securityContext adjusted (#1261)

allow installation and execution in restricted namespaces Signed-off-by: Olli Hauer <ohauer@gmx.de>
bitnami-labs · Aug 7, 2023 · 458e260 · 458e260
1 parent a6bcb68
commit 458e260
Showing 1 changed file with 9 additions and 2 deletions.
diff --git a/controller-norbac.jsonnet b/controller-norbac.jsonnet
@@ -40,6 +40,11 @@ local namespace = 'kube-system';
         spec+: {
           securityContext+: {
             fsGroup: 65534,
+            runAsNonRoot: true,
+            runAsUser: 1001,
+            seccompProfile+: {
+              type: 'RuntimeDefault',
+            }
           },
           containers_+: {
             controller: kube.Container('sealed-secrets-controller') {
@@ -54,9 +59,11 @@ local namespace = 'kube-system';
                 http: { containerPort: 8080 },
               },
               securityContext+: {
+                allowPrivilegeEscalation: false,
+                capabilities+: {
+                  drop: [ 'ALL' ],
+                },
                 readOnlyRootFilesystem: true,
-                runAsNonRoot: true,
-                runAsUser: 1001,
               },
               volumeMounts_+: {
                 tmp: {