Improve security context restrictions (#4242)

Azure · Sep 5, 2024 · bc949fe · bc949fe
1 parent b373ec4
commit bc949fe
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 3 deletions.
diff --git a/v2/charts/azure-service-operator/values.yaml b/v2/charts/azure-service-operator/values.yaml
@@ -189,12 +189,18 @@ revisionHistoryLimit: 10
 
 # Specify security settings for a Container
 # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
-# It is not recommended to reduce the restrictions in this list, but additional restrictions outside of the default set 
+# It is not recommended to reduce the restrictions in this list, but additional restrictions outside the default set
 # can be applied. If you believe additional securityContext configuration should be specified by default
 # please raise an issue.
 securityContext:
+  runAsUser: 65532 # nonroot user from gcr.io/distroless/static:nonroot image
+  runAsGroup: 65532 # nonroot group from gcr.io/distroless/static:nonroot image
+  runAsNonRoot: true
   allowPrivilegeEscalation: false
   readOnlyRootFilesystem: true
+  capabilities:
+    drop:
+      - ALL
 
 # Tolerations are applied to pods. Tolerations allow the scheduler to schedule pods with matching taints. Tolerations allow scheduling but don't guarantee scheduling
 # For more information, see https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration.

diff --git a/v2/config/manager/manager.yaml b/v2/config/manager/manager.yaml
@@ -25,10 +25,10 @@ spec:
     matchLabels:
       control-plane: controller-manager
   replicas: 1
+  revisionHistoryLimit: 10
   template:
     metadata:
       labels:
-        aadpodidbinding: aso-manager-binding
         control-plane: controller-manager
         app.kubernetes.io/name: azure-service-operator
         app.kubernetes.io/version: ${VERSION}
@@ -72,6 +72,12 @@ spec:
             cpu: 200m
             memory: 256Mi
         securityContext:
-          readOnlyRootFilesystem: true
+          runAsUser: 65532 # nonroot user from gcr.io/distroless/static:nonroot image
+          runAsGroup: 65532 # nonroot group from gcr.io/distroless/static:nonroot image
+          runAsNonRoot: true
           allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          capabilities:
+            drop:
+              - ALL
       terminationGracePeriodSeconds: 10