Merge pull request #186 from winston0410/feat/make-controller-non-root

winston0410 · web-flow · commit 0676956213ab · 2024-07-04T13:29:54.000+01:00
make controller deployment run as nobody and nogroup
diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml
@@ -20,6 +20,15 @@ spec:
         - containerPort: 8443
           protocol: TCP
           name: https
+        securityContext:
+          runAsNonRoot: false
+          runAsGroup: 65534
+          runAsUser: 65534
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          capabilities:
+            drop:
+              - ALL
         resources:
           limits:
             cpu: 500m
diff --git a/config/default/manager_auth_proxy_patch.yaml.template b/config/default/manager_auth_proxy_patch.yaml.template
@@ -20,6 +20,15 @@ spec:
         - containerPort: 8443
           protocol: TCP
           name: https
+        securityContext:
+          runAsNonRoot: false
+          runAsGroup: 65534
+          runAsUser: 65534
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          capabilities:
+            drop:
+              - ALL
         resources:
           limits:
             cpu: 500m
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
@@ -25,6 +25,7 @@ spec:
         control-plane: controller-manager
     spec:
       securityContext:
+        fsGroup: 65534
         runAsNonRoot: true
       containers:
       - command:
@@ -34,7 +35,14 @@ spec:
         image: controller:latest
         name: manager
         securityContext:
+          runAsNonRoot: false
+          runAsGroup: 65534
+          runAsUser: 65534
           allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          capabilities:
+            drop:
+              - ALL
         livenessProbe:
           httpGet:
             path: /healthz
