From 306594164ab46d31ee1e7b0d7d773a857b52bdde Mon Sep 17 00:00:00 2001 From: Shoubhik Bose Date: Tue, 23 Mar 2021 22:02:58 -0400 Subject: [PATCH] fix: Run controller as un-privileged (#5460) --- .../workflow-controller/workflow-controller-deployment.yaml | 3 +++ manifests/install.yaml | 3 +++ manifests/namespace-install.yaml | 3 +++ manifests/quick-start-minimal.yaml | 3 +++ manifests/quick-start-mysql.yaml | 3 +++ manifests/quick-start-postgres.yaml | 3 +++ 6 files changed, 18 insertions(+) diff --git a/manifests/base/workflow-controller/workflow-controller-deployment.yaml b/manifests/base/workflow-controller/workflow-controller-deployment.yaml index 0d99d7bcc0c3..7b45ae40ca3c 100644 --- a/manifests/base/workflow-controller/workflow-controller-deployment.yaml +++ b/manifests/base/workflow-controller/workflow-controller-deployment.yaml @@ -16,6 +16,9 @@ spec: - name: workflow-controller image: argoproj/workflow-controller:latest securityContext: + readOnlyRootFilesystem: true + runAsNonRoot: true + allowPrivilegeEscalation: false capabilities: drop: - ALL diff --git a/manifests/install.yaml b/manifests/install.yaml index 1665d8b69533..c2ba54e1a622 100644 --- a/manifests/install.yaml +++ b/manifests/install.yaml @@ -617,9 +617,12 @@ spec: - containerPort: 9090 name: metrics securityContext: + allowPrivilegeEscalation: false capabilities: drop: - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true nodeSelector: kubernetes.io/os: linux securityContext: diff --git a/manifests/namespace-install.yaml b/manifests/namespace-install.yaml index dab06e1e6678..2762c5982c4d 100644 --- a/manifests/namespace-install.yaml +++ b/manifests/namespace-install.yaml @@ -512,9 +512,12 @@ spec: - containerPort: 9090 name: metrics securityContext: + allowPrivilegeEscalation: false capabilities: drop: - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true nodeSelector: kubernetes.io/os: linux securityContext: 
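Review bot: The added `runAsNonRoot: true` under the container securityContext comes without a `runAsUser`, so whether the pod is admitted depends on the argoproj/workflow-controller image declaring a numeric non-root USER; if the image runs as root or names its user symbolically, the kubelet refuses to start the container at runtime instead of the manifest stating the identity itself. Pinning it on the container, `runAsUser: <NONROOT_UID>` (placeholder — take the UID from the image's Dockerfile), removes that dependency and makes the hardening self-describing. `readOnlyRootFilesystem: true` likewise assumes the controller never writes to its own filesystem (e.g. a scratch directory); if it does, an emptyDir volume mounted at that path is needed, which is worth confirming before release. The same three keys land in the generated install.yaml, namespace-install.yaml and the three quick-start manifests, so the base deployment is the only place to fix before regenerating; the containers list this hunk sits in continues outside the hunk.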
diff --git a/manifests/quick-start-minimal.yaml b/manifests/quick-start-minimal.yaml index 21a6a65ae031..884c5a49476d 100644 --- a/manifests/quick-start-minimal.yaml +++ b/manifests/quick-start-minimal.yaml @@ -885,9 +885,12 @@ spec: - containerPort: 9090 name: metrics securityContext: + allowPrivilegeEscalation: false capabilities: drop: - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true nodeSelector: kubernetes.io/os: linux securityContext: diff --git a/manifests/quick-start-mysql.yaml b/manifests/quick-start-mysql.yaml index 2256992c4a5a..0e97eb7b7509 100644 --- a/manifests/quick-start-mysql.yaml +++ b/manifests/quick-start-mysql.yaml @@ -974,9 +974,12 @@ spec: - containerPort: 9090 name: metrics securityContext: + allowPrivilegeEscalation: false capabilities: drop: - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true nodeSelector: kubernetes.io/os: linux securityContext: diff --git a/manifests/quick-start-postgres.yaml b/manifests/quick-start-postgres.yaml index b48506863cb8..fdbb4e409f0a 100644 --- a/manifests/quick-start-postgres.yaml +++ b/manifests/quick-start-postgres.yaml @@ -966,9 +966,12 @@ spec: - containerPort: 9090 name: metrics securityContext: + allowPrivilegeEscalation: false capabilities: drop: - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true nodeSelector: kubernetes.io/os: linux securityContext: