From be483a64a792addbc4e62418f5004fe55ca8a266 Mon Sep 17 00:00:00 2001
From: Mark Garratt
Date: Sun, 15 Feb 2026 08:49:50 +0000
Subject: [PATCH] proton-bridge: default security context to uid/gid 1000
---
 charts/proton-bridge/Chart.yaml | 2 +-
 charts/proton-bridge/README.md | 11 ++++++++---
 charts/proton-bridge/values.yaml | 15 ++++++++++-----
 3 files changed, 19 insertions(+), 9 deletions(-)
diff --git a/charts/proton-bridge/Chart.yaml b/charts/proton-bridge/Chart.yaml
index 4933c0c..a0fa9bd 100644
--- a/charts/proton-bridge/Chart.yaml
+++ b/charts/proton-bridge/Chart.yaml
@@ -2,5 +2,5 @@ apiVersion: v2
 name: proton-bridge
 description: Proton Mail Bridge deployment for in-cluster SMTP/IMAP access
 type: application
-version: 0.1.5
+version: 0.1.6
 appVersion: "3.22.0"
diff --git a/charts/proton-bridge/README.md b/charts/proton-bridge/README.md
index ccb8ec8..b2c7379 100644
--- a/charts/proton-bridge/README.md
+++ b/charts/proton-bridge/README.md
@@ -94,7 +94,6 @@ Common overrides:
 - `bridge.host`, `bridge.smtpPort`, `bridge.imapPort`
 - `container.smtpPort`, `container.imapPort`
 - `container.enablePrivilegedPortBinding`
-- `podSecurityContext.fsGroup`
 - `containerSecurityContext`
 - `volumePermissions.enabled`
 - `existingSecret`
@@ -110,11 +109,17 @@ container:
 ## Troubleshooting Startup Permission Errors
-If the container cannot write under `/home/bridge` at startup, set a pod `fsGroup` so Kubernetes adjusts volume group ownership:
+By default, the chart runs the container as uid/gid `1000:1000` and sets pod `fsGroup: 1000`, matching the current image defaults.
+
+If you need different ownership semantics for your storage class, override the security contexts:
 ```yaml
 podSecurityContext:
- fsGroup: 1000
+ fsGroup: 1001
+
+containerSecurityContext:
+ runAsUser: 1001
+ runAsGroup: 1001
 ```
 If your storage backend still needs explicit ownership fixes, enable the permissions init container:
 
diff --git a/charts/proton-bridge/values.yaml b/charts/proton-bridge/values.yaml
index 9a84164..fe9341f 100644
--- a/charts/proton-bridge/values.yaml
+++ b/charts/proton-bridge/values.yaml
@@ -37,11 +37,16 @@ container:
 # Set true to add NET_BIND_SERVICE capability so non-root process can bind <1024 (e.g. 25/143).
 enablePrivilegedPortBinding: false
-# Pod-level security context (for example: fsGroup to allow writing mounted volumes).
-podSecurityContext: {}
-
-# Container-level security context for the main proton-bridge container.
-containerSecurityContext: {}
+# Pod-level security context defaults for the bridge image user (uid:gid 1000:1000).
+podSecurityContext:
+ fsGroup: 1000
+ fsGroupChangePolicy: OnRootMismatch
+
+# Container-level security context defaults for the bridge image user (uid:gid 1000:1000).
+containerSecurityContext:
+ runAsNonRoot: true
+ runAsUser: 1000
+ runAsGroup: 1000
 # Optional init container to force volume ownership/permissions before bridge starts.
 volumePermissions:
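Review bot: The new `containerSecurityContext` defaults in the values.yaml hunk pin identity (`runAsNonRoot`, `runAsUser`, `runAsGroup`) but stop there, so a default install still leaves `allowPrivilegeEscalation` at its permissive default, keeps the runtime's default capability set and applies no seccomp profile; now that the chart ships non-empty defaults, this block is the natural place for `allowPrivilegeEscalation: false`, `seccompProfile.type: RuntimeDefault` and `capabilities.drop: [ALL]`. The `enablePrivilegedPortBinding` comment two lines above says the template adds `NET_BIND_SERVICE` when that flag is true; the template is not in this patch, so I am inferring, but a `drop: [ALL]` default only coexists with that `add` if the template merges the `capabilities` map instead of replacing it, which is worth confirming before landing. `fsGroupChangePolicy: OnRootMismatch` on the pod context is a reasonable default, but the comment above it should note that `fsGroup`-based ownership is only applied by volume types that support it, since the `volumePermissions` init container (its stanza continues past the hunk) remains the fallback for the rest; something like `# fsGroup/fsGroupChangePolicy only apply to volume types that support ownership management; use volumePermissions otherwise.`.
```yaml
containerSecurityContext:
  # … unchanged: runAsNonRoot, runAsUser, runAsGroup …
  allowPrivilegeEscalation: false
  seccompProfile:
    type: RuntimeDefault
  capabilities:
    drop:
      - ALL
```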