dunglas / mercure / 25042875677 / 1
84%
master: 93%

LAST BUILD BRANCH: cluster/secure
DEFAULT BRANCH: master
Ran
Files 23
Run time 1s
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 83.886%. Remained the same
25042875677.1

push

github

web-flow 
docs(chart): document NET_BIND_SERVICE in the rootless securityContext example (#1225)

* docs(chart): document NET_BIND_SERVICE in the rootless securityContext example

The image's binary now carries cap_net_bind_service as a file capability
(#1222), so rootless deployments on port 80/443 work out of the box. But
on exec the binary's permitted set is intersected with the bounding set,
so dropping ALL capabilities silently strips the file cap unless
NET_BIND_SERVICE is re-added. Reflect that in the values.yaml example so
the snippet stays correct when copy-pasted.

* docs(chart): clarify that NNP makes file caps moot

Per Copilot review on #1225: with `allowPrivilegeEscalation: false` the
kernel sets `no_new_privs` and ignores file capabilities on `exec`, so
the binary's setcap'd `cap_net_bind_service` is not what makes the
rootless bind work under that hardening. The explicit
`add: [NET_BIND_SERVICE]` is. Reword the comment so the README cell is
self-contained and accurate.

* docs(install): add a rootless example for the Helm chart

The Compose section already documents rootless deployments. Add the
equivalent for Kubernetes, using the chart's `podSecurityContext` and
`securityContext` values, and explain why the explicit
`add: [NET_BIND_SERVICE]` is what makes the bind work under
`allowPrivilegeEscalation: false`.

* Update docs/hub/install.md

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Kévin Dunglas <kevin@dunglas.fr>

---------

Signed-off-by: Kévin Dunglas <kevin@dunglas.fr>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

1744 of 2079 relevant lines covered (83.89%)

49.76 hits per line

Source Files on job 0 - 25042875677.1