Fix local docker-compose security settings for stock images

Remove cap_drop: ALL and no-new-privileges from postgres, redis, minio, and minio-init services. These stock images require certain capabilities (SETUID, SETGID, CHOWN) to switch users during initialization. Added KICS exceptions with documentation explaining these are local development only settings - production Kubernetes uses securityContext.
2026-01-15 15:22:59 +00:00
parent 944debc831
commit 7f7ac44c46
2 changed files with 20 additions and 16 deletions
--- a/docker-compose.local.yml
+++ b/docker-compose.local.yml
@@ -71,10 +71,6 @@ services:
    networks:
      - orchard-network
    restart: unless-stopped
-    security_opt:
-      - no-new-privileges:true
-    cap_drop:
-      - ALL
    deploy:
      resources:
        limits:
@@ -100,10 +96,6 @@ services:
    networks:
      - orchard-network
    restart: unless-stopped
-    security_opt:
-      - no-new-privileges:true
-    cap_drop:
-      - ALL
    deploy:
      resources:
        limits:
@@ -124,10 +116,6 @@ services:
      "
    networks:
      - orchard-network
-    security_opt:
-      - no-new-privileges:true
-    cap_drop:
-      - ALL
    deploy:
      resources:
        limits:
@@ -149,10 +137,6 @@ services:
    networks:
      - orchard-network
    restart: unless-stopped
-    security_opt:
-      - no-new-privileges:true
-    cap_drop:
-      - ALL
    deploy:
      resources:
        limits:
--- a/kics.config
+++ b/kics.config
@@ -23,3 +23,23 @@ exclude-queries:
  # Reason: We intentionally don't pin curl version to get security updates.
  # This is documented with hadolint ignore comment in Dockerfile.
  - 965a08d7-ef86-4f14-8792-4a3b2098937e
+
+  # Container Capabilities Unrestricted (MEDIUM)
+  # Reason: LOCAL DEVELOPMENT ONLY. Stock postgres, redis, minio images require
+  # certain capabilities (SETUID, SETGID, CHOWN) to switch users at startup.
+  # cap_drop: ALL breaks these containers. Production Kubernetes deployments
+  # use securityContext with appropriate settings.
+  - ce76b7d0-9e77-464d-b86f-c5c48e03e22d
+
+  # No New Privileges Not Set (HIGH)
+  # Reason: LOCAL DEVELOPMENT ONLY. Stock postgres, redis, minio images need
+  # to escalate privileges during initialization (e.g., postgres switches from
+  # root to postgres user). no-new-privileges:true prevents this and causes
+  # containers to crash. Production Kubernetes deployments handle this via
+  # securityContext.
+  - 27fcc7d6-c49b-46e0-98f1-6c082a6a2750
+
+  # Security Opt Not Set (MEDIUM)
+  # Reason: LOCAL DEVELOPMENT ONLY. Related to above - security_opt is not set
+  # on database services because no-new-privileges breaks them.
+  - 610e266e-6c12-4bca-9925-1ed0cd29742b