Merge pull request #539 from aryan9600/aryan9600/security-context
Drop capabilities, enable seccomp and enforce runAsNonRoot
stefanprodan authored Jan 20, 2022
2 parents 91e96a2 + c0d5eee commit 12d9fab
Showing 2 changed files with 7 additions and 3 deletions.
4 changes: 1 addition & 3 deletions Dockerfile
@@ -43,9 +43,7 @@ COPY --from=builder /workspace/kustomize-controller /usr/local/bin/
# https://github.com/gliderlabs/docker-alpine/issues/367#issuecomment-354316460
RUN [ ! -e /etc/nsswitch.conf ] && echo 'hosts: files dns' > /etc/nsswitch.conf

RUN addgroup -S controller && adduser -S controller -G controller

USER controller
USER 65534:65534

ENV GNUPGHOME=/tmp
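Review bot: the change from a named `controller` user to the numeric `USER 65534:65534` is what makes `runAsNonRoot: true` enforceable: the kubelet can only verify a numeric UID, and an image whose `USER` is a name makes the pod fail at start with a runAsNonRoot error, so the `addgroup`/`adduser` removal deserves a one-line comment above `USER 65534:65534` explaining that, otherwise it reads as a regression. Note that UID 65534 has no home directory in this image; `ENV GNUPGHOME=/tmp` keeps gpg working, but any other path the controller writes must also live under `/tmp`. Separately, the unchanged `RUN [ ! -e /etc/nsswitch.conf ] && echo 'hosts: files dns' > /etc/nsswitch.conf` exits non-zero when the file already exists and fails the build; the safe form is `RUN [ -e /etc/nsswitch.conf ] || echo 'hosts: files dns' > /etc/nsswitch.conf`.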

6 changes: 6 additions & 0 deletions config/manager/deployment.yaml
@@ -29,6 +29,12 @@ spec:
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsNonRoot: true
capabilities:
drop: [ "ALL" ]
seccompProfile:
type: RuntimeDefault

ports:
- containerPort: 8080
name: http-prom
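Review bot: `runAsNonRoot: true` only works together with the numeric `USER 65534:65534` from the Dockerfile hunk in this same commit; an image rebuilt with a named user would be rejected at pod start, so the two changes should be documented as coupled, either in the commit message or in a comment next to `runAsNonRoot: true`. `seccompProfile: type: RuntimeDefault` in the container `securityContext` requires Kubernetes 1.19 or newer; state that minimum version if this manifest is expected to apply to older clusters. Since `readOnlyRootFilesystem: true` is kept and the image sets `GNUPGHOME=/tmp`, confirm that `/tmp` is backed by a writable emptyDir volume in this deployment, otherwise gpg operations fail at runtime. With `allowPrivilegeEscalation: false`, `drop: [ "ALL" ]`, `runAsNonRoot: true` and a `RuntimeDefault` seccomp profile, the container-level fields now match the Pod Security `restricted` profile, which is the right baseline.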