ArgoCD. If there's something that doesn't come with a Helm chart, I just wrap it into bjw-s' common chart (https://github.com/bjw-s/helm-charts/tree/main/charts) and call it a day.
WiseCookie69
joined 1 year ago
Normal background noise. You expose stuff to the public and in return you make friends with a bunch of bots.
Granted I use Kubernetes, but here you go:
- I run stuff with user namespaces, so even a root process within the container is unprivileged on the host
- I isolate namespaces via NetworkPolicies
  - Even my Nextcloud instance has no business checking upstream for updates (I have renovate for that)
- I use securityContexts to make my containers as unprivileged as possible
  - drop all capabilities
  - enforce a read-only container filesystem
  - enforce running as a specific UID/GID (many maintainers are lazy and just run their stuff as root)
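A manifest pair that applies the settings listed in that comment, added here as an example and not the commenter's own configuration; the namespace, image, UID/GID and policy name are placeholder assumptions:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: hardened-app
  namespace: apps          # placeholder namespace
spec:
  # User namespaces: root inside the container maps to an unprivileged host UID
  # (needs the cluster's UserNamespacesSupport feature enabled)
  hostUsers: false
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001       # placeholder UID
    runAsGroup: 10001      # placeholder GID
    fsGroup: 10001
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: app
      image: registry.example/app:1.0.0   # placeholder image
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop: ["ALL"]
      volumeMounts:
        - name: tmp
          mountPath: /tmp   # writable scratch space, since the root fs is read-only
  volumes:
    - name: tmp
      emptyDir: {}
---
# Default-deny NetworkPolicy for the namespace: no ingress at all, and no egress
# except DNS to kube-system, so the app cannot phone home for updates.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: apps
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - protocol: UDP
          port: 53
```

Each workload then gets its own narrow allow rules (ingress from the reverse proxy, egress to its database) layered on top of the default deny.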
I'd set up something like that, to hand out the password to a (previously prepared) Keepass database, in case something happens to me. To have everything readily available for my loved ones, to aid with cleaning up after me.