feat: use safe securityContext as default (#2938)

kedacore · Apr 28, 2022 · d08b875 · d08b875
1 parent 71a2ff9
commit d08b875
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 0 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -46,6 +46,7 @@ To learn more about our roadmap, we recommend reading [this document](ROADMAP.md
 ### Improvements
 
 - **General:** Properly handle `restoreToOriginalReplicaCount` if `ScaleTarget` is missing ([#2872](https://github.com/kedacore/keda/issues/2872))
+- **General:** Support for running in non-root ([#2933](https://github.com/kedacore/keda/issues/2933))
 - **General:** Synchronize HPA annotations from ScaledObject ([#2659](https://github.com/kedacore/keda/pull/2659))
 - **General:** Updated HTTPClient to be proxy-aware, if available, from environment variables. ([#2577](https://github.com/kedacore/keda/issues/2577))
 - **ActiveMQ Scaler:** Add CorsHeader information to ActiveMQ Scaler ([#2884](https://github.com/kedacore/keda/issues/2884))

diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
@@ -22,6 +22,11 @@ spec:
         name: keda-operator
       name: keda-operator
     spec:
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
+        runAsNonRoot: true
       serviceAccountName: keda-operator
       containers:
         - name: keda-operator
@@ -59,6 +64,12 @@ spec:
               value: ""
             - name: KEDA_HTTP_DEFAULT_TIMEOUT
               value: ""
+          securityContext:
+            capabilities:
+              drop:
+              - ALL
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
       terminationGracePeriodSeconds: 10
       nodeSelector:
         kubernetes.io/os: linux
diff --git a/config/metrics-server/deployment.yaml b/config/metrics-server/deployment.yaml
@@ -19,6 +19,11 @@ spec:
         app: keda-metrics-apiserver
       name: keda-metrics-apiserver
     spec:
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
+        runAsNonRoot: true
       serviceAccountName: keda-operator
       containers:
         - name: keda-metrics-apiserver
@@ -61,6 +66,13 @@ spec:
           volumeMounts:
           - mountPath: /tmp
             name: temp-vol
+          securityContext:
+            capabilities:
+              drop:
+              - ALL
+            allowPrivilegeEscalation: false
+            ## Metrics server needs to write the self-signed cert so it's not possible set this
+            # readOnlyRootFilesystem: true
       nodeSelector:
         kubernetes.io/os: linux
       volumes: