Deploy webhook in pod admission restricted mode

Signed-off-by: Pat Riehecky <riehecky@fnal.gov>
kubernetes-sigs · May 16, 2023 · 9f05407 · 9f05407
1 parent b692c69
commit 9f05407
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 0 deletions.
diff --git a/config/webhook/0-namespace.yaml b/config/webhook/0-namespace.yaml
@@ -2,3 +2,7 @@ apiVersion: v1
 kind: Namespace
 metadata:
   name: gateway-system
+  labels:
+    pod-security.kubernetes.io/enforce: restricted
+    pod-security.kubernetes.io/audit: restricted
+    pod-security.kubernetes.io/warn: restricted
diff --git a/config/webhook/admission_webhook.yaml b/config/webhook/admission_webhook.yaml
@@ -79,7 +79,16 @@ spec:
           mountPath: /etc/certs
           readOnly: true
         securityContext:
+          allowPrivilegeEscalation: false
           readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          runAsUser: 65532
+          runAsGroup: 65532
+          capabilities: 
+            drop:
+              - "ALL"
+          seccompProfile:
+            type: RuntimeDefault
       volumes:
       - name: webhook-certs
         secret:

diff --git a/config/webhook/certificate_config.yaml b/config/webhook/certificate_config.yaml
@@ -100,11 +100,23 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          runAsUser: 2000
+          runAsGroup: 2000
+          capabilities:
+            drop:
+              - "ALL"
+          seccompProfile:
+            type: RuntimeDefault
       restartPolicy: OnFailure
       serviceAccountName: gateway-api-admission
       securityContext:
         runAsNonRoot: true
         runAsUser: 2000
+        runAsGroup: 2000
 ---
 apiVersion: batch/v1
 kind: Job
@@ -137,8 +149,20 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          runAsUser: 2000
+          runAsGroup: 2000
+          capabilities:
+            drop:
+              - "ALL"
+          seccompProfile:
+            type: RuntimeDefault
       restartPolicy: OnFailure
       serviceAccountName: gateway-api-admission
       securityContext:
         runAsNonRoot: true
         runAsUser: 2000
+        runAsGroup: 2000