fix: Run controller as un-privileged (#5460)

argoproj · Mar 24, 2021 · 3065941 · 3065941
1 parent c8645fc
commit 3065941
Show file tree

Hide file tree

Showing 6 changed files with 18 additions and 0 deletions.
diff --git a/manifests/base/workflow-controller/workflow-controller-deployment.yaml b/manifests/base/workflow-controller/workflow-controller-deployment.yaml
@@ -16,6 +16,9 @@ spec:
         - name: workflow-controller
           image: argoproj/workflow-controller:latest
           securityContext:
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            allowPrivilegeEscalation: false
             capabilities:
               drop:
                 - ALL

diff --git a/manifests/install.yaml b/manifests/install.yaml
@@ -617,9 +617,12 @@ spec:
         - containerPort: 9090
           name: metrics
         securityContext:
+          allowPrivilegeEscalation: false
           capabilities:
             drop:
             - ALL
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
       nodeSelector:
         kubernetes.io/os: linux
       securityContext:

diff --git a/manifests/namespace-install.yaml b/manifests/namespace-install.yaml
@@ -512,9 +512,12 @@ spec:
         - containerPort: 9090
           name: metrics
         securityContext:
+          allowPrivilegeEscalation: false
           capabilities:
             drop:
             - ALL
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
       nodeSelector:
         kubernetes.io/os: linux
       securityContext:

diff --git a/manifests/quick-start-minimal.yaml b/manifests/quick-start-minimal.yaml
@@ -885,9 +885,12 @@ spec:
         - containerPort: 9090
           name: metrics
         securityContext:
+          allowPrivilegeEscalation: false
           capabilities:
             drop:
             - ALL
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
       nodeSelector:
         kubernetes.io/os: linux
       securityContext:

diff --git a/manifests/quick-start-mysql.yaml b/manifests/quick-start-mysql.yaml
@@ -974,9 +974,12 @@ spec:
         - containerPort: 9090
           name: metrics
         securityContext:
+          allowPrivilegeEscalation: false
           capabilities:
             drop:
             - ALL
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
       nodeSelector:
         kubernetes.io/os: linux
       securityContext:

diff --git a/manifests/quick-start-postgres.yaml b/manifests/quick-start-postgres.yaml
@@ -966,9 +966,12 @@ spec:
         - containerPort: 9090
           name: metrics
         securityContext:
+          allowPrivilegeEscalation: false
           capabilities:
             drop:
             - ALL
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
       nodeSelector:
         kubernetes.io/os: linux
       securityContext: