diff --git a/apps/forwarder-vpp/forwarder.yaml b/apps/forwarder-vpp/forwarder.yaml
index 5df26ed779d6..607f84fca7f1 100644
--- a/apps/forwarder-vpp/forwarder.yaml
+++ b/apps/forwarder-vpp/forwarder.yaml
@@ -24,6 +24,13 @@ spec:
           name: forwarder-vpp
           securityContext:
             privileged: true
+            runAsNonRoot: true
+            runAsUser: 10001
+            runAsGroup: 10001
+            capabilities:
+              drop:
+                - ALL
+              add: ["DAC_OVERRIDE", "SYS_ADMIN", "NET_ADMIN", "IPC_LOCK", "NET_RAW","SYS_PTRACE","SETGID"]
           env:
             - name: SPIFFE_ENDPOINT_SOCKET
               value: unix:///run/spire/sockets/agent.sock
diff --git a/apps/nsmgr/nsmgr.yaml b/apps/nsmgr/nsmgr.yaml
index 098de18dc742..9af937e887fa 100644
--- a/apps/nsmgr/nsmgr.yaml
+++ b/apps/nsmgr/nsmgr.yaml
@@ -16,6 +16,10 @@ spec:
         "spiffe.io/spiffe-id": "true"
     spec:
       serviceAccount: nsmgr-sa
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 10001
+        runAsGroup: 10001
       containers:
         - image: ghcr.io/networkservicemesh/ci/cmd-nsmgr:5b232e8
           imagePullPolicy: IfNotPresent
@@ -81,6 +85,11 @@ spec:
             command: ["/bin/grpc-health-probe", "-spiffe", "-addr=:5001"]
             failureThreshold: 25
             periodSeconds: 5
+          securityContext:
+            capabilities:
+              drop:
+                - ALL
+              add: ["DAC_OVERRIDE"]
         - image: ghcr.io/networkservicemesh/ci/cmd-exclude-prefixes-k8s:454b980
           imagePullPolicy: IfNotPresent
           name: exclude-prefixes
@@ -94,6 +103,10 @@ spec:
             limits:
               memory: 40Mi
               cpu: 75m
+          securityContext:
+            capabilities:
+              drop:
+                - ALL
       volumes:
         - name: spire-agent-socket
           hostPath:
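Review bot: The forwarder-vpp hunk keeps `privileged: true` on the line directly above the new `capabilities` block, so the `drop: [ALL]` / `add:` lists do not describe the container's effective privileges — on the common runtimes a privileged container is started with the full capability set, and the new `runAsNonRoot`/`runAsUser` lines constrain far less than they appear to while that flag stays. Either the forwarder really needs `privileged` (then say so with a comment and do not add a capability list that reads as a restriction), or the explicit `add:` list is what it needs and `privileged: true` should go; which of the two holds is not decidable from this hunk. Separately, the `add:` line is a long flow list with inconsistent spacing (`"NET_RAW","SYS_PTRACE"`) next to a block-style `drop:`; writing both as block sequences keeps the file consistent and diffs one capability per line. The containers list continues outside the hunk.
```yaml
          securityContext:
            # TODO(review): document why privileged is still required; while it is
            # set, the drop/add lists below are not the container's effective caps
            privileged: true
            # … unchanged: runAsNonRoot / runAsUser / runAsGroup …
            capabilities:
              drop:
                - ALL
              add:
                - DAC_OVERRIDE
                - SYS_ADMIN
                - NET_ADMIN
                - IPC_LOCK
                - NET_RAW
                - SYS_PTRACE
                - SETGID
```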
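Review bot: The pod-level `runAsUser: 10001` in the first nsmgr hunk applies to every container in the pod, and the pod also mounts a `hostPath` socket (`spire-agent-socket`, visible at the end of the last hunk) that is created by the node agent, so whether UID 10001 can open it is decided by the socket's mode on the host rather than by anything in this manifest. The `DAC_OVERRIDE` added to the nsmgr container later in the same file looks like the workaround for exactly that, which is worth stating next to the UID so nobody "cleans up" one half of the pair; something like `# non-root UID; the nsmgr container relies on DAC_OVERRIDE to reach the hostPath SPIRE socket — confirm` above `securityContext:`. If the agent socket can instead be made group-accessible on the node, the cap could be dropped too, but that is outside this diff.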
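Review bot: Neither of the two new container-level `securityContext` blocks in nsmgr.yaml (this one on the nsmgr container, and the one on `exclude-prefixes` in the following hunk) sets `allowPrivilegeEscalation: false`, which is the one field that `drop: [ALL]` does not cover and that the Kubernetes restricted Pod Security Standard requires; adding `allowPrivilegeEscalation: false` under each `securityContext:` costs nothing once all capabilities are dropped. For the nsmgr container specifically, `add: ["DAC_OVERRIDE"]` re-grants a bypass of all discretionary file permission checks, so the non-root UID from the pod-level block only limits ownership, not file access — a one-line comment naming the file it is needed for (presumably the hostPath socket; confirm) would make the trade-off reviewable later. The `add:` line here is flow style while `drop:` is a block sequence; `add:` followed by `- DAC_OVERRIDE` on the next line keeps the two consistent.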