
Commit e5942be

authored
Merge pull request #99 from jawnsy/harden-security-context
Improve default security context settings
2 parents 1842863 + 9d4a5f0 commit e5942be

1 file changed

Lines changed: 22 additions & 0 deletions


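--- a/deploy/autoneg.yaml
+++ b/deploy/autoneg.yaml
@@ -236,7 +236,16 @@ spec:
 name: https
 securityContext:
 allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
 privileged: false
+readOnlyRootFilesystem: true
+runAsUser: 65532
+runAsGroup: 65532
+runAsNonRoot: true
+seccompProfile:
+type: RuntimeDefault
 - args:
 - --health-probe-bind-address=:8081
 - --metrics-bind-address=127.0.0.1:8080
@@ -267,9 +276,22 @@ spec:
 memory: 20Mi
 securityContext:
 allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
 privileged: false
+readOnlyRootFilesystem: true
+runAsUser: 65532
+runAsGroup: 65532
+runAsNonRoot: true
+seccompProfile:
+type: RuntimeDefault
 securityContext:
+runAsUser: 65532
+runAsGroup: 65532
 runAsNonRoot: true
+seccompProfile:
+type: RuntimeDefault
 nodeSelector:
 iam.gke.io/gke-metadata-server-enabled: "true"
 serviceAccountName: autoneg-controller-manager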
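Review bot: `readOnlyRootFilesystem: true` is added to both containers (new lines 243 and 283) without any accompanying `volumeMounts`, so if either process writes to its filesystem at runtime (temp files, a cache directory, a webhook certificate path) it will now fail at startup or on first write; the hunks show only `args` and `resources`, so whether such writes exist cannot be confirmed from here and should be checked against the container images before merging. If a writable path is needed, an `emptyDir` volume mounted at that path keeps the root filesystem read-only while still allowing the write. The choice of `65532` for `runAsUser`/`runAsGroup` is presumably the distroless `nonroot` uid/gid, and a short comment on the pod-level securityContext (new line 290) such as `# 65532 is the distroless "nonroot" user; must match the image's USER` would save the next maintainer from guessing. Note also that this rendered page has lost the YAML indentation, so the nesting of `capabilities:`/`drop:` under each `securityContext:` cannot be verified from the page itself; the enclosing `spec:` of both hunks starts outside them.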
