✨ applying restrictive SCC for all conatiners produced by the tool
camilamacedo86 committed May 25, 2022
1 parent a2b2be2 commit 1bd3ffe
Showing 37 changed files with 374 additions and 0 deletions.
Expand Up @@ -53,8 +53,17 @@ metadata:
spec:
template:
spec:
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
containers:
- name: kube-rbac-proxy
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
image: gcr.io/kubebuilder/kube-rbac-proxy:v0.11.0
args:
- "--secure-listen-address=0.0.0.0:8443"
Expand All @@ -74,6 +83,11 @@ spec:
memory: 64Mi
{{- if not .ComponentConfig }}
- name: manager
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
args:
- "--health-probe-bind-address=:8081"
- "--metrics-bind-address=127.0.0.1:8080"
Expand Up @@ -48,8 +48,17 @@ metadata:
spec:
template:
spec:
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
containers:
- name: manager
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
args:
- "--config=controller_manager_config.yaml"
volumeMounts:
Expand All @@ -58,6 +67,11 @@ spec:
subPath: controller_manager_config.yaml
volumes:
- name: manager-config
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
configMap:
name: manager-config
`
Expand Up @@ -57,8 +57,17 @@ metadata:
spec:
template:
spec:
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
containers:
- name: manager
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
ports:
- containerPort: 9443
name: webhook-server
Expand Up @@ -72,6 +72,8 @@ spec:
spec:
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
containers:
- command:
- /manager
Expand All @@ -83,6 +85,9 @@ spec:
name: manager
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
livenessProbe:
httpGet:
path: /healthz
Expand Up @@ -53,8 +53,17 @@ metadata:
spec:
template:
spec:
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
containers:
- name: kube-rbac-proxy
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
image: gcr.io/kubebuilder/kube-rbac-proxy:v0.11.0
args:
- "--secure-listen-address=0.0.0.0:8443"
Expand Up @@ -48,8 +48,17 @@ metadata:
spec:
template:
spec:
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
containers:
- name: manager
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
args:
- "--config=controller_manager_config.yaml"
volumeMounts:
Expand All @@ -58,6 +67,11 @@ spec:
subPath: controller_manager_config.yaml
volumes:
- name: manager-config
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
configMap:
name: manager-config
`
Expand Up @@ -57,8 +57,17 @@ metadata:
spec:
template:
spec:
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
containers:
- name: manager
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
ports:
- containerPort: 9443
name: webhook-server
Expand Up @@ -52,8 +52,17 @@ metadata:
spec:
template:
spec:
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
containers:
- name: kube-rbac-proxy
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
image: gcr.io/kubebuilder/kube-rbac-proxy:v0.11.0
args:
- "--secure-listen-address=0.0.0.0:8443"
Expand Up @@ -48,8 +48,17 @@ metadata:
spec:
template:
spec:
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
containers:
- name: manager
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
ports:
- containerPort: 9443
name: webhook-server
Expand Up @@ -8,8 +8,17 @@ metadata:
spec:
template:
spec:
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
containers:
- name: kube-rbac-proxy
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
image: gcr.io/kubebuilder/kube-rbac-proxy:v0.11.0
args:
- "--secure-listen-address=0.0.0.0:8443"
spec:
template:
spec:
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
containers:
- name: manager
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
ports:
- containerPort: 9443
name: webhook-server
Expand Up @@ -8,8 +8,17 @@ metadata:
spec:
template:
spec:
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
containers:
- name: kube-rbac-proxy
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
image: gcr.io/kubebuilder/kube-rbac-proxy:v0.11.0
args:
- "--secure-listen-address=0.0.0.0:8443"
Expand Up @@ -6,8 +6,17 @@ metadata:
spec:
template:
spec:
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
containers:
- name: manager
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
ports:
- containerPort: 9443
name: webhook-server
Expand Up @@ -8,8 +8,17 @@ metadata:
spec:
template:
spec:
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
containers:
- name: kube-rbac-proxy
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
image: gcr.io/kubebuilder/kube-rbac-proxy:v0.11.0
args:
- "--secure-listen-address=0.0.0.0:8443"
9 changes: 9 additions & 0 deletions testdata/project-v2/config/default/manager_webhook_patch.yaml
Expand Up @@ -6,8 +6,17 @@ metadata:
spec:
template:
spec:
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
containers:
- name: manager
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
ports:
- containerPort: 9443
name: webhook-server
Expand Up @@ -8,8 +8,17 @@ metadata:
spec:
template:
spec:
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
containers:
- name: kube-rbac-proxy
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
image: gcr.io/kubebuilder/kube-rbac-proxy:v0.11.0
args:
- "--secure-listen-address=0.0.0.0:8443"
Expand All @@ -28,6 +37,11 @@ spec:
cpu: 5m
memory: 64Mi
- name: manager
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
args:
- "--health-probe-bind-address=:8081"
- "--metrics-bind-address=127.0.0.1:8080"
14 changes: 14 additions & 0 deletions testdata/project-v3-addon/config/default/manager_config_patch.yaml
Expand Up @@ -6,8 +6,17 @@ metadata:
spec:
template:
spec:
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
containers:
- name: manager
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
args:
- "--config=controller_manager_config.yaml"
volumeMounts:
Expand All @@ -16,5 +25,10 @@ spec:
subPath: controller_manager_config.yaml
volumes:
- name: manager-config
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
configMap:
name: manager-config
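Review bot: In the second hunk the new `securityContext` block sits under the `volumes` entry `manager-config` rather than under a container; `securityContext` is not a field of a pod volume, so the generated Deployment either fails validation or has the block silently dropped, and nothing is hardened by it. The first hunk already sets the identical block on the `manager` container, so the five misplaced lines (`securityContext:` through `- ALL` under `- name: manager-config`) should simply be removed. The same misplaced block appears in the earlier sections ending at lines 76 and 168, which look like the Go templates that generate this testdata file; the fix belongs there as well or it will be regenerated.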
5 changes: 5 additions & 0 deletions testdata/project-v3-addon/config/manager/manager.yaml
Expand Up @@ -26,6 +26,8 @@ spec:
spec:
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
containers:
- command:
- /manager
Expand All @@ -35,6 +37,9 @@ spec:
name: manager
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
livenessProbe:
httpGet:
path: /healthz
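Review bot: `seccompProfile: type: RuntimeDefault` added to the pod-level `securityContext` is a field that only exists on Kubernetes 1.19 and newer; on older clusters the manifest is rejected by field validation or the block is silently dropped, leaving the pod with no seccomp profile while looking hardened. Since this is scaffolded into every generated project, a comment above the key such as `# seccompProfile requires Kubernetes >= 1.19` would make the new minimum cluster version visible to users. The same pod-level block is added in every other file section of this commit, so the comment should live in the templates that produce them rather than only in this testdata file.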