Skip to content

Commit

Permalink
drop capabilities, enable seccomp and enforce runAsNonRoot
Browse files Browse the repository at this point in the history
Further restricts the SecurityContext that the controller runs under, by enabling the default seccomp profile and dropping all linux capabilities.
This was set at container-level to ensure backwards compatibility with use cases in which sidecars are injected into the source-controller pod
without setting less restrictive settings.
Add a uid and gid for the container to enforce runAsNonRoot and ensure
the use of non root users.

BREAKING CHANGES:
1) The use of new seccomp API requires Kubernetes 1.19.
2) the controller container is now executed under 65534:65534 (userid:groupid).
   This change may break deployments that hard-coded the user name 'controller' in their PodSecurityPolicy.

Signed-off-by: Sanskar Jaiswal<sanskar.jaiswal@weave.works>
Co-authored-by: Paulo Gomes <paulo.gomes@weave.works>
  • Loading branch information
Sanskar Jaiswal and Paulo Gomes committed Jan 19, 2022
1 parent c626836 commit cd07c14
Show file tree
Hide file tree
Showing 2 changed files with 7 additions and 3 deletions.
4 changes: 1 addition & 3 deletions Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -43,9 +43,7 @@ COPY --from=builder /workspace/kustomize-controller /usr/local/bin/
# https://github.com/gliderlabs/docker-alpine/issues/367#issuecomment-354316460
RUN [ ! -e /etc/nsswitch.conf ] && echo 'hosts: files dns' > /etc/nsswitch.conf

RUN addgroup -S controller && adduser -S controller -G controller

USER controller
USER 65534:65534

ENV GNUPGHOME=/tmp

Expand Down
6 changes: 6 additions & 0 deletions config/manager/deployment.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,12 @@ spec:
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsNonRoot: true
capabilities:
drop: [ "ALL" ]
seccompProfile:
type: RuntimeDefault

ports:
- containerPort: 8080
name: http-prom
Expand Down

0 comments on commit cd07c14

Please sign in to comment.