From bd966b895553435e0eef3460a0313ee0bdf97c7c Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Tue, 24 Sep 2024 16:00:03 +0800 Subject: [PATCH] set user group and user id for the default SecurityContext (#4313) set user group and user id 
Signed-off-by: Huabing Zhao --- .../templates/envoy-gateway-deployment.yaml | 2 ++ internal/infrastructure/kubernetes/proxy/resource.go | 10 ++++++++++ .../proxy/testdata/daemonsets/component-level.yaml | 4 ++++ .../kubernetes/proxy/testdata/daemonsets/custom.yaml | 2 ++ .../proxy/testdata/daemonsets/default-env.yaml | 2 ++ .../kubernetes/proxy/testdata/daemonsets/default.yaml | 4 ++++ .../proxy/testdata/daemonsets/disable-prometheus.yaml | 4 ++++ .../proxy/testdata/daemonsets/extension-env.yaml | 2 ++ .../daemonsets/override-labels-and-annotations.yaml | 4 ++++ .../proxy/testdata/daemonsets/patch-daemonset.yaml | 4 ++++ .../proxy/testdata/daemonsets/shutdown-manager.yaml | 3 +++ .../kubernetes/proxy/testdata/daemonsets/volumes.yaml | 2 ++ .../proxy/testdata/daemonsets/with-annotations.yaml | 4 ++++ .../proxy/testdata/daemonsets/with-concurrency.yaml | 4 ++++ .../proxy/testdata/daemonsets/with-extra-args.yaml | 4 ++++ .../testdata/daemonsets/with-image-pull-secrets.yaml | 4 ++++ .../proxy/testdata/daemonsets/with-name.yaml | 4 ++++ .../proxy/testdata/daemonsets/with-node-selector.yaml | 4 ++++ .../daemonsets/with-topology-spread-constraints.yaml | 4 ++++ .../proxy/testdata/deployments/bootstrap.yaml | 4 ++++ .../proxy/testdata/deployments/component-level.yaml | 4 ++++ .../kubernetes/proxy/testdata/deployments/custom.yaml | 2 ++ .../deployments/custom_with_initcontainers.yaml | 2 ++ .../proxy/testdata/deployments/default-env.yaml | 2 ++ .../kubernetes/proxy/testdata/deployments/default.yaml | 4 ++++ .../proxy/testdata/deployments/disable-prometheus.yaml | 4 ++++ .../proxy/testdata/deployments/extension-env.yaml | 2 ++ .../deployments/override-labels-and-annotations.yaml | 4 ++++ .../proxy/testdata/deployments/patch-deployment.yaml | 4 ++++ .../proxy/testdata/deployments/shutdown-manager.yaml | 3 +++ .../kubernetes/proxy/testdata/deployments/volumes.yaml | 2 ++ .../proxy/testdata/deployments/with-annotations.yaml | 4 ++++ 
.../proxy/testdata/deployments/with-concurrency.yaml | 4 ++++ .../testdata/deployments/with-empty-memory-limits.yaml | 4 ++++ .../proxy/testdata/deployments/with-extra-args.yaml | 4 ++++ .../testdata/deployments/with-image-pull-secrets.yaml | 4 ++++ .../proxy/testdata/deployments/with-name.yaml | 4 ++++ .../proxy/testdata/deployments/with-node-selector.yaml | 4 ++++ .../deployments/with-topology-spread-constraints.yaml | 4 ++++ .../gateway-helm/certjen-custom-scheduling.out.yaml | 2 ++ test/helm/gateway-helm/control-plane-with-pdb.out.yaml | 2 ++ test/helm/gateway-helm/default-config.out.yaml | 2 ++ .../gateway-helm/deployment-custom-topology.out.yaml | 2 ++ .../gateway-helm/deployment-images-config.out.yaml | 2 ++ test/helm/gateway-helm/envoy-gateway-config.out.yaml | 2 ++ test/helm/gateway-helm/global-images-config.out.yaml | 2 ++ 46 files changed, 154 insertions(+) diff --git a/charts/gateway-helm/templates/envoy-gateway-deployment.yaml b/charts/gateway-helm/templates/envoy-gateway-deployment.yaml index 7d631f17289..af5cd116961 100644 --- a/charts/gateway-helm/templates/envoy-gateway-deployment.yaml +++ b/charts/gateway-helm/templates/envoy-gateway-deployment.yaml @@ -82,6 +82,8 @@ spec: - ALL privileged: false runAsNonRoot: true + runAsGroup: 65532 + runAsUser: 65532 seccompProfile: type: RuntimeDefault volumeMounts: diff --git a/internal/infrastructure/kubernetes/proxy/resource.go b/internal/infrastructure/kubernetes/proxy/resource.go index 32ca695e5da..d4d210418b7 100644 --- a/internal/infrastructure/kubernetes/proxy/resource.go +++ b/internal/infrastructure/kubernetes/proxy/resource.go @@ -447,6 +447,11 @@ func expectedEnvoySecurityContext(containerSpec *egv1a1.KubernetesContainerSpec) } sc := resource.DefaultSecurityContext() + + // run as non-root user + sc.RunAsGroup = ptr.To(int64(65532)) + sc.RunAsUser = ptr.To(int64(65532)) + // Envoy container needs to write to the log file/UDS socket. sc.ReadOnlyRootFilesystem = nil return sc 
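Review bot: The chart template now hard-codes `runAsUser: 65532` and `runAsGroup: 65532` in the control-plane container's `securityContext` instead of reading them from values, so operators cannot override them where an admission layer assigns UIDs (OpenShift's restricted SCC, for example, rejects a pod that pins a UID outside the namespace's allocated range). Consider sourcing the two keys from a values entry with 65532 as the default, e.g. `runAsUser: {{ .Values.deployment.envoyGateway.securityContext.runAsUser }}` (exact values path to match the chart's existing layout). Worth a line in the chart's comments: `runAsNonRoot: true` was already present, and pinning a numeric UID is what lets the kubelet enforce it deterministically when the image declares no numeric USER. The `securityContext` block this hunk edits begins outside the hunk.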
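Review bot: The UID/GID 65532 is written as a bare literal here and again in `expectedShutdownManagerSecurityContext` in the next hunk (and once more in the chart template), so the defaults can silently drift apart; hoist it into one package-level constant, `const defaultNonRootUID int64 = 65532` (name is a suggestion), and use `ptr.To(defaultNonRootUID)` at both sites. The added comment `// run as non-root user` is misleading because `runAsNonRoot: true` is already produced by `resource.DefaultSecurityContext()` (the testdata context lines show it unchanged); replace it with `// Pin UID/GID so runAsNonRoot can be enforced even when the image sets no numeric USER; 65532 is the conventional distroless "nonroot" user.` `expectedEnvoySecurityContext` starts before the hunk, so I cannot see whether `containerSpec.SecurityContext` is merged above this point; if it is, these assignments would overwrite a user-supplied RunAsUser/RunAsGroup, and a test pinning the intended precedence would make that explicit either way.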
@@ -454,6 +459,11 @@ func expectedEnvoySecurityContext(containerSpec *egv1a1.KubernetesContainerSpec) func expectedShutdownManagerSecurityContext() *corev1.SecurityContext { sc := resource.DefaultSecurityContext() + + // run as non-root user + sc.RunAsGroup = ptr.To(int64(65532)) + sc.RunAsUser = ptr.To(int64(65532)) + // ShutdownManger creates a file to indicate the connection drain process is completed, // so it needs file write permission. sc.ReadOnlyRootFilesystem = nil diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/component-level.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/component-level.yaml index b81eac520be..4f9107fb4d7 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/component-level.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/component-level.yaml @@ -94,7 +94,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: @@ -168,7 +170,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/custom.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/custom.yaml index dd3d30cb87c..a3bad89951a 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/custom.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/custom.yaml @@ -347,7 +347,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default-env.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default-env.yaml index 2756e0ac667..6afaa48eb50 100644 
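Review bot: This hunk repeats the literal 65532 from the previous hunk; see that note for the shared constant. Separately, the shutdown-manager testdata in this patch (daemonsets/shutdown-manager.yaml and deployments/shutdown-manager.yaml) ends up with `runAsUser: 1234` next to the newly added `runAsGroup: 65532`, which suggests a user-supplied RunAsUser is merged over this default somewhere outside the hunk while RunAsGroup is not. A primary group that does not match the overridden user is a plausible source of permission failures on the drain-completion file this function's comment describes, so either document that callers overriding RunAsUser should also set RunAsGroup, or have the merge derive the group from the user when only the user is given. The merge point is not visible here, so treat this as something to confirm against the caller.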
--- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default-env.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default-env.yaml @@ -346,7 +346,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default.yaml index cdecbf11acc..c55efd9a651 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default.yaml @@ -261,7 +261,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: @@ -335,7 +337,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/disable-prometheus.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/disable-prometheus.yaml index cb14c7d0102..0190a032347 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/disable-prometheus.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/disable-prometheus.yaml @@ -232,7 +232,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: @@ -306,7 +308,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/extension-env.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/extension-env.yaml index 844e8c38b8a..59abefc9f7e 100644 
--- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/extension-env.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/extension-env.yaml @@ -350,7 +350,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/override-labels-and-annotations.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/override-labels-and-annotations.yaml index 3e2631cf7a2..acf981d6eaf 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/override-labels-and-annotations.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/override-labels-and-annotations.yaml @@ -270,7 +270,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: @@ -344,7 +346,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/patch-daemonset.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/patch-daemonset.yaml index 894bd9597d4..6eaf679f35b 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/patch-daemonset.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/patch-daemonset.yaml @@ -261,7 +261,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: @@ -335,7 +337,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/shutdown-manager.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/shutdown-manager.yaml index 04230b2f453..b4ff0f41c3b 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/shutdown-manager.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/shutdown-manager.yaml @@ -261,7 +261,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: @@ -345,6 +347,7 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true runAsUser: 1234 seccompProfile: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/volumes.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/volumes.yaml index 74555834ecf..8707cd1289b 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/volumes.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/volumes.yaml @@ -350,7 +350,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-annotations.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-annotations.yaml index 708f586ffc2..1288195935a 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-annotations.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-annotations.yaml @@ -266,7 +266,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: @@ -340,7 +342,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-concurrency.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-concurrency.yaml index 10911bdec5d..aceabd683a3 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-concurrency.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-concurrency.yaml @@ -94,7 +94,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: @@ -168,7 +170,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-extra-args.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-extra-args.yaml index 558e51410c0..c4e4ef57509 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-extra-args.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-extra-args.yaml @@ -263,7 +263,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: @@ -337,7 +339,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-image-pull-secrets.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-image-pull-secrets.yaml index bb6d7bcebc5..a368ec3334e 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-image-pull-secrets.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-image-pull-secrets.yaml 
@@ -261,7 +261,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: @@ -335,7 +337,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-name.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-name.yaml index 7df24d4b5c4..34d8438df3d 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-name.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-name.yaml @@ -261,7 +261,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: @@ -335,7 +337,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-node-selector.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-node-selector.yaml index 6fb612dad30..aa6aba8b813 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-node-selector.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-node-selector.yaml @@ -261,7 +261,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: @@ -335,7 +337,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-topology-spread-constraints.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-topology-spread-constraints.yaml index cc863ceb2cd..a69ed0181ee 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-topology-spread-constraints.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-topology-spread-constraints.yaml @@ -261,7 +261,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: @@ -335,7 +337,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/bootstrap.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/bootstrap.yaml index 7c979810084..edbcf01d06f 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/bootstrap.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/bootstrap.yaml @@ -97,7 +97,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: @@ -171,7 +173,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/component-level.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/component-level.yaml index b9076bc915f..6ac7da41299 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/component-level.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/component-level.yaml 
@@ -98,7 +98,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: @@ -172,7 +174,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml index b770e10c5ab..7825fe6a5d4 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml @@ -352,7 +352,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml index 3b7f4c13131..7c19b8404b4 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml @@ -354,7 +354,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml index 11fc90e2e6f..608be7b1164 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml 
@@ -351,7 +351,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml index a1efff9d450..7ab09dccee7 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml @@ -265,7 +265,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: @@ -339,7 +341,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/disable-prometheus.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/disable-prometheus.yaml index cf2503cc142..8eba24a439e 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/disable-prometheus.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/disable-prometheus.yaml @@ -236,7 +236,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: @@ -310,7 +312,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml index 97f116c0620..2cb179ea5ce 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml 
@@ -355,7 +355,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml index 3f5c31be439..a2ad5c78026 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml @@ -274,7 +274,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: @@ -348,7 +350,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/patch-deployment.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/patch-deployment.yaml index 725c4994a52..7e742ac47f0 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/patch-deployment.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/patch-deployment.yaml @@ -265,7 +265,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: @@ -339,7 +341,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/shutdown-manager.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/shutdown-manager.yaml index 4c6726cb54e..9abe8a6cae2 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/shutdown-manager.yaml 
+++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/shutdown-manager.yaml @@ -265,7 +265,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: @@ -349,6 +351,7 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true runAsUser: 1234 seccompProfile: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml index 4c5819a8786..b5fca7f2c29 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml @@ -355,7 +355,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-annotations.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-annotations.yaml index f0a9014ec9f..c96b3d7a3da 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-annotations.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-annotations.yaml @@ -270,7 +270,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: @@ -344,7 +346,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-concurrency.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-concurrency.yaml index 2902e865bf2..3cafba40548 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-concurrency.yaml 
+++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-concurrency.yaml @@ -98,7 +98,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: @@ -172,7 +174,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-empty-memory-limits.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-empty-memory-limits.yaml index cc950e452e9..001c2c627be 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-empty-memory-limits.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-empty-memory-limits.yaml @@ -264,7 +264,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: @@ -338,7 +340,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-extra-args.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-extra-args.yaml index d31d189e616..3a44833a244 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-extra-args.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-extra-args.yaml @@ -267,7 +267,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: @@ -341,7 +343,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-image-pull-secrets.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-image-pull-secrets.yaml index a60b4d2169e..ba938efc580 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-image-pull-secrets.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-image-pull-secrets.yaml @@ -265,7 +265,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: @@ -339,7 +341,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-name.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-name.yaml index 2dd44b08dd9..3b4404c54e4 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-name.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-name.yaml @@ -265,7 +265,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: @@ -339,7 +341,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-node-selector.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-node-selector.yaml index 235b1e992f9..f8288066623 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-node-selector.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-node-selector.yaml 
@@ -265,7 +265,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: @@ -339,7 +341,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-topology-spread-constraints.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-topology-spread-constraints.yaml index 60fb354d5a7..1b3a530ce53 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-topology-spread-constraints.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-topology-spread-constraints.yaml @@ -265,7 +265,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: @@ -339,7 +341,9 @@ spec: drop: - ALL privileged: false + runAsGroup: 65532 runAsNonRoot: true + runAsUser: 65532 seccompProfile: type: RuntimeDefault startupProbe: diff --git a/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml b/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml index c280e54ca94..096e1eb5561 100644 --- a/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml +++ b/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml @@ -429,6 +429,8 @@ spec: - ALL privileged: false runAsNonRoot: true + runAsGroup: 65532 + runAsUser: 65532 seccompProfile: type: RuntimeDefault volumeMounts: diff --git a/test/helm/gateway-helm/control-plane-with-pdb.out.yaml b/test/helm/gateway-helm/control-plane-with-pdb.out.yaml index 3db52f2bcbe..4c9a3d6cfdf 100644 --- a/test/helm/gateway-helm/control-plane-with-pdb.out.yaml +++ b/test/helm/gateway-helm/control-plane-with-pdb.out.yaml 
@@ -444,6 +444,8 @@ spec: - ALL privileged: false runAsNonRoot: true + runAsGroup: 65532 + runAsUser: 65532 seccompProfile: type: RuntimeDefault volumeMounts: diff --git a/test/helm/gateway-helm/default-config.out.yaml b/test/helm/gateway-helm/default-config.out.yaml index 0dd66b5c209..c830348f012 100644 --- a/test/helm/gateway-helm/default-config.out.yaml +++ b/test/helm/gateway-helm/default-config.out.yaml @@ -429,6 +429,8 @@ spec: - ALL privileged: false runAsNonRoot: true + runAsGroup: 65532 + runAsUser: 65532 seccompProfile: type: RuntimeDefault volumeMounts: diff --git a/test/helm/gateway-helm/deployment-custom-topology.out.yaml b/test/helm/gateway-helm/deployment-custom-topology.out.yaml index b9fc662515f..fd468b505f0 100644 --- a/test/helm/gateway-helm/deployment-custom-topology.out.yaml +++ b/test/helm/gateway-helm/deployment-custom-topology.out.yaml @@ -457,6 +457,8 @@ spec: - ALL privileged: false runAsNonRoot: true + runAsGroup: 65532 + runAsUser: 65532 seccompProfile: type: RuntimeDefault volumeMounts: diff --git a/test/helm/gateway-helm/deployment-images-config.out.yaml b/test/helm/gateway-helm/deployment-images-config.out.yaml index 4da6c9a57f3..aa5a36ff23d 100644 --- a/test/helm/gateway-helm/deployment-images-config.out.yaml +++ b/test/helm/gateway-helm/deployment-images-config.out.yaml @@ -429,6 +429,8 @@ spec: - ALL privileged: false runAsNonRoot: true + runAsGroup: 65532 + runAsUser: 65532 seccompProfile: type: RuntimeDefault volumeMounts: diff --git a/test/helm/gateway-helm/envoy-gateway-config.out.yaml b/test/helm/gateway-helm/envoy-gateway-config.out.yaml index 056a0bde7d0..aa91dacecc8 100644 --- a/test/helm/gateway-helm/envoy-gateway-config.out.yaml +++ b/test/helm/gateway-helm/envoy-gateway-config.out.yaml @@ -431,6 +431,8 @@ spec: - ALL privileged: false runAsNonRoot: true + runAsGroup: 65532 + runAsUser: 65532 seccompProfile: type: RuntimeDefault volumeMounts: 
diff --git a/test/helm/gateway-helm/global-images-config.out.yaml b/test/helm/gateway-helm/global-images-config.out.yaml index 5eea2055070..e18eecd7bc7 100644 --- a/test/helm/gateway-helm/global-images-config.out.yaml +++ b/test/helm/gateway-helm/global-images-config.out.yaml @@ -433,6 +433,8 @@ spec: - ALL privileged: false runAsNonRoot: true + runAsGroup: 65532 + runAsUser: 65532 seccompProfile: type: RuntimeDefault volumeMounts: