feat: add securityContext defaults to deployment manifest #111

Merged: 1 commit, Sep 25, 2024
feat: add securityContext defaults to deployment manifest
This commit makes the deployment manifest comply with the "restricted"
PodSecurity Standard profile. Doing so allows capacitor to be deployed
to clusters enforcing this profile on the flux-system namespace without
the need for customization of the supplied manifests in this repository.
tjespers committed Jul 5, 2024
commit 434a38b21eb9f9ef7d2f4cff566a62035f699d01
12 changes: 12 additions & 0 deletions deploy/helm/onechart-helm-values.yaml
@@ -8,3 +8,15 @@ probe:
resources:
ignoreLimits: true
serviceAccount: capacitor

securityContext:
runAsNonRoot: true
runAsUser: 100
runAsGroup: 101
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
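Review bot: `readOnlyRootFilesystem: true` is not required by the restricted PodSecurity profile and is the setting in this hunk most likely to break the workload at runtime: any path capacitor writes to (temp files, caches) will fail with EROFS unless it is backed by an emptyDir or another volume, and no volume is added here. Please confirm the process has no writable-path requirement, or add an emptyDir mount for it. Also confirm that `runAsUser: 100` / `runAsGroup: 101` match the non-root user the image is built with; a mismatch leaves files baked into the image unreadable or unwritable by the process even though the pod admits fine.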
16 changes: 13 additions & 3 deletions deploy/k8s/manifest.yaml
@@ -6,7 +6,7 @@ metadata:
name: capacitor
namespace: flux-system
labels:
helm.sh/chart: onechart-0.63.0
helm.sh/chart: onechart-0.69.0
app.kubernetes.io/name: onechart
app.kubernetes.io/instance: capacitor
app.kubernetes.io/managed-by: Helm
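Review bot: the `helm.sh/chart` label bump from onechart-0.63.0 to onechart-0.69.0 shows the manifest was re-rendered with a newer chart, but neither the commit message nor the PR title mentions the chart upgrade. Please state it in the commit message so reviewers know to look for other rendering differences between the two chart versions, not only the securityContext additions.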
@@ -28,7 +28,7 @@ metadata:
name: capacitor
namespace: flux-system
labels:
helm.sh/chart: onechart-0.63.0
helm.sh/chart: onechart-0.69.0
app.kubernetes.io/name: onechart
app.kubernetes.io/instance: capacitor
app.kubernetes.io/managed-by: Helm
@@ -70,7 +70,17 @@ spec:
requests:
cpu: 200m
memory: 200Mi
securityContext: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 101
runAsNonRoot: true
runAsUser: 100
seccompProfile:
type: RuntimeDefault
initContainers: null
securityContext:
fsGroup: 999
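Review bot: the pod-level securityContext keeps only `fsGroup: 999` while the container now runs with `runAsGroup: 101`; that works because fsGroup is applied as a supplementary group on mounted volumes, but the 999 vs 101 difference deserves a comment in the values file so it is not "corrected" later. As in the values file, `readOnlyRootFilesystem: true` arrives with no accompanying volume mount, so any write to the container filesystem fails; please confirm capacitor needs no writable /tmp or cache directory, or add an emptyDir. The settings the restricted profile does require (`allowPrivilegeEscalation: false`, `capabilities.drop: [ALL]`, `runAsNonRoot: true`, `seccompProfile.type: RuntimeDefault`) are all present on the container, so the commit message's compliance claim holds for this rendered manifest.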