 2026-05-20 05:10:30 +00:00
Xe Iaso
652cef7ffe
Add a pod-level security context to the nginx container in the public docs deployment (non-root uid 101, dropped capabilities, read-only root filesystem, RuntimeDefault seccomp) and rebind it to unprivileged port 8080 so it does not need CAP_NET_BIND_SERVICE. The nginx PID and proxy temp paths move under a tmpfs-backed emptyDir so the read-only root filesystem does not break startup. Replace the mutable :main tags on both containers with immutable sha256 digests and switch imagePullPolicy to IfNotPresent so each rollout references an auditable artifact instead of whatever happens to be tagged :main when the pod starts. The docs-deploy workflow now overlays the freshly built docs digest via `kustomize edit set image` so the manifest stays accurate without a manual edit on each push to main. The docs Dockerfile pins its node and nginx-micro base images to specific versions for the same reason. Ref: AWOO-011, AWOO-012 Assisted-by: Claude Opus 4.7 via Claude Code Signed-off-by: Xe Iaso <me@xeiaso.net>
15 lines
221 B
YAML
15 lines
221 B
YAML
apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
name: anubis-docs
|
|
spec:
|
|
selector:
|
|
app: anubis-docs
|
|
ports:
|
|
- port: 80
|
|
targetPort: 8080
|
|
name: http
|
|
- port: 8081
|
|
targetPort: 8081
|
|
name: anubis
|