Skip to content

Commit

Permalink
:sparkling: adding comment one the scaffolds to warn users about the …
Browse files Browse the repository at this point in the history 
…seccomp spec field usage
  • Loading branch information
Camila Macedo committed Jun 13, 2022
1 parent eea565c commit 4cfdd7f
Show file tree
Hide file tree
Showing 16 changed files with 120 additions and 64 deletions.
7 changes: 4 additions & 3 deletions ...mon/kustomize/v1/scaffolds/internal/templates/config/kdefault/manager_auth_proxy_patch.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -57,9 +57,10 @@ spec:
- name: kube-rbac-proxy
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
# TODO(user): uncomment for common cases that do not require escalating privileges
# capabilities:
# drop:
# - "ALL"
image: gcr.io/kubebuilder/kube-rbac-proxy:v0.11.0
args:
- "--secure-listen-address=0.0.0.0:8443"
Expand Down
16 changes: 11 additions & 5 deletions pkg/plugins/common/kustomize/v1/scaffolds/internal/templates/config/manager/config.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -72,8 +72,13 @@ spec:
spec:
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
# TODO(user): For common cases that do not require escalating privileges
# it is recommended to ensure that all your Pods/Containers are restrictive.
# More info: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
# Please uncomment the following code if your project does NOT have to work on old Kubernetes
# versions < 1.19 or on vendors versions which do NOT support this field by default (i.e. Openshift < 4.11 ).
# seccompProfile:
# type: RuntimeDefault
containers:
- command:
- /manager
Expand All @@ -85,9 +90,10 @@ spec:
name: manager
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
# TODO(user): uncomment for common cases that do not require escalating privileges
# capabilities:
# drop:
# - "ALL"
livenessProbe:
httpGet:
path: /healthz
Expand Down
7 changes: 4 additions & 3 deletions ...mon/kustomize/v2/scaffolds/internal/templates/config/kdefault/manager_auth_proxy_patch.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -57,9 +57,10 @@ spec:
- name: kube-rbac-proxy
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
# TODO(user): uncomment for common cases that do not require escalating privileges
# capabilities:
# drop:
# - "ALL"
image: gcr.io/kubebuilder/kube-rbac-proxy:v0.11.0
args:
- "--secure-listen-address=0.0.0.0:8443"
Expand Down
16 changes: 11 additions & 5 deletions pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/manager/config.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -72,8 +72,13 @@ spec:
spec:
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
# TODO(user): For common cases that do not require escalating privileges
# it is recommended to ensure that all your Pods/Containers are restrictive.
# More info: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
# Please uncomment the following code if your project does NOT have to work on old Kubernetes
# versions < 1.19 or on vendors versions which do NOT support this field by default (i.e. Openshift < 4.11 ).
# seccompProfile:
# type: RuntimeDefault
containers:
- command:
- /manager
Expand All @@ -85,9 +90,10 @@ spec:
name: manager
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
# TODO(user): uncomment for common cases that do not require escalating privileges
# capabilities:
# drop:
# - "ALL"
livenessProbe:
httpGet:
path: /healthz
Expand Down
7 changes: 4 additions & 3 deletions testdata/project-v3-addon/config/default/manager_auth_proxy_patch.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -12,9 +12,10 @@ spec:
- name: kube-rbac-proxy
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
# TODO(user): uncomment for common cases that do not require escalating privileges
# capabilities:
# drop:
# - "ALL"
image: gcr.io/kubebuilder/kube-rbac-proxy:v0.11.0
args:
- "--secure-listen-address=0.0.0.0:8443"
Expand Down
16 changes: 11 additions & 5 deletions testdata/project-v3-addon/config/manager/manager.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -26,8 +26,13 @@ spec:
spec:
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
# TODO(user): For common cases that do not require escalating privileges
# it is recommended to ensure that all your Pods/Containers are restrictive.
# More info: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
# Please uncomment the following code if your project does NOT have to work on old Kubernetes
# versions < 1.19 or on vendors versions which do NOT support this field by default (i.e. Openshift < 4.11 ).
# seccompProfile:
# type: RuntimeDefault
containers:
- command:
- /manager
Expand All @@ -37,9 +42,10 @@ spec:
name: manager
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
# TODO(user): uncomment for common cases that do not require escalating privileges
# capabilities:
# drop:
# - "ALL"
livenessProbe:
httpGet:
path: /healthz
Expand Down
7 changes: 4 additions & 3 deletions testdata/project-v3-config/config/default/manager_auth_proxy_patch.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -12,9 +12,10 @@ spec:
- name: kube-rbac-proxy
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
# TODO(user): uncomment for common cases that do not require escalating privileges
# capabilities:
# drop:
# - "ALL"
image: gcr.io/kubebuilder/kube-rbac-proxy:v0.11.0
args:
- "--secure-listen-address=0.0.0.0:8443"
Expand Down
16 changes: 11 additions & 5 deletions testdata/project-v3-config/config/manager/manager.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -26,18 +26,24 @@ spec:
spec:
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
# TODO(user): For common cases that do not require escalating privileges
# it is recommended to ensure that all your Pods/Containers are restrictive.
# More info: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
# Please uncomment the following code if your project does NOT have to work on old Kubernetes
# versions < 1.19 or on vendors versions which do NOT support this field by default (i.e. Openshift < 4.11 ).
# seccompProfile:
# type: RuntimeDefault
containers:
- command:
- /manager
image: controller:latest
name: manager
