WIP [v7.x] Make BRO compliant with security best practices #768

Open
wants to merge 1 commit into
base: release/v7.x
from

Conversation

jbiers
Member

@jbiers jbiers commented May 13, 2025

@jbiers jbiers requested a review from a team as a code owner May 13, 2025 00:36
@jbiers jbiers force-pushed the security-best-practices branch from 006b34a to 3d9f24a Compare May 13, 2025 00:37
@jbiers jbiers changed the title [v7.x] Make deployment.yaml compliant with security best practices WIP [v7.x] Make deployment.yaml compliant with security best practices May 13, 2025
@jbiers jbiers force-pushed the security-best-practices branch from 6584af3 to 6455b95 Compare May 15, 2025 18:37
@jbiers jbiers force-pushed the security-best-practices branch from 6455b95 to 5bae745 Compare May 15, 2025 18:38
@jbiers jbiers changed the title WIP [v7.x] Make deployment.yaml compliant with security best practices [v7.x] Make deployment.yaml compliant with security best practices May 15, 2025
@jbiers jbiers changed the title [v7.x] Make deployment.yaml compliant with security best practices [v7.x] Make BRO compliant with security best practices May 15, 2025
@jbiers jbiers changed the title [v7.x] Make BRO compliant with security best practices WIP [v7.x] Make BRO compliant with security best practices May 15, 2025
@jbiers
Member Author

jbiers commented May 15, 2025

I've opened an initial PR to make sure the BRO chart is compliant with the best practices as best as possible.

Notably, BRO creates files locally while building the backups, so setting readOnlyRootFilesystem to true breaks the application and is therefore not possible.
Also, in a specific scenario where the user chooses to store backups in a PV of type HostPath, the process actually has to be running as root as only the root user can write to PVs of this type.

For those reasons I chose to make the runAsUser setting optional, having a warning about security in the values file.

It would be good if we could get a code review from the security team on this one.
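
One way a reviewer could check a rendered pod spec against the hardening settings discussed in this PR, treating the writable root filesystem and the root-for-hostPath case as explicit, opt-in exceptions. This is an added example, not code from the PR or the chart: the function name, the `allow_*` flags and the sample spec are assumptions, and the fields checked are standard Kubernetes `securityContext` fields.

```python
import copy

def audit_pod_spec(pod_spec, allow_writable_rootfs=False, allow_root=False):
    """Return (container, issue) pairs for missing hardening settings.

    The two allow_* flags are opt-in exceptions for the cases in the comment:
    local scratch files during backup, and root for hostPath-backed storage.
    """
    findings = []
    pod_sc = pod_spec.get("securityContext") or {}
    for c in pod_spec.get("containers", []):
        sc = c.get("securityContext") or {}
        # These three fields may be set at pod level; the container value wins.
        eff = {k: sc.get(k, pod_sc.get(k))
               for k in ("runAsUser", "runAsNonRoot", "seccompProfile")}
        issues = []
        if sc.get("privileged"):
            issues.append("privileged is true")
        if sc.get("allowPrivilegeEscalation") is not False:
            issues.append("allowPrivilegeEscalation is not false")
        if "ALL" not in ((sc.get("capabilities") or {}).get("drop") or []):
            issues.append("capabilities.drop lacks ALL")
        if (eff["seccompProfile"] or {}).get("type") not in ("RuntimeDefault", "Localhost"):
            issues.append("seccompProfile is unset or Unconfined")
        if sc.get("readOnlyRootFilesystem") is not True and not allow_writable_rootfs:
            issues.append("readOnlyRootFilesystem is not true")
        if not allow_root:
            if eff["runAsUser"] == 0:
                issues.append("runAsUser is 0 (root)")
            elif eff["runAsUser"] is None and eff["runAsNonRoot"] is not True:
                issues.append("no runAsNonRoot or non-zero runAsUser")
        findings.extend((c.get("name", "<unnamed>"), i) for i in issues)
    return findings

# Constructed pod spec for illustration; not taken from the BRO chart.
SAMPLE = {
    "securityContext": {"runAsNonRoot": True,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "operator", "securityContext": {
        "allowPrivilegeEscalation": False,
        "capabilities": {"drop": ["ALL"]},
        "readOnlyRootFilesystem": False,  # backups are staged on local disk
    }}],
}

# Same spec with the container forced to UID 0 (the hostPath scenario).
SAMPLE_ROOT = copy.deepcopy(SAMPLE)
SAMPLE_ROOT["containers"][0]["securityContext"].update(runAsUser=0, runAsNonRoot=False)

if __name__ == "__main__":
    for spec in (SAMPLE, SAMPLE_ROOT):
        print(audit_pod_spec(spec))
```

Running it with both flags left at their defaults shows exactly which deviations a deployment is carrying, so each exception has to be acknowledged rather than silently inherited.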
