mirror of
https://github.com/TecharoHQ/anubis.git
synced 2026-05-20 05:10:30 +00:00
Xe Iaso
652cef7ffe
Add a pod-level security context to the nginx container in the public docs deployment (non-root uid 101, dropped capabilities, read-only root filesystem, RuntimeDefault seccomp) and rebind it to unprivileged port 8080 so it does not need CAP_NET_BIND_SERVICE. The nginx PID and proxy temp paths move under a tmpfs-backed emptyDir so the read-only root filesystem does not break startup. Replace the mutable :main tags on both containers with immutable sha256 digests and switch imagePullPolicy to IfNotPresent so each rollout references an auditable artifact instead of whatever happens to be tagged :main when the pod starts. The docs-deploy workflow now overlays the freshly built docs digest via `kustomize edit set image` so the manifest stays accurate without a manual edit on each push to main. The docs Dockerfile pins its node and nginx-micro base images to specific versions for the same reason. Ref: AWOO-011, AWOO-012 Assisted-by: Claude Opus 4.7 via Claude Code Signed-off-by: Xe Iaso <me@xeiaso.net>