Skip to content

Commit

Permalink
address vulnerabilities reported by a trivy scan of the running CAPL …
Browse files Browse the repository at this point in the history
…pods
  • Loading branch information
eljohnson92 committed Apr 22, 2024
1 parent 5c8770f commit 9ca7c9d
Show file tree
Hide file tree
Showing 2 changed files with 10 additions and 29 deletions.
6 changes: 4 additions & 2 deletions config/default/manager_auth_proxy_patch.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -11,15 +11,17 @@ spec:
containers:
- name: kube-rbac-proxy
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
runAsUser: 10999
runAsGroup: 10999
capabilities:
drop:
- "ALL"
image: gcr.io/kubebuilder/kube-rbac-proxy:v0.14.1
image: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0
args:
- "--secure-listen-address=0.0.0.0:8443"
- "--upstream=http://127.0.0.1:8080/"
- "--logtostderr=true"
- "--v=0"
ports:
- containerPort: 8443
Expand Down
33 changes: 6 additions & 27 deletions config/manager/manager.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -36,35 +36,11 @@ spec:
labels:
control-plane: controller-manager
spec:
# TODO(user): Uncomment the following code to configure the nodeAffinity expression
# according to the platforms which are supported by your solution.
# It is considered best practice to support multiple architectures. You can
# build your manager image using the makefile target docker-buildx.
# affinity:
# nodeAffinity:
# requiredDuringSchedulingIgnoredDuringExecution:
# nodeSelectorTerms:
# - matchExpressions:
# - key: kubernetes.io/arch
# operator: In
# values:
# - amd64
# - arm64
# - ppc64le
# - s390x
# - key: kubernetes.io/os
# operator: In
# values:
# - linux
securityContext:
fsGroup: 2000
runAsNonRoot: true
# TODO(user): For common cases that do not require escalating privileges
# it is recommended to ensure that all your Pods/Containers are restrictive.
# More info: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
# Please uncomment the following code if your project does NOT have to work on old Kubernetes
# versions < 1.19 or on vendors versions which do NOT support this field by default (i.e. Openshift < 4.11 ).
# seccompProfile:
# type: RuntimeDefault
seccompProfile:
type: RuntimeDefault
containers:
- command:
- /manager
Expand All @@ -81,7 +57,10 @@ spec:
value: v4beta
name: manager
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
runAsUser: 10999
runAsGroup: 10999
capabilities:
drop:
- "ALL"
Expand Down

0 comments on commit 9ca7c9d

Please sign in to comment.