feat: add securityContext defaults to deployment manifest
This commit makes the deployment manifest comply with the "restricted"
PodSecurity Standard profile. Doing so allows capacitor to be deployed
to clusters enforcing this profile on the flux-system namespace without
the need for customization of the supplied manifests in this repository.
tjespers committed Jul 5, 2024
1 parent d8c8bc9 commit 434a38b
Showing 2 changed files with 25 additions and 3 deletions.
12 changes: 12 additions & 0 deletions deploy/helm/onechart-helm-values.yaml
@@ -8,3 +8,15 @@ probe:
resources:
ignoreLimits: true
serviceAccount: capacitor

securityContext:
runAsNonRoot: true
runAsUser: 100
runAsGroup: 101
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
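Review bot: the block added here covers everything the restricted PodSecurity profile checks at container level (allowPrivilegeEscalation: false, capabilities drop ALL, runAsNonRoot: true, seccompProfile RuntimeDefault), but `readOnlyRootFilesystem: true` goes beyond that profile and only works if the capacitor process never writes to its own container filesystem at runtime (temp files, caches, generated config); if it does, an emptyDir volume mounted at that path should be added next to this block, otherwise the pod will start and then fail on the first write. Also confirm that `runAsUser: 100` / `runAsGroup: 101` match the USER the image is built with, so files baked into the image are readable by the identity the container actually runs as.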
16 changes: 13 additions & 3 deletions deploy/k8s/manifest.yaml
@@ -6,7 +6,7 @@ metadata:
name: capacitor
namespace: flux-system
labels:
helm.sh/chart: onechart-0.63.0
helm.sh/chart: onechart-0.69.0
app.kubernetes.io/name: onechart
app.kubernetes.io/instance: capacitor
app.kubernetes.io/managed-by: Helm
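Review bot: the `helm.sh/chart` label bump from onechart-0.63.0 to onechart-0.69.0 in this hunk (and the identical one that follows) is not mentioned in the commit message, which only describes securityContext defaults; either state in the message that manifest.yaml was re-rendered with onechart 0.69.0, or split the chart upgrade into its own commit so the security change can be reviewed on its own and the label change is not mistaken for a stray edit.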
@@ -28,7 +28,7 @@ metadata:
name: capacitor
namespace: flux-system
labels:
helm.sh/chart: onechart-0.63.0
helm.sh/chart: onechart-0.69.0
app.kubernetes.io/name: onechart
app.kubernetes.io/instance: capacitor
app.kubernetes.io/managed-by: Helm
@@ -70,7 +70,17 @@ spec:
requests:
cpu: 200m
memory: 200Mi
securityContext: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 101
runAsNonRoot: true
runAsUser: 100
seccompProfile:
type: RuntimeDefault
initContainers: null
securityContext:
fsGroup: 999
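Review bot: the unchanged trailing context shows the pod-level securityContext still carries only `fsGroup: 999`, while the container-level block added in this hunk runs the process with `runAsGroup: 101`. That combination works (fsGroup is applied as a supplemental group), but mounted volume contents will be group-owned by 999 rather than by the runtime group, so either confirm that is intended or set fsGroup to 101, and do it in the chart values rather than here so the rendered manifest stays in sync with deploy/helm/onechart-helm-values.yaml. Note also that `runAsNonRoot` and `seccompProfile` are set only at container level, so the restricted profile is satisfied per container; any init container added later (initContainers is currently null) will need the same fields, which is one argument for moving those two settings to the pod-level securityContext.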
