
dunglas / mercure / build 25075943547
Coverage: 84% (master: 93%)

Last build branch: chore/bump-go-deps
Default branch: master
Ran: 28 Apr 2026 08:29PM UTC
Jobs: 1
Files: 23
Run time: 1min

28 Apr 2026 08:27PM UTC coverage: 83.829%. Remained the same
Build 25075943547, triggered by a push via github (committer: web-flow)

Commit message:
feat(chart): tighten secure-by-default settings (#1231)

* feat(chart): default ServiceAccount automount to false

Mercure does not call the Kubernetes API, so the projected SA token
volume is unused attack surface for every chart user. Default
`serviceAccount.automount` to `false` so the rendered ServiceAccount
gets `automountServiceAccountToken: false` and the pods no longer get
a `kube-api-access-*` volume.

Users who genuinely need the token (a custom Caddy module that reads
it, a sidecar, an init container) opt back in by setting
`serviceAccount.automount: true`.

* feat(chart): set enableServiceLinks: false on the hub Pod

By default Kubernetes injects an env var for every Service in the
namespace into every pod (`*_SERVICE_HOST`, `*_SERVICE_PORT`,
`*_PORT_<n>_TCP_*`, etc.). On a multi-tenant cluster running many hubs
in the same namespace, that gives each pod a free in-pod inventory of
its neighbours' Service names and ports.

Mercure does not read these env vars, so opt out at the pod level.

* feat(chart): default podSecurityContext seccompProfile to RuntimeDefault

`RuntimeDefault` engages the container runtime's seccomp profile, which
blocks a small set of rare/unsafe syscalls. Mercure does not use any of
them, and this is a prerequisite for the restricted PodSecurity Standard.

Set in `podSecurityContext` so the chart's default install lands a
restricted-PSS-compliant pod (combined with the SA token default).

* chore(chart): harden the helm test pod

The wget pod runs a single HTTP call against the hub Service: no
Kubernetes API access, no service-link env, no privileged execution
needed. Pin the busybox tag, drop the SA token mount, set a non-root
RuntimeDefault podSecurityContext, drop ALL container caps, and make
the rootfs read-only. Stays compatible with the restricted PodSecurity
Standard so `helm test` works on locked-down clusters.

* chore(chart): point helm test at / instead of the deprecated /healthz

The Caddyfile's `respond /... (continued)
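
The hardening items listed in the commit message above (no projected SA token, no service-link env vars, RuntimeDefault seccomp, pinned image tag, dropped capabilities, read-only rootfs) can be turned into a defender-side audit that runs over a rendered Pod spec. This is an added example, not code from the Mercure project or its Helm chart: the two Pod specs are constructed to resemble a chart's rendered output, the image tag is a placeholder, and the `audit_pod_spec` function and its finding strings are assumptions of this example. It also checks `allowPrivilegeEscalation: false`, which the restricted PodSecurity Standard requires but the message does not name explicitly.

```python
"""Audit a rendered Kubernetes Pod spec for the secure-by-default settings
described in the commit message. Added example, not part of the Mercure
chart; absent fields are treated as the Kubernetes defaults (automount and
service links both default to true), which is why "absent" is a finding."""

# Constructed sample: a Pod spec of the kind a chart renders before the change.
BEFORE = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "mercure-hub"},
    "spec": {
        "serviceAccountName": "mercure",
        "containers": [
            {"name": "hub", "image": "dunglas/mercure"},  # unpinned tag
        ],
    },
}

# Constructed sample: the same Pod with the settings the commit message lists.
AFTER = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "mercure-hub"},
    "spec": {
        "serviceAccountName": "mercure",
        "automountServiceAccountToken": False,  # no kube-api-access-* volume
        "enableServiceLinks": False,            # no *_SERVICE_HOST env vars
        "securityContext": {
            "runAsNonRoot": True,
            "seccompProfile": {"type": "RuntimeDefault"},
        },
        "containers": [
            {
                "name": "hub",
                "image": "dunglas/mercure:v0.0.0-example",  # placeholder tag
                "securityContext": {
                    "allowPrivilegeEscalation": False,
                    "readOnlyRootFilesystem": True,
                    "capabilities": {"drop": ["ALL"]},
                },
            },
        ],
    },
}


def _tag_is_pinned(image: str) -> bool:
    """True when the image reference carries a digest or an explicit tag
    other than 'latest'. Only the last path component is inspected so a
    registry port ('host:5000/img') is not mistaken for a tag."""
    last = image.rsplit("/", 1)[-1]
    if "@sha256:" in last:
        return True
    if ":" not in last:
        return False
    return last.rsplit(":", 1)[1] != "latest"


def audit_pod_spec(pod: dict) -> list[str]:
    """Return the list of findings; an empty list means every check passed.
    Each check mirrors one hardening item from the commit message."""
    spec = pod.get("spec", {})
    findings: list[str] = []

    # Pod level: projected SA token volume and service-link env injection
    if spec.get("automountServiceAccountToken") is not False:
        findings.append("automountServiceAccountToken is not false")
    if spec.get("enableServiceLinks") is not False:
        findings.append("enableServiceLinks is not false")

    psc = spec.get("securityContext", {})
    if psc.get("seccompProfile", {}).get("type") != "RuntimeDefault":
        findings.append("pod seccompProfile.type is not RuntimeDefault")
    if psc.get("runAsNonRoot") is not True:
        findings.append("pod runAsNonRoot is not true")

    # Container level: pinned tag, dropped caps, read-only rootfs, no privesc
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        csc = c.get("securityContext", {})
        if not _tag_is_pinned(c.get("image", "")):
            findings.append(f"{name}: image tag is not pinned")
        if "ALL" not in csc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: capabilities.drop does not include ALL")
        if csc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: readOnlyRootFilesystem is not true")
        if csc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation is not false")
    return findings


if __name__ == "__main__":
    for label, pod in (("before", BEFORE), ("after", AFTER)):
        print(f"{label}: {audit_pod_spec(pod) or 'no findings'}")
```

The audit is deliberately strict about absent fields: a chart that omits `automountServiceAccountToken` or `enableServiceLinks` inherits the permissive Kubernetes defaults, so only an explicit `false` clears the check. Feeding it the output of `helm template` (parsed into dicts) gives a quick regression check that a chart's default install still lands a restricted-PSS-compliant pod.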

1747 of 2084 relevant lines covered (83.83%)

51.27 hits per line

Jobs
ID  Job ID          Ran                      Files  Coverage
1   25075943547.1   28 Apr 2026 08:29PM UTC  23     83.83
GitHub Action Run

Source Files on build 25075943547: 23 files listed, 0 changed, 0 source changed, 0 coverage changed

Commit ac6a63c8 on github
Prev Build on main (#25072914818)
Next Build on main (#25077968401)

© 2026 Coveralls, Inc