
feat(openshift): enforce container security contexts in deployment templates#2749

Merged
DerekRoberts merged 3 commits into main from feat/openshift-security-context on Jun 11, 2026

Conversation


@DerekRoberts DerekRoberts commented Jun 8, 2026

Member

Enforces strict container-level security contexts (readOnlyRootFilesystem, runAsNonRoot, allowPrivilegeEscalation=false, capabilities drop) in the deployment templates for backend and frontend. Also adds memory-backed emptyDir volume mounts for Caddy and Node/NestJS to write temporary configuration and log data.


Thanks for the PR!

Deployments, as required, will be available below:

Please create PRs in draft mode. Mark as ready to enable:

After merge, new images are deployed in:

Copilot AI review requested due to automatic review settings June 8, 2026 18:29
@DerekRoberts DerekRoberts self-assigned this Jun 8, 2026

Copilot AI left a comment

Contributor


Pull request overview

This PR tightens the OpenShift deployment templates by enforcing stricter container-level securityContext settings (non-root, read-only root filesystem, no privilege escalation, drop all capabilities) and by adding emptyDir-backed writable mount points for runtime data paths (e.g., /tmp, Caddy data/config paths).

Changes:

  • Add strict securityContext settings to frontend and backend containers (including initContainers).
  • Add emptyDir volumes + mounts for Caddy (/data, /config, /tmp) and backend containers (/tmp).

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

| File | Description |
|---|---|
| frontend/openshift.deploy.yml | Adds container securityContext hardening and emptyDir volume mounts for Caddy runtime write paths. |
| backend/openshift.deploy.yml | Adds container/initContainer securityContext hardening and an emptyDir volume mount for /tmp. |
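An added example, not code from this PR or the project: a small Python policy check that audits a Deployment pod template spec for the hardening the description and the review above both call for (runAsNonRoot, readOnlyRootFilesystem, allowPrivilegeEscalation=false, capabilities drop ALL, applied to initContainers too), and that flags a read-only root filesystem with no writable emptyDir scratch mount, which is what the /tmp, /data and /config mounts exist to prevent. The function names, the `caddy-*` volume names and the two constructed pod specs are assumptions.

```python
# Hardening keys this PR enforces on every container and initContainer.
REQUIRED = {"runAsNonRoot": True, "readOnlyRootFilesystem": True,
            "allowPrivilegeEscalation": False}

def audit_container(container, volumes):
    """Return findings (empty list when compliant) for one container."""
    name = container.get("name", "<unnamed>")
    sc = container.get("securityContext") or {}
    findings = [f"{name}: securityContext.{k} must be {v}"
                for k, v in REQUIRED.items() if sc.get(k) is not v]
    if "ALL" not in ((sc.get("capabilities") or {}).get("drop") or []):
        findings.append(f"{name}: securityContext.capabilities.drop must include ALL")
    declared = {v["name"] for v in volumes}
    writable = []
    for m in container.get("volumeMounts") or []:
        if m["name"] not in declared:
            findings.append(f"{name}: mount {m['mountPath']} uses undeclared volume {m['name']}")
        elif not m.get("readOnly"):
            writable.append(m["mountPath"])
    # A read-only root filesystem still needs a writable scratch path (this PR
    # adds emptyDir mounts on /tmp, plus /data and /config for Caddy); without
    # one the process fails at runtime rather than being hardened.
    if sc.get("readOnlyRootFilesystem") is True and not writable:
        findings.append(f"{name}: readOnlyRootFilesystem set but no writable volumeMount")
    return findings

def audit_pod_spec(spec):
    """Audit containers and initContainers of a pod template spec."""
    volumes = spec.get("volumes") or []
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    return [f for c in containers for f in audit_container(c, volumes)]

def emptydir_mounts(prefix, paths):
    """Memory-backed emptyDir volume + mount pairs for each writable path (assumed naming)."""
    mounts = [{"name": f"{prefix}-{p.strip('/')}", "mountPath": p} for p in paths]
    vols = [{"name": m["name"], "emptyDir": {"medium": "Memory"}} for m in mounts]
    return mounts, vols

# Constructed "before": a Caddy container with no hardening at all.
WEAK_SPEC = {"containers": [{"name": "caddy", "image": "caddy:2"}]}

# Constructed "after": the shape the PR description calls for.
_mounts, _vols = emptydir_mounts("caddy", ("/data", "/config", "/tmp"))
HARDENED_SPEC = {
    "containers": [{"name": "caddy", "image": "caddy:2", "volumeMounts": _mounts,
                    "securityContext": {**REQUIRED, "capabilities": {"drop": ["ALL"]}}}],
    "volumes": _vols,
}
```

Run it against the dict produced by loading a rendered template (e.g. `spec.template.spec` of the Deployment) to get the same checks in CI.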


@DerekRoberts DerekRoberts moved this from New to Active in DevOps (NR) Jun 8, 2026
@DerekRoberts DerekRoberts force-pushed the feat/openshift-security-context branch from 67671a6 to 617d2f8 Compare June 11, 2026 03:26
@DerekRoberts DerekRoberts merged commit a230bec into main Jun 11, 2026
28 checks passed
@DerekRoberts DerekRoberts deleted the feat/openshift-security-context branch June 11, 2026 03:53
@github-project-automation github-project-automation Bot moved this from Active to Done in DevOps (NR) Jun 11, 2026

Successfully merging this pull request may close these issues.

  • docs: Add OWASP ASVS mapping documentation
  • chore: oc improvements
