Add restricted-compliant security to kustomize yamls

kubernetes-sigs · Apr 17, 2024 · a4b1877 · a4b1877
1 parent ef82207
commit a4b1877
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 0 deletions.
diff --git a/config/components/manager/manager.yaml b/config/components/manager/manager.yaml
@@ -17,6 +17,8 @@ spec:
     spec:
       securityContext:
         runAsNonRoot: true
+        seccompProfile:
+          type: "RuntimeDefault"
       containers:
       - command:
         - /manager
@@ -27,6 +29,9 @@ spec:
         name: manager
         securityContext:
           allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: false
+          capabilities:
+            drop: ["ALL"]
         livenessProbe:
           httpGet:
             path: /healthz

diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml
@@ -20,3 +20,8 @@ spec:
         - containerPort: 8443
           protocol: TCP
           name: https
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: false
+          capabilities:
+            drop: ["ALL"]