security: Drop capabilities, set userid and enable seccomp #521

Merged: 2 commits merged on Jan 20, 2022

Commits on Jan 19, 2022

  1. security: Drop capabilities and enable seccomp

    Further restricts the SecurityContext that the controller runs under, by enabling the default seccomp profile and dropping all Linux capabilities.
    This was set at container-level to ensure backwards compatibility with
    use cases in which sidecars are injected into the source-controller pod
    without setting less restrictive settings.
    
    BREAKING CHANGE: The use of new seccomp API requires Kubernetes 1.19.
    
    Co-authored-by: Sanskar Jaiswal <sanskar.jaiswal@weave.works>
    Signed-off-by: Paulo Gomes <paulo.gomes@weave.works>
    Paulo Gomes and Sanskar Jaiswal committed Jan 19, 2022
    7b04b44
  2. Enforce runAsNonRoot

    BREAKING CHANGE: the controller container is now executed under 65534:65534 (userid:groupid). This change may break deployments that hard-coded the user name 'controller' in their PodSecurityPolicy.
    
    Signed-off-by: Paulo Gomes <paulo.gomes@weave.works>
    Paulo Gomes committed Jan 19, 2022
    9ba76a1
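
A container-level `securityContext` carrying the settings the two commits describe, as an added example that is not the project's own manifest. The Deployment name, labels and image are placeholders. It also assumes the 65534:65534 user and group are pinned in the manifest, which the page does not state.

```yaml
# Constructed example: names, labels and image are placeholders,
# not values taken from the project.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example-controller
spec:
  selector:
    matchLabels:
      app: example-controller
  template:
    metadata:
      labels:
        app: example-controller
    spec:
      # The restrictions are deliberately not placed in a pod-level
      # securityContext here: pod-level values are inherited by every
      # container in the pod, including sidecars injected later that
      # do not set their own.
      containers:
        - name: manager
          image: registry.example/controller:placeholder
          securityContext:
            # Kubelet refuses to start the container if it would run as UID 0.
            runAsNonRoot: true
            # Assumption: UID/GID set in the manifest; they could equally
            # come from the image's USER instruction.
            runAsUser: 65534
            runAsGroup: 65534
            capabilities:
              drop: ["ALL"]
            # Container-level seccompProfile field; per the commit message,
            # this API requires Kubernetes 1.19.
            seccompProfile:
              type: RuntimeDefault
```

A policy that matches on the user name rather than the numeric ID, as the second commit warns, will no longer match a container started this way.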