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
# TODO(user): uncomment for common cases that do not require escalating privileges
# capabilities:
# drop:
# - "ALL"
livenessProbe:
httpGet:
path: /healthz
Expand Down
7 changes: 4 additions & 3 deletions testdata/project-v3-multigroup/config/default/manager_auth_proxy_patch.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -12,9 +12,10 @@ spec:
- name: kube-rbac-proxy
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
# TODO(user): uncomment for common cases that do not require escalating privileges
# capabilities:
# drop:
# - "ALL"
image: gcr.io/kubebuilder/kube-rbac-proxy:v0.11.0
args:
- "--secure-listen-address=0.0.0.0:8443"
Expand Down
16 changes: 11 additions & 5 deletions testdata/project-v3-multigroup/config/manager/manager.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -26,8 +26,13 @@ spec:
spec:
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
# TODO(user): For common cases that do not require escalating privileges
# it is recommended to ensure that all your Pods/Containers are restrictive.
# More info: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
# Please uncomment the following code if your project does NOT have to work on old Kubernetes
# versions < 1.19 or on vendors versions which do NOT support this field by default (i.e. Openshift < 4.11 ).
# seccompProfile:
# type: RuntimeDefault
containers:
- command:
- /manager
Expand All @@ -37,9 +42,10 @@ spec:
name: manager
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
# TODO(user): uncomment for common cases that do not require escalating privileges
# capabilities:
# drop:
# - "ALL"
livenessProbe:
httpGet:
path: /healthz
Expand Down
7 changes: 4 additions & 3 deletions testdata/project-v3-v1beta1/config/default/manager_auth_proxy_patch.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -12,9 +12,10 @@ spec:
- name: kube-rbac-proxy
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
# TODO(user): uncomment for common cases that do not require escalating privileges
# capabilities:
# drop:
# - "ALL"
image: gcr.io/kubebuilder/kube-rbac-proxy:v0.11.0
args:
- "--secure-listen-address=0.0.0.0:8443"
Expand Down
16 changes: 11 additions & 5 deletions testdata/project-v3-v1beta1/config/manager/manager.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -26,8 +26,13 @@ spec:
spec:
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
# TODO(user): For common cases that do not require escalating privileges
# it is recommended to ensure that all your Pods/Containers are restrictive.
# More info: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
# Please uncomment the following code if your project does NOT have to work on old Kubernetes
# versions < 1.19 or on vendors versions which do NOT support this field by default (i.e. Openshift < 4.11 ).
# seccompProfile:
# type: RuntimeDefault
containers:
- command:
- /manager
Expand All @@ -37,9 +42,10 @@ spec:
name: manager
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
# TODO(user): uncomment for common cases that do not require escalating privileges
# capabilities:
# drop:
# - "ALL"
livenessProbe:
httpGet:
path: /healthz
Expand Down
7 changes: 4 additions & 3 deletions testdata/project-v3-with-kustomize-v2/config/default/manager_auth_proxy_patch.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -12,9 +12,10 @@ spec:
- name: kube-rbac-proxy
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
# TODO(user): uncomment for common cases that do not require escalating privileges
# capabilities:
# drop:
# - "ALL"
image: gcr.io/kubebuilder/kube-rbac-proxy:v0.11.0
args:
- "--secure-listen-address=0.0.0.0:8443"
Expand Down
16 changes: 11 additions & 5 deletions testdata/project-v3-with-kustomize-v2/config/manager/manager.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -26,8 +26,13 @@ spec:
spec:
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
# TODO(user): For common cases that do not require escalating privileges
# it is recommended to ensure that all your Pods/Containers are restrictive.
# More info: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
# Please uncomment the following code if your project does NOT have to work on old Kubernetes
# versions < 1.19 or on vendors versions which do NOT support this field by default (i.e. Openshift < 4.11 ).
# seccompProfile:
# type: RuntimeDefault
containers:
- command:
- /manager
Expand All @@ -37,9 +42,10 @@ spec:
name: manager
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
# TODO(user): uncomment for common cases that do not require escalating privileges
# capabilities:
# drop:
# - "ALL"
livenessProbe:
httpGet:
path: /healthz
Expand Down
7 changes: 4 additions & 3 deletions testdata/project-v3/config/default/manager_auth_proxy_patch.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -12,9 +12,10 @@ spec:
- name: kube-rbac-proxy
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
# TODO(user): uncomment for common cases that do not require escalating privileges
# capabilities:
# drop:
# - "ALL"
image: gcr.io/kubebuilder/kube-rbac-proxy:v0.11.0
args:
- "--secure-listen-address=0.0.0.0:8443"
Expand Down
16 changes: 11 additions & 5 deletions testdata/project-v3/config/manager/manager.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -26,8 +26,13 @@ spec:
spec:
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
# TODO(user): For common cases that do not require escalating privileges
# it is recommended to ensure that all your Pods/Containers are restrictive.
# More info: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
# Please uncomment the following code if your project does NOT have to work on old Kubernetes
# versions < 1.19 or on vendors versions which do NOT support this field by default (i.e. Openshift < 4.11 ).
# seccompProfile:
# type: RuntimeDefault
containers:
- command:
- /manager
Expand All @@ -37,9 +42,10 @@ spec:
name: manager
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
# TODO(user): uncomment for common cases that do not require escalating privileges
# capabilities:
# drop:
# - "ALL"
livenessProbe:
httpGet:
path: /healthz
Expand Down

0 comments on commit 4cfdd7f

Please sign in to comment.