feat(mlflow): add security hardening defaults and NetworkPolicy by kriscoleman · Pull Request #179 · replicatedhq/platform-examples

kriscoleman · 2026-05-25T17:48:45Z

Summary

Adds security context defaults and NetworkPolicy template for vendors in regulated industries (SOC 2, HIPAA). Resolves #169.

podSecurityContext: runAsNonRoot: true, runAsUser/runAsGroup: 1000, fsGroup: 1000, seccompProfile: RuntimeDefault
containerSecurityContext: readOnlyRootFilesystem: true, allowPrivilegeEscalation: false, capabilities.drop: [ALL]
deployment.yaml: Added writable /tmp emptyDir volume to prevent readOnlyRootFilesystem from blocking MLflow runtime (fixes feat(mlflow): add security hardening defaults and NetworkPolicy (pe-x1q) #175 regression — init containers are unaffected as containerSecurityContext only applies to the main container)
networkpolicy.yaml: New template (disabled by default) with:
- Default deny all ingress/egress
- Allow same-namespace traffic
- Allow ingress-nginx → mlflow on port 5000
- Allow mlflow → postgres on port 5432
- Allow mlflow → minio on port 9000
- Allow DNS resolution (UDP/TCP 53)

helm lint passes
helm template --set networkPolicy.enabled=true renders NetworkPolicy correctly
Deploy with default values — pods start successfully (not stuck in PodInitializing)
Deploy with networkPolicy.enabled=true — mlflow can reach postgres and minio
Verify init containers (pip install, wait-for-postgresql) work with pod security context

feat(mlflow): add security hardening defaults and NetworkPolicy (pe-x1q)

3d36a67

kriscoleman merged commit 3fb7e59 into feat/mlflow-enterprise-patterns May 25, 2026
4 of 7 checks passed

kriscoleman deleted the polecat/obsidian/pe-x1q@mplhv6hl branch May 25, 2026 18:05