Harden the server pod & update the default server image (#39)

* chore(slog): use default slog handler Signed-off-by: Jian Zeng <[email protected]> * chore: update default server image Signed-off-by: Jian Zeng <[email protected]> * feat: harden the server pod Signed-off-by: Jian Zeng <[email protected]> --------- Signed-off-by: Jian Zeng <[email protected]>
knight42 · Apr 6, 2024 · cd2cd79 · cd2cd79
1 parent cad54d6
commit cd2cd79
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 6 deletions.
diff --git a/cmd/client/main.go b/cmd/client/main.go
@@ -238,10 +238,7 @@ service, ip and hostname rather than only pods.`,
 				})
 			}
 
-			h := slog.NewTextHandler(cmd.ErrOrStderr(), &slog.HandlerOptions{
-				Level: slogutil.MapVerbosityToLogLevel(o.verbosity),
-			})
-			slog.SetDefault(slog.New(h))
+			slog.SetLogLoggerLevel(slogutil.MapVerbosityToLogLevel(o.verbosity))
 			ctx, cancel := signal.NotifyContext(context.Background(), os.Interrupt)
 			defer cancel()
 			return o.Run(ctx, args)
@@ -258,9 +255,8 @@ service, ip and hostname rather than only pods.`,
 	flags.BoolVarP(&printVersion, "version", "V", false, "Print version info and exit.")
 	flags.StringVar(&o.address, "address", "127.0.0.1", "Address to listen on. Only accepts IP addresses as a value.")
 	flags.StringVarP(&o.targetsFile, "file", "f", "", "Forward to the targets specified in the given file, with one target per line.")
-	flags.StringVar(&o.serverImage, "server.image", "ghcr.io/knight42/krelay-server:v0.0.2", "The krelay-server image to use.")
+	flags.StringVar(&o.serverImage, "server.image", "ghcr.io/knight42/krelay-server:v0.0.3", "The krelay-server image to use.")
 	flags.StringVar(&o.serverNamespace, "server.namespace", metav1.NamespaceDefault, "The namespace in which krelay-server is located.")
 	flags.IntVarP(&o.verbosity, "v", "v", 3, "Number for the log level verbosity. The bigger the more verbose.")
-
 	_ = c.Execute()
 }
diff --git a/cmd/client/utils.go b/cmd/client/utils.go
@@ -46,11 +46,20 @@ func createServerPod(ctx context.Context, cs kubernetes.Interface, svrImg, names
 			},
 		},
 		Spec: corev1.PodSpec{
+			AutomountServiceAccountToken: toPtr(false),
+			EnableServiceLinks:           toPtr(false),
+			SecurityContext: &corev1.PodSecurityContext{
+				RunAsNonRoot: toPtr(true),
+			},
 			Containers: []corev1.Container{
 				{
 					Name:            constants.ServerName,
 					Image:           svrImg,
 					ImagePullPolicy: corev1.PullAlways,
+					SecurityContext: &corev1.SecurityContext{
+						ReadOnlyRootFilesystem:   toPtr(true),
+						AllowPrivilegeEscalation: toPtr(false),
+					},
 				},
 			},
 			TopologySpreadConstraints: []corev1.TopologySpreadConstraint{