Fix local docker-compose security settings for stock images

Remove cap_drop: ALL and no-new-privileges from postgres, redis, minio,
and minio-init services. These stock images require certain capabilities
(SETUID, SETGID, CHOWN) to switch users during initialization.

Added KICS exceptions with documentation explaining these are local
development only settings - production Kubernetes uses securityContext.
Mondo Diaz
2026-01-15 15:22:59 +00:00
parent 944debc831
commit 7f7ac44c46
2 changed files with 20 additions and 16 deletions


@@ -71,10 +71,6 @@ services:
networks:
- orchard-network
restart: unless-stopped
security_opt:
- no-new-privileges:true
cap_drop:
- ALL
deploy:
resources:
limits:
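Review bot: deleting `cap_drop: - ALL` here hands the container Docker's entire default capability set, which is far more than the SETUID, SETGID and CHOWN the commit message says the image needs to switch users. Keep the `cap_drop: - ALL` lines and add only those three back explicitly, e.g. `cap_add: [SETUID, SETGID, CHOWN]`, so the service still runs with the least privilege the message itself describes.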
@@ -100,10 +96,6 @@ services:
networks:
- orchard-network
restart: unless-stopped
security_opt:
- no-new-privileges:true
cap_drop:
- ALL
deploy:
resources:
limits:
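Review bot: removing `no-new-privileges:true` is not justified by the user-switch problem in the commit message. no_new_privs only stops a process from gaining additional privileges across execve (setuid bits, file capabilities); an entrypoint that already holds CAP_SETUID and CAP_SETGID can still call setuid()/setgid() with it set. The `security_opt` block should be restored independently of whatever capability change is made.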
@@ -124,10 +116,6 @@ services:
"
networks:
- orchard-network
security_opt:
- no-new-privileges:true
cap_drop:
- ALL
deploy:
resources:
limits:
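Review bot: the hunk header (`-124,10 +116,6`) shows four lines removed and none added, so the KICS exception and its documentation mentioned in the commit message are not in this file at the point where the controls are relaxed. A short comment next to the removed settings (for example `# local dev only: stock image needs SETUID/SETGID/CHOWN; prod uses Kubernetes securityContext`) would keep the rationale beside the setting so a later reader does not reintroduce or further loosen it blindly.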
@@ -149,10 +137,6 @@ services:
networks:
- orchard-network
restart: unless-stopped
security_opt:
- no-new-privileges:true
cap_drop:
- ALL
deploy:
resources:
limits:
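Review bot: the identical four-line removal is applied to all four services, while the message attributes the need only to switching users during initialization. A one-shot init service and a long-running datastore do not need the same capabilities, so document per service which capability each actually requires and restore `cap_drop: - ALL` with a matching `cap_add` for each, rather than a blanket removal.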