Questions regarding security context with cis hardened cluster

[nicolbla]

Hello i'm currently testing Zot ( interesting project for small air gap environment 👍 ) on a RKE2 cluster with cis profile enabled.

I'm using the zot helm chart to make my tests. The only wat to launch the pod on cis hardened cluster is to add the following parameters to the chart for the deployment :

podSecurityContext:
  seccompProfile:
    type: RuntimeDefault

securityContext:
  allowPrivilegeEscalation: false
  runAsGroup: XXXX
  runAsUser: XXXX
  capabilities:
    drop:
      - ALL
  privileged: false
  runAsNonRoot: true

The pods seems to launch correctly but i was wandering if it can have an impact on the application within the container. By default with which user is launched the zot application ? I'm not used to distroless images. Also how can we debug a running zot pod ? because i think it's not possible to launch kubec exec commands with these kind of images.

Thanks a lot

[rchincha]

project-zot/helm-charts#20
^ @nicolbla take a look at this helm chart PR.
This should allow you to kubexec into this container/pod