Context
charts/bindery/templates/deployment.yaml already sets a hardened securityContext (runAsNonRoot, readOnlyRootFilesystem, dropped capabilities, seccomp RuntimeDefault — all good). But there's no enforcement at the namespace boundary. Surfaced during a code-quality audit (2026-05-09).
Problem
A future operator (or a malicious chart override) could relax the pod's securityContext and the cluster would silently admit it. Pod Security Standards (PSS) labels on the namespace, enforced by the built-in Pod Security Admission controller, reject any pod that falls below the chosen profile regardless of what the pod template asks for.
Suggested approach
This isn't a chart change — the label belongs on the namespace the user installs into, which lives in their own infra. Document the recommended setting in the chart README:
# Suggested namespace labels (apply to your bindery namespace):
apiVersion: v1
kind: Namespace
metadata:
  name: bindery   # the namespace you install the chart into
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
Mention restricted vs baseline tradeoffs (bindery already complies with restricted based on the current securityContext, but verify against the full restricted check list before stating that in the README: restricted also requires allowPrivilegeEscalation: false and capabilities.drop: [ALL], not just some dropped capabilities). Two caveats worth a sentence each: enforce-version: latest tracks the cluster's current policy version, so the policy can tighten after a control-plane upgrade (pinning a specific version is more predictable), and the pod-security.kubernetes.io/warn and pod-security.kubernetes.io/audit labels let users trial restricted on an existing namespace before switching on enforce.
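To make the "bindery already complies with restricted" claim checkable offline, here is an added example (not part of the bindery chart or of Kubernetes) that evaluates a pod spec against the restricted profile's main checks, the way Pod Security Admission would when the namespace carries the enforce label. The two pod specs are constructed for illustration and are not copied from charts/bindery/templates/deployment.yaml; the image name and UID are placeholders. It covers the container-level checks and the volume allowlist, not every rule PSA implements.

```python
"""Offline check of a pod spec against (a subset of) the Pod Security Standards
'restricted' profile, mirroring what Pod Security Admission enforces when the
namespace carries pod-security.kubernetes.io/enforce=restricted.

Added example; not part of the bindery chart. The pod specs below are
constructed to illustrate the checks, not copied from the chart template.
"""
from typing import Any

# Volume types the restricted profile allows; anything else (hostPath included) fails.
ALLOWED_VOLUME_TYPES = {
    "configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
    "persistentVolumeClaim", "projected", "secret",
}


def _containers(spec: dict[str, Any]) -> list[dict[str, Any]]:
    # PSA evaluates regular, init and ephemeral containers alike.
    return (spec.get("containers", []) + spec.get("initContainers", [])
            + spec.get("ephemeralContainers", []))


def restricted_violations(spec: dict[str, Any]) -> list[str]:
    """Return human-readable violations; an empty list means the pod is admitted."""
    v: list[str] = []
    pod_sc = spec.get("securityContext") or {}

    # Baseline-level checks that restricted inherits.
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field):
            v.append(f"{field} must not be true")
    for vol in spec.get("volumes") or []:
        bad = (set(vol) - {"name"}) - ALLOWED_VOLUME_TYPES
        if bad:
            v.append(f"volume {vol.get('name')!r} uses forbidden type(s) {sorted(bad)}")

    for c in _containers(spec):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}

        if sc.get("privileged"):
            v.append(f"{name}: privileged must not be true")
        # Must be *explicitly* false; an unset field fails restricted.
        if sc.get("allowPrivilegeEscalation") is not False:
            v.append(f"{name}: allowPrivilegeEscalation must be set to false")

        caps = sc.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []):
            v.append(f"{name}: capabilities.drop must include ALL")
        extra = set(caps.get("add") or []) - {"NET_BIND_SERVICE"}
        if extra:
            v.append(f"{name}: capabilities.add may only contain NET_BIND_SERVICE, got {sorted(extra)}")

        # Container-level settings override pod-level ones; one of them must pass.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            v.append(f"{name}: runAsNonRoot must be true (pod- or container-level)")
        if sc.get("runAsUser", pod_sc.get("runAsUser")) == 0:
            v.append(f"{name}: runAsUser must not be 0")
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            v.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
        # Note: readOnlyRootFilesystem is good hygiene but is not a PSS check.
    return v


# Constructed spec in the spirit of the hardened chart defaults the issue describes.
HARDENED_SPEC = {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{
        "name": "bindery",
        "image": "example.invalid/bindery:constructed",  # placeholder image
        "securityContext": {"allowPrivilegeEscalation": False,
                            "readOnlyRootFilesystem": True,
                            "capabilities": {"drop": ["ALL"]}},
    }],
    "volumes": [{"name": "tmp", "emptyDir": {}}],
}

# The same workload after a careless values override: root, extra caps, hostPath.
RELAXED_SPEC = {
    "containers": [{
        "name": "bindery",
        "image": "example.invalid/bindery:constructed",
        "securityContext": {"runAsUser": 0, "capabilities": {"add": ["SYS_ADMIN"]}},
    }],
    "volumes": [{"name": "host", "hostPath": {"path": "/var/run"}}],
}

if __name__ == "__main__":
    for label, spec in (("hardened", HARDENED_SPEC), ("relaxed", RELAXED_SPEC)):
        problems = restricted_violations(spec)
        print(f"{label}: {'admitted' if not problems else 'REJECTED'}")
        for p in problems:
            print("  -", p)
```

Running it admits the hardened spec and rejects the relaxed one with seven findings (hostPath volume, missing allowPrivilegeEscalation: false, missing drop ALL, SYS_ADMIN added, no runAsNonRoot, runAsUser 0, no seccomp profile), which is the same outcome a namespace labelled enforce=restricted would produce for a pod created from that template.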
Why deferred
Repo-side fix is documentation only. Creating the namespace from the chart is out of scope (charts shouldn't create their own namespace). Doc-only PR welcome.