From 01304665e7c04964ca2a5b7545fb2b1e6d5ad0d8 Mon Sep 17 00:00:00 2001 
From: Istio Automation Date: Sat, 28 Dec 2019 09:50:21 -0800 Subject: [PATCH] [release-1.4] Add all securityContext fields in injected containers (#19832) * Add all securityContext fields in injected containers Fixes https://github.com/istio/istio/issues/17318 * Update injection unit tests Co-authored-by: Romain Lenglet --- .../helm/istio/files/injection-template.yaml | 49 ++++++++++++------- .../uninject/cronjob-with-app.yaml.injected | 15 ++++++ .../testdata/uninject/cronjob.yaml.injected | 14 ++++++ .../testdata/uninject/daemonset.yaml.injected | 14 ++++++ .../deploymentconfig-multi.yaml.injected | 14 ++++++ .../uninject/deploymentconfig.yaml.injected | 14 ++++++ .../uninject/enable-core-dump.yaml.injected | 23 +++++++++ .../cmd/testdata/uninject/job.yaml.injected | 14 ++++++ .../cmd/testdata/uninject/list.yaml.injected | 27 ++++++++++ .../cmd/testdata/uninject/pod.yaml.injected | 14 ++++++ .../uninject/replicaset.yaml.injected | 14 ++++++ .../replicationcontroller.yaml.injected | 14 ++++++ .../uninject/statefulset.yaml.injected | 14 ++++++ ...-with-flag-set-in-annotation.yaml.injected | 14 ++++++ ...ith-flag-unset-in-annotation.yaml.injected | 14 ++++++ .../app_probe/hello-probes.yaml.injected | 14 ++++++ .../app_probe/hello-readiness.yaml.injected | 14 ++++++ .../app_probe/https-probes.yaml.injected | 14 ++++++ .../inject/app_probe/named_port.yaml.injected | 14 ++++++ .../app_probe/one_container.yaml.injected | 14 ++++++ .../inject/app_probe/ready_live.yaml.injected | 14 ++++++ .../inject/app_probe/ready_only.yaml.injected | 14 ++++++ .../app_probe/two_container.yaml.injected | 14 ++++++ .../inject/auth.cert-dir.yaml.injected | 14 ++++++ ....non-default-service-account.yaml.injected | 14 ++++++ .../inject/testdata/inject/auth.yaml.injected | 14 ++++++ .../inject/cronjob-with-app.yaml.injected | 9 ++++ .../testdata/inject/cronjob.yaml.injected | 14 ++++++ .../testdata/inject/daemonset.yaml.injected | 14 ++++++ .../deploymentconfig-multi.yaml.injected | 14 
++++++ .../inject/deploymentconfig.yaml.injected | 14 ++++++ .../inject/enable-core-dump.yaml.injected | 23 +++++++++ .../inject/format-duration.yaml.injected | 14 ++++++ .../testdata/inject/frontend.yaml.injected | 14 ++++++ .../inject/hello-always.yaml.injected | 14 ++++++ .../hello-config-map-name.yaml.injected | 14 ++++++ .../inject/hello-ignore.yaml.injected | 14 ++++++ .../inject/hello-mtls-not-ready.yaml.injected | 14 ++++++ .../testdata/inject/hello-multi.yaml.injected | 28 +++++++++++ .../inject/hello-namespace.yaml.injected | 14 ++++++ .../testdata/inject/hello-never.yaml.injected | 14 ++++++ .../inject/hello-proxy-override.yaml.injected | 14 ++++++ .../hello-template-in-values.yaml.injected | 14 ++++++ .../inject/hello-tproxy-debug.yaml.injected | 15 +++++- .../inject/hello-tproxy.yaml.injected | 13 +++++ .../testdata/inject/hello.yaml.injected | 14 ++++++ .../inject/testdata/inject/job.yaml.injected | 14 ++++++ .../inject/kubevirtInterfaces.yaml.injected | 14 ++++++ .../kubevirtInterfaces_list.yaml.injected | 14 ++++++ .../inject/list-frontend.yaml.injected | 14 ++++++ .../inject/testdata/inject/list.yaml.injected | 28 +++++++++++ .../inject/multi-container.yaml.injected | 14 ++++++ .../testdata/inject/multi-init.yaml.injected | 14 ++++++ .../inject/pod-with-app.yaml.injected | 15 ++++++ .../inject/testdata/inject/pod.yaml.injected | 14 ++++++ .../testdata/inject/replicaset.yaml.injected | 14 ++++++ .../replicationcontroller.yaml.injected | 14 ++++++ .../testdata/inject/statefulset.yaml.injected | 14 ++++++ .../inject/status_annotations.yaml.injected | 14 ++++++ .../inject/status_params.yaml.injected | 14 ++++++ ...c-annotations-empty-includes.yaml.injected | 14 ++++++ ...raffic-annotations-wildcards.yaml.injected | 14 ++++++ .../inject/traffic-annotations.yaml.injected | 14 ++++++ ...raffic-params-empty-includes.yaml.injected | 14 ++++++ .../inject/traffic-params.yaml.injected | 14 ++++++ .../testdata/webhook/daemonset.yaml.injected | 14 ++++++ 
.../deploymentconfig-multi.yaml.injected | 14 ++++++ .../webhook/deploymentconfig.yaml.injected | 14 ++++++ .../testdata/webhook/frontend.yaml.injected | 14 ++++++ .../hello-config-map-name.yaml.injected | 14 ++++++ .../hello-mtls-not-ready.yaml.injected | 14 ++++++ .../webhook/hello-multi.yaml.injected | 28 +++++++++++ .../webhook/hello-probes.yaml.injected | 14 ++++++ .../inject/testdata/webhook/job.yaml.injected | 14 ++++++ .../webhook/list-frontend.yaml.injected | 14 ++++++ .../testdata/webhook/list.yaml.injected | 28 +++++++++++ .../testdata/webhook/multi-init.yaml.injected | 18 ++++++- .../testdata/webhook/replicaset.yaml.injected | 14 ++++++ .../replicationcontroller.yaml.injected | 14 ++++++ .../resource_annotations.yaml.injected | 14 ++++++ .../webhook/statefulset.yaml.injected | 14 ++++++ .../webhook/status_annotations.yaml.injected | 14 ++++++ ...c-annotations-empty-includes.yaml.injected | 14 ++++++ ...raffic-annotations-wildcards.yaml.injected | 14 ++++++ .../webhook/traffic-annotations.yaml.injected | 14 ++++++ .../webhook/user-volume.yaml.injected | 14 ++++++ 86 files changed, 1306 insertions(+), 21 deletions(-) diff --git a/install/kubernetes/helm/istio/files/injection-template.yaml b/install/kubernetes/helm/istio/files/injection-template.yaml index 7cbf4df5d435..b8da3237f776 100644 --- a/install/kubernetes/helm/istio/files/injection-template.yaml +++ b/install/kubernetes/helm/istio/files/injection-template.yaml @@ -43,14 +43,18 @@ initContainers: resources: {} {{- end }} securityContext: - runAsUser: 0 - runAsNonRoot: false + allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} capabilities: add: - NET_ADMIN - {{- if .Values.global.proxy.privileged }} - privileged: true - {{- end }} + - NET_RAW + drop: + - ALL + privileged: {{ .Values.global.proxy.privileged }} + readOnlyRootFilesystem: false + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 restartPolicy: Always {{- end }} {{ end -}} 
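Review bot: Dropping the `{{- if .Values.global.proxy.privileged }}` guard means `allowPrivilegeEscalation:` and `privileged:` in the istio-init securityContext now emit the raw value, so if `global.proxy.privileged` is ever absent from the injector's values the rendered scalar is not a boolean (`<no value>` or empty) and the injected pod spec is likely to be rejected, where the old template simply omitted the field; whether that can happen depends on the chart's values.yaml, which is outside this hunk. A guard that always yields a literal, e.g. `privileged: {{ if .Values.global.proxy.privileged }}true{{ else }}false{{ end }}` (and the same for `allowPrivilegeEscalation`), keeps the new explicit-field behaviour without that failure mode. It is also worth a one-line comment above `drop:` that `ALL` removes the runtime's default capability set, which is presumably why `NET_RAW` now has to be added back explicitly for istio-init alongside `NET_ADMIN`.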
@@ -65,9 +69,17 @@ initContainers: imagePullPolicy: IfNotPresent resources: {} securityContext: - runAsUser: 0 - runAsNonRoot: false + allowPrivilegeEscalation: true + capabilities: + add: + - SYS_ADMIN + drop: + - ALL privileged: true + readOnlyRootFilesystem: false + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 {{ end }} {{- end }} containers: @@ -288,21 +300,22 @@ containers: failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} {{ end -}} securityContext: - {{- if .Values.global.proxy.privileged }} - privileged: true - {{- end }} - {{- if ne .Values.global.proxy.enableCoreDump true }} - readOnlyRootFilesystem: true - {{- end }} - {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}} + allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} capabilities: + {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}} add: - NET_ADMIN + {{- end }} + drop: + - ALL + privileged: {{ .Values.global.proxy.privileged }} + readOnlyRootFilesystem: {{ not .Values.global.proxy.enableCoreDump }} runAsGroup: 1337 - {{ else -}} - {{ if .Values.global.sds.enabled }} - runAsGroup: 1337 - {{- end }} + {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}} + runAsNonRoot: false + runAsUser: 0 + {{- else -}} + runAsNonRoot: true runAsUser: 1337 {{- end }} resources: diff --git a/istioctl/cmd/testdata/uninject/cronjob-with-app.yaml.injected b/istioctl/cmd/testdata/uninject/cronjob-with-app.yaml.injected index a9375900a86b..beace2fe1db4 100644 --- a/istioctl/cmd/testdata/uninject/cronjob-with-app.yaml.injected +++ b/istioctl/cmd/testdata/uninject/cronjob-with-app.yaml.injected 
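Review bot: With `privileged: true` retained for the enable-core-dump init container, the new `capabilities: drop: [ALL] / add: [SYS_ADMIN]` pair does not actually restrict anything, since a privileged container is generally handed the full capability set by the runtime, so a reader may take this as a least-privilege boundary that is not there. A comment such as `# privileged is required here; the capability list documents intent and is not a restriction` would prevent that misreading. `allowPrivilegeEscalation: true` is the right companion value, because the API server rejects `privileged: true` combined with `allowPrivilegeEscalation: false`. The `{{ end }}` that closes the surrounding conditional is visible, but its opening `if` lies outside the hunk.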
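Review bot: The interception-mode lookup is now evaluated twice inside the same sidecar securityContext, once for `capabilities.add` and once for the runAsUser/runAsNonRoot branch, so the two conditions can drift if one is edited; computing it once, e.g. `{{- $tproxy := eq (annotation .ObjectMeta "sidecar.istio.io/interceptionMode" .ProxyConfig.InterceptionMode) "TPROXY" }}` just above `securityContext:` and then `{{ if $tproxy -}}` in both places, keeps them in lockstep. The TPROXY branch is also the only place the sidecar runs with `runAsUser: 0`, `runAsNonRoot: false` and `NET_ADMIN`, and nothing in the template says why; a comment like `# TPROXY needs NET_ADMIN and, presumably, uid 0 for transparent redirection; every other mode runs as 1337 non-root` would help anyone writing a PodSecurityPolicy or admission rule for these pods. The `{{ .Values.global.proxy.privileged }}` scalars here carry the same missing-value caveat as the istio-init hunk above.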
@@ -80,8 +80,14 @@ spec: cpu: 10m memory: 30Mi securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL privileged: false readOnlyRootFilesystem: true + runAsGroup: 1337 + runAsNonRoot: true runAsUser: 1337 volumeMounts: - mountPath: /etc/istio/proxy @@ -110,9 +116,18 @@ spec: name: istio-init resources: {} securityContext: + allowPrivilegeEscalation: false capabilities: add: - NET_ADMIN + - NET_RAW + drop: + - ALL + privileged: false + readOnlyRootFilesystem: false + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 restartPolicy: OnFailure volumes: - emptyDir: diff --git a/istioctl/cmd/testdata/uninject/cronjob.yaml.injected b/istioctl/cmd/testdata/uninject/cronjob.yaml.injected index d53b111571b9..9c8f2de5c5f3 100644 --- a/istioctl/cmd/testdata/uninject/cronjob.yaml.injected +++ b/istioctl/cmd/testdata/uninject/cronjob.yaml.injected @@ -102,7 +102,14 @@ spec: cpu: 100m memory: 128Mi securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false readOnlyRootFilesystem: true + runAsGroup: 1337 + runAsNonRoot: true runAsUser: 1337 volumeMounts: - mountPath: /etc/istio/proxy @@ -137,9 +144,16 @@ spec: cpu: 10m memory: 10Mi securityContext: + allowPrivilegeEscalation: false capabilities: add: - NET_ADMIN + - NET_RAW + drop: + - ALL + privileged: false + readOnlyRootFilesystem: false + runAsGroup: 0 runAsNonRoot: false runAsUser: 0 restartPolicy: OnFailure diff --git a/istioctl/cmd/testdata/uninject/daemonset.yaml.injected b/istioctl/cmd/testdata/uninject/daemonset.yaml.injected index 09a8d236f923..74ed61522a30 100644 --- a/istioctl/cmd/testdata/uninject/daemonset.yaml.injected +++ b/istioctl/cmd/testdata/uninject/daemonset.yaml.injected 
@@ -107,7 +107,14 @@ spec: cpu: 100m memory: 128Mi securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false readOnlyRootFilesystem: true + runAsGroup: 1337 + runAsNonRoot: true runAsUser: 1337 volumeMounts: - mountPath: /etc/istio/proxy @@ -142,9 +149,16 @@ spec: cpu: 10m memory: 10Mi securityContext: + allowPrivilegeEscalation: false capabilities: add: - NET_ADMIN + - NET_RAW + drop: + - ALL + privileged: false + readOnlyRootFilesystem: false + runAsGroup: 0 runAsNonRoot: false runAsUser: 0 volumes: diff --git a/istioctl/cmd/testdata/uninject/deploymentconfig-multi.yaml.injected b/istioctl/cmd/testdata/uninject/deploymentconfig-multi.yaml.injected index 37020dfde9c8..d12dd492f44b 100644 --- a/istioctl/cmd/testdata/uninject/deploymentconfig-multi.yaml.injected +++ b/istioctl/cmd/testdata/uninject/deploymentconfig-multi.yaml.injected @@ -126,7 +126,14 @@ items: cpu: 100m memory: 128Mi securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false readOnlyRootFilesystem: true + runAsGroup: 1337 + runAsNonRoot: true runAsUser: 1337 volumeMounts: - mountPath: /etc/istio/proxy @@ -161,9 +168,16 @@ items: cpu: 10m memory: 10Mi securityContext: + allowPrivilegeEscalation: false capabilities: add: - NET_ADMIN + - NET_RAW + drop: + - ALL + privileged: false + readOnlyRootFilesystem: false + runAsGroup: 0 runAsNonRoot: false runAsUser: 0 volumes: diff --git a/istioctl/cmd/testdata/uninject/deploymentconfig.yaml.injected b/istioctl/cmd/testdata/uninject/deploymentconfig.yaml.injected index b5e7f8d7a0cd..6f2f1fb5e5ae 100644 --- a/istioctl/cmd/testdata/uninject/deploymentconfig.yaml.injected +++ b/istioctl/cmd/testdata/uninject/deploymentconfig.yaml.injected 
@@ -111,7 +111,14 @@ spec: cpu: 100m memory: 128Mi securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false readOnlyRootFilesystem: true + runAsGroup: 1337 + runAsNonRoot: true runAsUser: 1337 volumeMounts: - mountPath: /etc/istio/proxy @@ -146,9 +153,16 @@ spec: cpu: 10m memory: 10Mi securityContext: + allowPrivilegeEscalation: false capabilities: add: - NET_ADMIN + - NET_RAW + drop: + - ALL + privileged: false + readOnlyRootFilesystem: false + runAsGroup: 0 runAsNonRoot: false runAsUser: 0 volumes: diff --git a/istioctl/cmd/testdata/uninject/enable-core-dump.yaml.injected b/istioctl/cmd/testdata/uninject/enable-core-dump.yaml.injected index 2c1394d4eaf6..bc0ccebfa8b9 100644 --- a/istioctl/cmd/testdata/uninject/enable-core-dump.yaml.injected +++ b/istioctl/cmd/testdata/uninject/enable-core-dump.yaml.injected @@ -112,6 +112,14 @@ spec: cpu: 100m memory: 128Mi securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 1337 + runAsNonRoot: true runAsUser: 1337 volumeMounts: - mountPath: /etc/istio/proxy @@ -146,9 +154,16 @@ spec: cpu: 10m memory: 10Mi securityContext: + allowPrivilegeEscalation: false capabilities: add: - NET_ADMIN + - NET_RAW + drop: + - ALL + privileged: false + readOnlyRootFilesystem: false + runAsGroup: 0 runAsNonRoot: false runAsUser: 0 - args: @@ -161,7 +176,15 @@ spec: name: enable-core-dump resources: {} securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - SYS_ADMIN + drop: + - ALL privileged: true + readOnlyRootFilesystem: false + runAsGroup: 0 runAsNonRoot: false runAsUser: 0 volumes: diff --git a/istioctl/cmd/testdata/uninject/job.yaml.injected b/istioctl/cmd/testdata/uninject/job.yaml.injected index f80e1bf30f83..58e39b64aabd 100644 --- a/istioctl/cmd/testdata/uninject/job.yaml.injected +++ b/istioctl/cmd/testdata/uninject/job.yaml.injected 
@@ -100,7 +100,14 @@ spec: cpu: 100m memory: 128Mi securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false readOnlyRootFilesystem: true + runAsGroup: 1337 + runAsNonRoot: true runAsUser: 1337 volumeMounts: - mountPath: /etc/istio/proxy @@ -135,9 +142,16 @@ spec: cpu: 10m memory: 10Mi securityContext: + allowPrivilegeEscalation: false capabilities: add: - NET_ADMIN + - NET_RAW + drop: + - ALL + privileged: false + readOnlyRootFilesystem: false + runAsGroup: 0 runAsNonRoot: false runAsUser: 0 restartPolicy: Never diff --git a/istioctl/cmd/testdata/uninject/list.yaml.injected b/istioctl/cmd/testdata/uninject/list.yaml.injected index 8a89884de596..f804bd9567ba 100644 --- a/istioctl/cmd/testdata/uninject/list.yaml.injected +++ b/istioctl/cmd/testdata/uninject/list.yaml.injected @@ -117,7 +117,14 @@ items: cpu: 100m memory: 128Mi securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false readOnlyRootFilesystem: true + runAsGroup: 1337 + runAsNonRoot: true runAsUser: 1337 volumeMounts: - mountPath: /etc/istio/proxy @@ -156,9 +163,16 @@ items: cpu: 10m memory: 10Mi securityContext: + allowPrivilegeEscalation: false capabilities: add: - NET_ADMIN + - NET_RAW + drop: + - ALL + privileged: false + readOnlyRootFilesystem: false + runAsGroup: 0 runAsNonRoot: false runAsUser: 0 volumes: @@ -291,7 +305,14 @@ items: cpu: 100m memory: 128Mi securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false readOnlyRootFilesystem: true + runAsGroup: 1337 + runAsNonRoot: true runAsUser: 1337 volumeMounts: - mountPath: /etc/istio/proxy @@ -326,9 +347,15 @@ items: cpu: 10m memory: 10Mi securityContext: + allowPrivilegeEscalation: false capabilities: add: - NET_ADMIN + drop: + - ALL + privileged: false + readOnlyRootFilesystem: false + runAsGroup: 0 runAsNonRoot: false runAsUser: 0 volumes: 
diff --git a/istioctl/cmd/testdata/uninject/pod.yaml.injected b/istioctl/cmd/testdata/uninject/pod.yaml.injected index 418a58297101..84af0ec85c03 100644 --- a/istioctl/cmd/testdata/uninject/pod.yaml.injected +++ b/istioctl/cmd/testdata/uninject/pod.yaml.injected @@ -95,7 +95,14 @@ spec: cpu: 100m memory: 128Mi securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false readOnlyRootFilesystem: true + runAsGroup: 1337 + runAsNonRoot: true runAsUser: 1337 volumeMounts: - mountPath: /etc/istio/proxy @@ -135,9 +142,16 @@ spec: cpu: 10m memory: 10Mi securityContext: + allowPrivilegeEscalation: false capabilities: add: - NET_ADMIN + - NET_RAW + drop: + - ALL + privileged: false + readOnlyRootFilesystem: false + runAsGroup: 0 runAsNonRoot: false runAsUser: 0 volumes: diff --git a/istioctl/cmd/testdata/uninject/replicaset.yaml.injected b/istioctl/cmd/testdata/uninject/replicaset.yaml.injected index aa69296989b7..c3d422b3c518 100644 --- a/istioctl/cmd/testdata/uninject/replicaset.yaml.injected +++ b/istioctl/cmd/testdata/uninject/replicaset.yaml.injected @@ -108,7 +108,14 @@ spec: cpu: 100m memory: 128Mi securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false readOnlyRootFilesystem: true + runAsGroup: 1337 + runAsNonRoot: true runAsUser: 1337 volumeMounts: - mountPath: /etc/istio/proxy @@ -143,9 +150,16 @@ spec: cpu: 10m memory: 10Mi securityContext: + allowPrivilegeEscalation: false capabilities: add: - NET_ADMIN + - NET_RAW + drop: + - ALL + privileged: false + readOnlyRootFilesystem: false + runAsGroup: 0 runAsNonRoot: false runAsUser: 0 volumes: diff --git a/istioctl/cmd/testdata/uninject/replicationcontroller.yaml.injected b/istioctl/cmd/testdata/uninject/replicationcontroller.yaml.injected index 2a9a8d232d92..ee3a6874cb9f 100644 --- a/istioctl/cmd/testdata/uninject/replicationcontroller.yaml.injected +++ b/istioctl/cmd/testdata/uninject/replicationcontroller.yaml.injected 
@@ -107,7 +107,14 @@ spec: cpu: 100m memory: 128Mi securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false readOnlyRootFilesystem: true + runAsGroup: 1337 + runAsNonRoot: true runAsUser: 1337 volumeMounts: - mountPath: /etc/istio/proxy @@ -142,9 +149,16 @@ spec: cpu: 10m memory: 10Mi securityContext: + allowPrivilegeEscalation: false capabilities: add: - NET_ADMIN + - NET_RAW + drop: + - ALL + privileged: false + readOnlyRootFilesystem: false + runAsGroup: 0 runAsNonRoot: false runAsUser: 0 volumes: diff --git a/istioctl/cmd/testdata/uninject/statefulset.yaml.injected b/istioctl/cmd/testdata/uninject/statefulset.yaml.injected index a35ee165eecc..953feab0b7ee 100644 --- a/istioctl/cmd/testdata/uninject/statefulset.yaml.injected +++ b/istioctl/cmd/testdata/uninject/statefulset.yaml.injected @@ -116,7 +116,14 @@ spec: cpu: 100m memory: 128Mi securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false readOnlyRootFilesystem: true + runAsGroup: 1337 + runAsNonRoot: true runAsUser: 1337 volumeMounts: - mountPath: /etc/istio/proxy @@ -151,9 +158,16 @@ spec: cpu: 10m memory: 10Mi securityContext: + allowPrivilegeEscalation: false capabilities: add: - NET_ADMIN + - NET_RAW + drop: + - ALL + privileged: false + readOnlyRootFilesystem: false + runAsGroup: 0 runAsNonRoot: false runAsUser: 0 volumes: diff --git a/pkg/kube/inject/testdata/inject/app_probe/hello-probes-with-flag-set-in-annotation.yaml.injected b/pkg/kube/inject/testdata/inject/app_probe/hello-probes-with-flag-set-in-annotation.yaml.injected index 9c2a6caa10f6..b9d3ea3dec8a 100644 --- a/pkg/kube/inject/testdata/inject/app_probe/hello-probes-with-flag-set-in-annotation.yaml.injected +++ b/pkg/kube/inject/testdata/inject/app_probe/hello-probes-with-flag-set-in-annotation.yaml.injected 
@@ -160,7 +160,14 @@ spec: cpu: 100m memory: 128Mi securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false readOnlyRootFilesystem: true + runAsGroup: 1337 + runAsNonRoot: true runAsUser: 1337 volumeMounts: - mountPath: /etc/istio/proxy @@ -198,9 +205,16 @@ spec: cpu: 10m memory: 10Mi securityContext: + allowPrivilegeEscalation: false capabilities: add: - NET_ADMIN + - NET_RAW + drop: + - ALL + privileged: false + readOnlyRootFilesystem: false + runAsGroup: 0 runAsNonRoot: false runAsUser: 0 volumes: diff --git a/pkg/kube/inject/testdata/inject/app_probe/hello-probes-with-flag-unset-in-annotation.yaml.injected b/pkg/kube/inject/testdata/inject/app_probe/hello-probes-with-flag-unset-in-annotation.yaml.injected index facd62115dcb..1f027ee8f509 100644 --- a/pkg/kube/inject/testdata/inject/app_probe/hello-probes-with-flag-unset-in-annotation.yaml.injected +++ b/pkg/kube/inject/testdata/inject/app_probe/hello-probes-with-flag-unset-in-annotation.yaml.injected @@ -155,7 +155,14 @@ spec: cpu: 100m memory: 128Mi securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false readOnlyRootFilesystem: true + runAsGroup: 1337 + runAsNonRoot: true runAsUser: 1337 volumeMounts: - mountPath: /etc/istio/proxy @@ -193,9 +200,16 @@ spec: cpu: 10m memory: 10Mi securityContext: + allowPrivilegeEscalation: false capabilities: add: - NET_ADMIN + - NET_RAW + drop: + - ALL + privileged: false + readOnlyRootFilesystem: false + runAsGroup: 0 runAsNonRoot: false runAsUser: 0 volumes: diff --git a/pkg/kube/inject/testdata/inject/app_probe/hello-probes.yaml.injected b/pkg/kube/inject/testdata/inject/app_probe/hello-probes.yaml.injected index 9a6f4b24ef63..3b4db9c784c2 100644 --- a/pkg/kube/inject/testdata/inject/app_probe/hello-probes.yaml.injected +++ b/pkg/kube/inject/testdata/inject/app_probe/hello-probes.yaml.injected 
@@ -156,7 +156,14 @@ spec: cpu: 100m memory: 128Mi securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false readOnlyRootFilesystem: true + runAsGroup: 1337 + runAsNonRoot: true runAsUser: 1337 volumeMounts: - mountPath: /etc/istio/proxy @@ -194,9 +201,16 @@ spec: cpu: 10m memory: 10Mi securityContext: + allowPrivilegeEscalation: false capabilities: add: - NET_ADMIN + - NET_RAW + drop: + - ALL + privileged: false + readOnlyRootFilesystem: false + runAsGroup: 0 runAsNonRoot: false runAsUser: 0 volumes: diff --git a/pkg/kube/inject/testdata/inject/app_probe/hello-readiness.yaml.injected b/pkg/kube/inject/testdata/inject/app_probe/hello-readiness.yaml.injected index bc9f4b625fe8..e7a1f23be920 100644 --- a/pkg/kube/inject/testdata/inject/app_probe/hello-readiness.yaml.injected +++ b/pkg/kube/inject/testdata/inject/app_probe/hello-readiness.yaml.injected @@ -136,7 +136,14 @@ spec: cpu: 100m memory: 128Mi securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false readOnlyRootFilesystem: true + runAsGroup: 1337 + runAsNonRoot: true runAsUser: 1337 volumeMounts: - mountPath: /etc/istio/proxy @@ -174,9 +181,16 @@ spec: cpu: 10m memory: 10Mi securityContext: + allowPrivilegeEscalation: false capabilities: add: - NET_ADMIN + - NET_RAW + drop: + - ALL + privileged: false + readOnlyRootFilesystem: false + runAsGroup: 0 runAsNonRoot: false runAsUser: 0 volumes: diff --git a/pkg/kube/inject/testdata/inject/app_probe/https-probes.yaml.injected b/pkg/kube/inject/testdata/inject/app_probe/https-probes.yaml.injected index 0288af46ba40..7035e51f1c50 100644 --- a/pkg/kube/inject/testdata/inject/app_probe/https-probes.yaml.injected +++ b/pkg/kube/inject/testdata/inject/app_probe/https-probes.yaml.injected 
@@ -157,7 +157,14 @@ spec: cpu: 100m memory: 128Mi securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false readOnlyRootFilesystem: true + runAsGroup: 1337 + runAsNonRoot: true runAsUser: 1337 volumeMounts: - mountPath: /etc/istio/proxy @@ -195,9 +202,16 @@ spec: cpu: 10m memory: 10Mi securityContext: + allowPrivilegeEscalation: false capabilities: add: - NET_ADMIN + - NET_RAW + drop: + - ALL + privileged: false + readOnlyRootFilesystem: false + runAsGroup: 0 runAsNonRoot: false runAsUser: 0 volumes: diff --git a/pkg/kube/inject/testdata/inject/app_probe/named_port.yaml.injected b/pkg/kube/inject/testdata/inject/app_probe/named_port.yaml.injected index d52752f841b6..3829841fb884 100644 --- a/pkg/kube/inject/testdata/inject/app_probe/named_port.yaml.injected +++ b/pkg/kube/inject/testdata/inject/app_probe/named_port.yaml.injected @@ -136,7 +136,14 @@ spec: cpu: 100m memory: 128Mi securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false readOnlyRootFilesystem: true + runAsGroup: 1337 + runAsNonRoot: true runAsUser: 1337 volumeMounts: - mountPath: /etc/istio/proxy @@ -174,9 +181,16 @@ spec: cpu: 10m memory: 10Mi securityContext: + allowPrivilegeEscalation: false capabilities: add: - NET_ADMIN + - NET_RAW + drop: + - ALL + privileged: false + readOnlyRootFilesystem: false + runAsGroup: 0 runAsNonRoot: false runAsUser: 0 volumes: diff --git a/pkg/kube/inject/testdata/inject/app_probe/one_container.yaml.injected b/pkg/kube/inject/testdata/inject/app_probe/one_container.yaml.injected index 97fbb05170fb..6de62cf7244e 100644 --- a/pkg/kube/inject/testdata/inject/app_probe/one_container.yaml.injected +++ b/pkg/kube/inject/testdata/inject/app_probe/one_container.yaml.injected 
@@ -140,7 +140,14 @@ spec: cpu: 100m memory: 128Mi securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false readOnlyRootFilesystem: true + runAsGroup: 1337 + runAsNonRoot: true runAsUser: 1337 volumeMounts: - mountPath: /etc/istio/proxy @@ -178,9 +185,16 @@ spec: cpu: 10m memory: 10Mi securityContext: + allowPrivilegeEscalation: false capabilities: add: - NET_ADMIN + - NET_RAW + drop: + - ALL + privileged: false + readOnlyRootFilesystem: false + runAsGroup: 0 runAsNonRoot: false runAsUser: 0 volumes: diff --git a/pkg/kube/inject/testdata/inject/app_probe/ready_live.yaml.injected b/pkg/kube/inject/testdata/inject/app_probe/ready_live.yaml.injected index 9a6f4b24ef63..3b4db9c784c2 100644 --- a/pkg/kube/inject/testdata/inject/app_probe/ready_live.yaml.injected +++ b/pkg/kube/inject/testdata/inject/app_probe/ready_live.yaml.injected @@ -156,7 +156,14 @@ spec: cpu: 100m memory: 128Mi securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false readOnlyRootFilesystem: true + runAsGroup: 1337 + runAsNonRoot: true runAsUser: 1337 volumeMounts: - mountPath: /etc/istio/proxy @@ -194,9 +201,16 @@ spec: cpu: 10m memory: 10Mi securityContext: + allowPrivilegeEscalation: false capabilities: add: - NET_ADMIN + - NET_RAW + drop: + - ALL + privileged: false + readOnlyRootFilesystem: false + runAsGroup: 0 runAsNonRoot: false runAsUser: 0 volumes: diff --git a/pkg/kube/inject/testdata/inject/app_probe/ready_only.yaml.injected b/pkg/kube/inject/testdata/inject/app_probe/ready_only.yaml.injected index 1f5b37da69fb..05b23111a7e9 100644 --- a/pkg/kube/inject/testdata/inject/app_probe/ready_only.yaml.injected +++ b/pkg/kube/inject/testdata/inject/app_probe/ready_only.yaml.injected 
@@ -136,7 +136,14 @@ spec: cpu: 100m memory: 128Mi securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false readOnlyRootFilesystem: true + runAsGroup: 1337 + runAsNonRoot: true runAsUser: 1337 volumeMounts: - mountPath: /etc/istio/proxy @@ -174,9 +181,16 @@ spec: cpu: 10m memory: 10Mi securityContext: + allowPrivilegeEscalation: false capabilities: add: - NET_ADMIN + - NET_RAW + drop: + - ALL + privileged: false + readOnlyRootFilesystem: false + runAsGroup: 0 runAsNonRoot: false runAsUser: 0 volumes: diff --git a/pkg/kube/inject/testdata/inject/app_probe/two_container.yaml.injected b/pkg/kube/inject/testdata/inject/app_probe/two_container.yaml.injected index 26bab3792447..3b7b3e125bc9 100644 --- a/pkg/kube/inject/testdata/inject/app_probe/two_container.yaml.injected +++ b/pkg/kube/inject/testdata/inject/app_probe/two_container.yaml.injected @@ -147,7 +147,14 @@ spec: cpu: 100m memory: 128Mi securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false readOnlyRootFilesystem: true + runAsGroup: 1337 + runAsNonRoot: true runAsUser: 1337 volumeMounts: - mountPath: /etc/istio/proxy @@ -185,9 +192,16 @@ spec: cpu: 10m memory: 10Mi securityContext: + allowPrivilegeEscalation: false capabilities: add: - NET_ADMIN + - NET_RAW + drop: + - ALL + privileged: false + readOnlyRootFilesystem: false + runAsGroup: 0 runAsNonRoot: false runAsUser: 0 volumes: diff --git a/pkg/kube/inject/testdata/inject/auth.cert-dir.yaml.injected b/pkg/kube/inject/testdata/inject/auth.cert-dir.yaml.injected index d57176756a11..d6d7fcd7f885 100644 --- a/pkg/kube/inject/testdata/inject/auth.cert-dir.yaml.injected +++ b/pkg/kube/inject/testdata/inject/auth.cert-dir.yaml.injected 
@@ -131,7 +131,14 @@ spec: cpu: 100m memory: 128Mi securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false readOnlyRootFilesystem: true + runAsGroup: 1337 + runAsNonRoot: true runAsUser: 1337 volumeMounts: - mountPath: /etc/istio/proxy @@ -169,9 +176,16 @@ spec: cpu: 10m memory: 10Mi securityContext: + allowPrivilegeEscalation: false capabilities: add: - NET_ADMIN + - NET_RAW + drop: + - ALL + privileged: false + readOnlyRootFilesystem: false + runAsGroup: 0 runAsNonRoot: false runAsUser: 0 volumes: diff --git a/pkg/kube/inject/testdata/inject/auth.non-default-service-account.yaml.injected b/pkg/kube/inject/testdata/inject/auth.non-default-service-account.yaml.injected index 9e520e34612e..a891c219a0c7 100644 --- a/pkg/kube/inject/testdata/inject/auth.non-default-service-account.yaml.injected +++ b/pkg/kube/inject/testdata/inject/auth.non-default-service-account.yaml.injected @@ -131,7 +131,14 @@ spec: cpu: 100m memory: 128Mi securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false readOnlyRootFilesystem: true + runAsGroup: 1337 + runAsNonRoot: true runAsUser: 1337 volumeMounts: - mountPath: /etc/istio/proxy @@ -169,9 +176,16 @@ spec: cpu: 10m memory: 10Mi securityContext: + allowPrivilegeEscalation: false capabilities: add: - NET_ADMIN + - NET_RAW + drop: + - ALL + privileged: false + readOnlyRootFilesystem: false + runAsGroup: 0 runAsNonRoot: false runAsUser: 0 serviceAccountName: non-default diff --git a/pkg/kube/inject/testdata/inject/auth.yaml.injected b/pkg/kube/inject/testdata/inject/auth.yaml.injected index d57176756a11..d6d7fcd7f885 100644 --- a/pkg/kube/inject/testdata/inject/auth.yaml.injected +++ b/pkg/kube/inject/testdata/inject/auth.yaml.injected 
@@ -131,7 +131,14 @@ spec: cpu: 100m memory: 128Mi securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false readOnlyRootFilesystem: true + runAsGroup: 1337 + runAsNonRoot: true runAsUser: 1337 volumeMounts: - mountPath: /etc/istio/proxy @@ -169,9 +176,16 @@ spec: cpu: 10m memory: 10Mi securityContext: + allowPrivilegeEscalation: false capabilities: add: - NET_ADMIN + - NET_RAW + drop: + - ALL + privileged: false + readOnlyRootFilesystem: false + runAsGroup: 0 runAsNonRoot: false runAsUser: 0 volumes: diff --git a/pkg/kube/inject/testdata/inject/cronjob-with-app.yaml.injected b/pkg/kube/inject/testdata/inject/cronjob-with-app.yaml.injected index 588130058662..8b8a239ea063 100644 --- a/pkg/kube/inject/testdata/inject/cronjob-with-app.yaml.injected +++ b/pkg/kube/inject/testdata/inject/cronjob-with-app.yaml.injected @@ -107,9 +107,18 @@ spec: name: istio-init resources: {} securityContext: + allowPrivilegeEscalation: false capabilities: add: - NET_ADMIN + - NET_RAW + drop: + - ALL + privileged: false + readOnlyRootFilesystem: false + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 restartPolicy: OnFailure volumes: - emptyDir: diff --git a/pkg/kube/inject/testdata/inject/cronjob.yaml.injected b/pkg/kube/inject/testdata/inject/cronjob.yaml.injected index b702234c6f54..277dede9968c 100644 --- a/pkg/kube/inject/testdata/inject/cronjob.yaml.injected +++ b/pkg/kube/inject/testdata/inject/cronjob.yaml.injected @@ -120,7 +120,14 @@ spec: cpu: 100m memory: 128Mi securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false readOnlyRootFilesystem: true + runAsGroup: 1337 + runAsNonRoot: true runAsUser: 1337 volumeMounts: - mountPath: /etc/istio/proxy 
@@ -158,9 +165,16 @@ spec: cpu: 10m memory: 10Mi securityContext: + allowPrivilegeEscalation: false capabilities: add: - NET_ADMIN + - NET_RAW + drop: + - ALL + privileged: false + readOnlyRootFilesystem: false + runAsGroup: 0 runAsNonRoot: false runAsUser: 0 restartPolicy: OnFailure diff --git a/pkg/kube/inject/testdata/inject/daemonset.yaml.injected b/pkg/kube/inject/testdata/inject/daemonset.yaml.injected index 3a98686eeb46..bf581aebd277 100644 --- a/pkg/kube/inject/testdata/inject/daemonset.yaml.injected +++ b/pkg/kube/inject/testdata/inject/daemonset.yaml.injected @@ -129,7 +129,14 @@ spec: cpu: 100m memory: 128Mi securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false readOnlyRootFilesystem: true + runAsGroup: 1337 + runAsNonRoot: true runAsUser: 1337 volumeMounts: - mountPath: /etc/istio/proxy @@ -167,9 +174,16 @@ spec: cpu: 10m memory: 10Mi securityContext: + allowPrivilegeEscalation: false capabilities: add: - NET_ADMIN + - NET_RAW + drop: + - ALL + privileged: false + readOnlyRootFilesystem: false + runAsGroup: 0 runAsNonRoot: false runAsUser: 0 volumes: diff --git a/pkg/kube/inject/testdata/inject/deploymentconfig-multi.yaml.injected b/pkg/kube/inject/testdata/inject/deploymentconfig-multi.yaml.injected index f42ea77a6b49..6ae65f2dfd53 100644 --- a/pkg/kube/inject/testdata/inject/deploymentconfig-multi.yaml.injected +++ b/pkg/kube/inject/testdata/inject/deploymentconfig-multi.yaml.injected @@ -144,7 +144,14 @@ items: cpu: 100m memory: 128Mi securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false readOnlyRootFilesystem: true + runAsGroup: 1337 + runAsNonRoot: true runAsUser: 1337 volumeMounts: - mountPath: /etc/istio/proxy 
@@ -182,9 +189,16 @@ items:
cpu: 10m
memory: 10Mi
securityContext:
+ allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
+ - NET_RAW
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: false
+ runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
volumes:
diff --git a/pkg/kube/inject/testdata/inject/deploymentconfig.yaml.injected b/pkg/kube/inject/testdata/inject/deploymentconfig.yaml.injected
index 274d279ae45b..23a00d0aee75 100644
--- a/pkg/kube/inject/testdata/inject/deploymentconfig.yaml.injected
+++ b/pkg/kube/inject/testdata/inject/deploymentconfig.yaml.injected
@@ -129,7 +129,14 @@ spec:
cpu: 100m
memory: 128Mi
securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
readOnlyRootFilesystem: true
+ runAsGroup: 1337
+ runAsNonRoot: true
runAsUser: 1337
volumeMounts:
- mountPath: /etc/istio/proxy
@@ -167,9 +174,16 @@ spec:
cpu: 10m
memory: 10Mi
securityContext:
+ allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
+ - NET_RAW
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: false
+ runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
volumes:
diff --git a/pkg/kube/inject/testdata/inject/enable-core-dump.yaml.injected b/pkg/kube/inject/testdata/inject/enable-core-dump.yaml.injected
index 6d154e0d10e1..796368ff3289 100644
--- a/pkg/kube/inject/testdata/inject/enable-core-dump.yaml.injected
+++ b/pkg/kube/inject/testdata/inject/enable-core-dump.yaml.injected
@@ -131,6 +131,14 @@ spec:
cpu: 100m
memory: 128Mi
securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: false
+ runAsGroup: 1337
+ runAsNonRoot: true
runAsUser: 1337
volumeMounts:
- mountPath: /etc/istio/proxy
@@ -168,9 +176,16 @@ spec:
cpu: 10m
memory: 10Mi
securityContext:
+ allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
+ - NET_RAW
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: false
+ runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
- args:
@@ -183,7 +198,15 @@ spec:
name: enable-core-dump
resources: {}
securityContext:
+ allowPrivilegeEscalation: true
+ capabilities:
+ add:
+ - SYS_ADMIN
+ drop:
+ - ALL
privileged: true
+ readOnlyRootFilesystem: false
+ runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
volumes:
diff --git a/pkg/kube/inject/testdata/inject/format-duration.yaml.injected b/pkg/kube/inject/testdata/inject/format-duration.yaml.injected
index f6aff8c1597b..8a03422b70bf 100644
--- a/pkg/kube/inject/testdata/inject/format-duration.yaml.injected
+++ b/pkg/kube/inject/testdata/inject/format-duration.yaml.injected
@@ -131,7 +131,14 @@ spec:
cpu: 100m
memory: 128Mi
securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
readOnlyRootFilesystem: true
+ runAsGroup: 1337
+ runAsNonRoot: true
runAsUser: 1337
volumeMounts:
- mountPath: /etc/istio/proxy
@@ -169,9 +176,16 @@ spec:
cpu: 10m
memory: 10Mi
securityContext:
+ allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
+ - NET_RAW
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: false
+ runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
volumes:
diff --git a/pkg/kube/inject/testdata/inject/frontend.yaml.injected b/pkg/kube/inject/testdata/inject/frontend.yaml.injected
index 7d20b419679a..f84e03c30e47 100644
--- a/pkg/kube/inject/testdata/inject/frontend.yaml.injected
+++ b/pkg/kube/inject/testdata/inject/frontend.yaml.injected
@@ -146,7 +146,14 @@ spec:
cpu: 100m
memory: 128Mi
securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
readOnlyRootFilesystem: true
+ runAsGroup: 1337
+ runAsNonRoot: true
runAsUser: 1337
volumeMounts:
- mountPath: /etc/istio/proxy
@@ -184,9 +191,16 @@ spec:
cpu: 10m
memory: 10Mi
securityContext:
+ allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
+ - NET_RAW
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: false
+ runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
volumes:
diff --git a/pkg/kube/inject/testdata/inject/hello-always.yaml.injected b/pkg/kube/inject/testdata/inject/hello-always.yaml.injected
index 6623814ef6b7..6b511c40ad41 100644
--- a/pkg/kube/inject/testdata/inject/hello-always.yaml.injected
+++ b/pkg/kube/inject/testdata/inject/hello-always.yaml.injected
@@ -131,7 +131,14 @@ spec:
cpu: 100m
memory: 128Mi
securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
readOnlyRootFilesystem: true
+ runAsGroup: 1337
+ runAsNonRoot: true
runAsUser: 1337
volumeMounts:
- mountPath: /etc/istio/proxy
@@ -169,9 +176,16 @@ spec:
cpu: 10m
memory: 10Mi
securityContext:
+ allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
+ - NET_RAW
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: false
+ runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
volumes:
diff --git a/pkg/kube/inject/testdata/inject/hello-config-map-name.yaml.injected b/pkg/kube/inject/testdata/inject/hello-config-map-name.yaml.injected
index d57176756a11..d6d7fcd7f885 100644
--- a/pkg/kube/inject/testdata/inject/hello-config-map-name.yaml.injected
+++ b/pkg/kube/inject/testdata/inject/hello-config-map-name.yaml.injected
@@ -131,7 +131,14 @@ spec:
cpu: 100m
memory: 128Mi
securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
readOnlyRootFilesystem: true
+ runAsGroup: 1337
+ runAsNonRoot: true
runAsUser: 1337
volumeMounts:
- mountPath: /etc/istio/proxy
@@ -169,9 +176,16 @@ spec:
cpu: 10m
memory: 10Mi
securityContext:
+ allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
+ - NET_RAW
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: false
+ runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
volumes:
diff --git a/pkg/kube/inject/testdata/inject/hello-ignore.yaml.injected b/pkg/kube/inject/testdata/inject/hello-ignore.yaml.injected
index d086a88401b6..931cd9f6be3d 100644
--- a/pkg/kube/inject/testdata/inject/hello-ignore.yaml.injected
+++ b/pkg/kube/inject/testdata/inject/hello-ignore.yaml.injected
@@ -135,7 +135,14 @@ spec:
cpu: 100m
memory: 128Mi
securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
readOnlyRootFilesystem: true
+ runAsGroup: 1337
+ runAsNonRoot: true
runAsUser: 1337
volumeMounts:
- mountPath: /etc/istio/proxy
@@ -173,9 +180,16 @@ spec:
cpu: 10m
memory: 10Mi
securityContext:
+ allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
+ - NET_RAW
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: false
+ runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
volumes:
diff --git a/pkg/kube/inject/testdata/inject/hello-mtls-not-ready.yaml.injected b/pkg/kube/inject/testdata/inject/hello-mtls-not-ready.yaml.injected
index 2982fc9c42fe..b7c2f596355c 100644
--- a/pkg/kube/inject/testdata/inject/hello-mtls-not-ready.yaml.injected
+++ b/pkg/kube/inject/testdata/inject/hello-mtls-not-ready.yaml.injected
@@ -131,7 +131,14 @@ spec:
cpu: 100m
memory: 128Mi
securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
readOnlyRootFilesystem: true
+ runAsGroup: 1337
+ runAsNonRoot: true
runAsUser: 1337
volumeMounts:
- mountPath: /etc/istio/proxy
@@ -169,9 +176,16 @@ spec:
cpu: 10m
memory: 10Mi
securityContext:
+ allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
+ - NET_RAW
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: false
+ runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
volumes:
diff --git a/pkg/kube/inject/testdata/inject/hello-multi.yaml.injected b/pkg/kube/inject/testdata/inject/hello-multi.yaml.injected
index e74619f5d735..ce51b332c820 100644
--- a/pkg/kube/inject/testdata/inject/hello-multi.yaml.injected
+++ b/pkg/kube/inject/testdata/inject/hello-multi.yaml.injected
@@ -133,7 +133,14 @@ spec:
cpu: 100m
memory: 128Mi
securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
readOnlyRootFilesystem: true
+ runAsGroup: 1337
+ runAsNonRoot: true
runAsUser: 1337
volumeMounts:
- mountPath: /etc/istio/proxy
@@ -171,9 +178,16 @@ spec:
cpu: 10m
memory: 10Mi
securityContext:
+ allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
+ - NET_RAW
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: false
+ runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
volumes:
@@ -321,7 +335,14 @@ spec:
cpu: 100m
memory: 128Mi
securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
readOnlyRootFilesystem: true
+ runAsGroup: 1337
+ runAsNonRoot: true
runAsUser: 1337
volumeMounts:
- mountPath: /etc/istio/proxy
@@ -359,9 +380,16 @@ spec:
cpu: 10m
memory: 10Mi
securityContext:
+ allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
+ - NET_RAW
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: false
+ runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
volumes:
diff --git a/pkg/kube/inject/testdata/inject/hello-namespace.yaml.injected b/pkg/kube/inject/testdata/inject/hello-namespace.yaml.injected
index e513e57c088a..2173730bd6a0 100644
--- a/pkg/kube/inject/testdata/inject/hello-namespace.yaml.injected
+++ b/pkg/kube/inject/testdata/inject/hello-namespace.yaml.injected
@@ -132,7 +132,14 @@ spec:
cpu: 100m
memory: 128Mi
securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
readOnlyRootFilesystem: true
+ runAsGroup: 1337
+ runAsNonRoot: true
runAsUser: 1337
volumeMounts:
- mountPath: /etc/istio/proxy
@@ -170,9 +177,16 @@ spec:
cpu: 10m
memory: 10Mi
securityContext:
+ allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
+ - NET_RAW
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: false
+ runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
volumes:
diff --git a/pkg/kube/inject/testdata/inject/hello-never.yaml.injected b/pkg/kube/inject/testdata/inject/hello-never.yaml.injected
index 549ae24b7131..67562b4aabd3 100644
--- a/pkg/kube/inject/testdata/inject/hello-never.yaml.injected
+++ b/pkg/kube/inject/testdata/inject/hello-never.yaml.injected
@@ -131,7 +131,14 @@ spec:
cpu: 100m
memory: 128Mi
securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
readOnlyRootFilesystem: true
+ runAsGroup: 1337
+ runAsNonRoot: true
runAsUser: 1337
volumeMounts:
- mountPath: /etc/istio/proxy
@@ -169,9 +176,16 @@ spec:
cpu: 10m
memory: 10Mi
securityContext:
+ allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
+ - NET_RAW
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: false
+ runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
volumes:
diff --git a/pkg/kube/inject/testdata/inject/hello-proxy-override.yaml.injected b/pkg/kube/inject/testdata/inject/hello-proxy-override.yaml.injected
index 9fc675d9db7e..c19d3e43c0ac 100644
--- a/pkg/kube/inject/testdata/inject/hello-proxy-override.yaml.injected
+++ b/pkg/kube/inject/testdata/inject/hello-proxy-override.yaml.injected
@@ -135,7 +135,14 @@ spec:
cpu: 100m
memory: 128Mi
securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
readOnlyRootFilesystem: true
+ runAsGroup: 1337
+ runAsNonRoot: true
runAsUser: 1337
volumeMounts:
- mountPath: /etc/istio/proxy
@@ -173,9 +180,16 @@ spec:
cpu: 10m
memory: 10Mi
securityContext:
+ allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
+ - NET_RAW
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: false
+ runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
volumes:
diff --git a/pkg/kube/inject/testdata/inject/hello-template-in-values.yaml.injected b/pkg/kube/inject/testdata/inject/hello-template-in-values.yaml.injected
index 1a04d6a5fbc2..e44d4bfdac68 100644
--- a/pkg/kube/inject/testdata/inject/hello-template-in-values.yaml.injected
+++ b/pkg/kube/inject/testdata/inject/hello-template-in-values.yaml.injected
@@ -131,7 +131,14 @@ spec:
cpu: 100m
memory: 128Mi
securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
readOnlyRootFilesystem: true
+ runAsGroup: 1337
+ runAsNonRoot: true
runAsUser: 1337
volumeMounts:
- mountPath: /etc/istio/proxy
@@ -173,9 +180,16 @@ spec:
cpu: 10m
memory: 10Mi
securityContext:
+ allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
+ - NET_RAW
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: false
+ runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
volumes:
diff --git a/pkg/kube/inject/testdata/inject/hello-tproxy-debug.yaml.injected b/pkg/kube/inject/testdata/inject/hello-tproxy-debug.yaml.injected
index af71f4b0adf7..92d4e7e730f8 100644
--- a/pkg/kube/inject/testdata/inject/hello-tproxy-debug.yaml.injected
+++ b/pkg/kube/inject/testdata/inject/hello-tproxy-debug.yaml.injected
@@ -89,12 +89,17 @@ spec:
cpu: 10m
memory: 30Mi
securityContext:
+ allowPrivilegeEscalation: true
capabilities:
add:
- NET_ADMIN
+ drop:
+ - ALL
privileged: true
readOnlyRootFilesystem: false
- runAsUser: 1337
+ runAsGroup: 1337
+ runAsNonRoot: false
+ runAsUser: 0
volumeMounts:
- mountPath: /etc/istio/proxy
name: istio-envoy
@@ -122,10 +127,18 @@ spec:
name: istio-init
resources: {}
securityContext:
+ allowPrivilegeEscalation: true
capabilities:
add:
- NET_ADMIN
+ - NET_RAW
+ drop:
+ - ALL
privileged: true
+ readOnlyRootFilesystem: false
+ runAsGroup: 0
+ runAsNonRoot: false
+ runAsUser: 0
volumes:
- emptyDir:
medium: Memory
diff --git a/pkg/kube/inject/testdata/inject/hello-tproxy.yaml.injected b/pkg/kube/inject/testdata/inject/hello-tproxy.yaml.injected
index 20318c9edc1f..c117b5e9b83b 100644
--- a/pkg/kube/inject/testdata/inject/hello-tproxy.yaml.injected
+++ b/pkg/kube/inject/testdata/inject/hello-tproxy.yaml.injected
@@ -118,11 +118,17 @@ spec:
cpu: 100m
memory: 128Mi
securityContext:
+ allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
+ drop:
+ - ALL
+ privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1337
+ runAsNonRoot: false
+ runAsUser: 0
volumeMounts:
- mountPath: /etc/istio/proxy
name: istio-envoy
@@ -159,9 +165,16 @@ spec:
cpu: 10m
memory: 10Mi
securityContext:
+ allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
+ - NET_RAW
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: false
+ runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
volumes:
diff --git a/pkg/kube/inject/testdata/inject/hello.yaml.injected b/pkg/kube/inject/testdata/inject/hello.yaml.injected
index d57176756a11..d6d7fcd7f885 100644
--- a/pkg/kube/inject/testdata/inject/hello.yaml.injected
+++ b/pkg/kube/inject/testdata/inject/hello.yaml.injected
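Review bot: The hello-tproxy-debug hunk changes a value rather than only adding fields: the sidecar's `runAsUser: 1337` line is removed and the new expectation pins `runAsUser: 0` with `runAsNonRoot: false` (alongside `allowPrivilegeEscalation: true` and `privileged: true`), while the commit description only speaks of adding the missing securityContext fields. If running the TPROXY sidecar as uid 0 is intended, that is a privilege change rather than a fixture refresh and deserves a sentence in the description; the template that produces these golden files is outside this chunk, so the intent cannot be confirmed here. The same applies to the hello-tproxy hunk on this line, where `runAsNonRoot: false` / `runAsUser: 0` now appear next to the pre-existing `runAsGroup: 1337`. With `privileged: true` in the debug variant, the added `drop: [ALL]` does not constrain the container, so that expectation is best read as documenting an elevated profile rather than a hardening.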
@@ -131,7 +131,14 @@ spec:
cpu: 100m
memory: 128Mi
securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
readOnlyRootFilesystem: true
+ runAsGroup: 1337
+ runAsNonRoot: true
runAsUser: 1337
volumeMounts:
- mountPath: /etc/istio/proxy
@@ -169,9 +176,16 @@ spec:
cpu: 10m
memory: 10Mi
securityContext:
+ allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
+ - NET_RAW
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: false
+ runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
volumes:
diff --git a/pkg/kube/inject/testdata/inject/job.yaml.injected b/pkg/kube/inject/testdata/inject/job.yaml.injected
index b2e204a63529..7ec05e08a24a 100644
--- a/pkg/kube/inject/testdata/inject/job.yaml.injected
+++ b/pkg/kube/inject/testdata/inject/job.yaml.injected
@@ -118,7 +118,14 @@ spec:
cpu: 100m
memory: 128Mi
securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
readOnlyRootFilesystem: true
+ runAsGroup: 1337
+ runAsNonRoot: true
runAsUser: 1337
volumeMounts:
- mountPath: /etc/istio/proxy
@@ -156,9 +163,16 @@ spec:
cpu: 10m
memory: 10Mi
securityContext:
+ allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
+ - NET_RAW
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: false
+ runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
restartPolicy: Never
diff --git a/pkg/kube/inject/testdata/inject/kubevirtInterfaces.yaml.injected b/pkg/kube/inject/testdata/inject/kubevirtInterfaces.yaml.injected
index 0c0fdf3b13cf..99e9bbe5028f 100644
--- a/pkg/kube/inject/testdata/inject/kubevirtInterfaces.yaml.injected
+++ b/pkg/kube/inject/testdata/inject/kubevirtInterfaces.yaml.injected
@@ -135,7 +135,14 @@ spec:
cpu: 100m
memory: 128Mi
securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
readOnlyRootFilesystem: true
+ runAsGroup: 1337
+ runAsNonRoot: true
runAsUser: 1337
volumeMounts:
- mountPath: /etc/istio/proxy
@@ -175,9 +182,16 @@ spec:
cpu: 10m
memory: 10Mi
securityContext:
+ allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
+ - NET_RAW
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: false
+ runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
volumes:
diff --git a/pkg/kube/inject/testdata/inject/kubevirtInterfaces_list.yaml.injected b/pkg/kube/inject/testdata/inject/kubevirtInterfaces_list.yaml.injected
index 011f8b6e22be..e8ac0ccae972 100644
--- a/pkg/kube/inject/testdata/inject/kubevirtInterfaces_list.yaml.injected
+++ b/pkg/kube/inject/testdata/inject/kubevirtInterfaces_list.yaml.injected
@@ -135,7 +135,14 @@ spec:
cpu: 100m
memory: 128Mi
securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
readOnlyRootFilesystem: true
+ runAsGroup: 1337
+ runAsNonRoot: true
runAsUser: 1337
volumeMounts:
- mountPath: /etc/istio/proxy
@@ -175,9 +182,16 @@ spec:
cpu: 10m
memory: 10Mi
securityContext:
+ allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
+ - NET_RAW
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: false
+ runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
volumes:
diff --git a/pkg/kube/inject/testdata/inject/list-frontend.yaml.injected b/pkg/kube/inject/testdata/inject/list-frontend.yaml.injected
index a0601ce5f85a..5dda501e723d 100644
--- a/pkg/kube/inject/testdata/inject/list-frontend.yaml.injected
+++ b/pkg/kube/inject/testdata/inject/list-frontend.yaml.injected
@@ -147,7 +147,14 @@ items:
cpu: 100m
memory: 128Mi
securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
readOnlyRootFilesystem: true
+ runAsGroup: 1337
+ runAsNonRoot: true
runAsUser: 1337
volumeMounts:
- mountPath: /etc/istio/proxy
@@ -185,9 +192,16 @@ items:
cpu: 10m
memory: 10Mi
securityContext:
+ allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
+ - NET_RAW
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: false
+ runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
volumes:
diff --git a/pkg/kube/inject/testdata/inject/list.yaml.injected b/pkg/kube/inject/testdata/inject/list.yaml.injected
index 50ad67f8ca97..2a3b3795d617 100644
--- a/pkg/kube/inject/testdata/inject/list.yaml.injected
+++ b/pkg/kube/inject/testdata/inject/list.yaml.injected
@@ -135,7 +135,14 @@ items:
cpu: 100m
memory: 128Mi
securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
readOnlyRootFilesystem: true
+ runAsGroup: 1337
+ runAsNonRoot: true
runAsUser: 1337
volumeMounts:
- mountPath: /etc/istio/proxy
@@ -173,9 +180,16 @@ items:
cpu: 10m
memory: 10Mi
securityContext:
+ allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
+ - NET_RAW
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: false
+ runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
volumes:
@@ -322,7 +336,14 @@ items:
cpu: 100m
memory: 128Mi
securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
readOnlyRootFilesystem: true
+ runAsGroup: 1337
+ runAsNonRoot: true
runAsUser: 1337
volumeMounts:
- mountPath: /etc/istio/proxy
@@ -360,9 +381,16 @@ items:
cpu: 10m
memory: 10Mi
securityContext:
+ allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
+ - NET_RAW
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: false
+ runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
volumes:
diff --git a/pkg/kube/inject/testdata/inject/multi-container.yaml.injected b/pkg/kube/inject/testdata/inject/multi-container.yaml.injected
index b7ca088c02af..79d0da058808 100644
--- a/pkg/kube/inject/testdata/inject/multi-container.yaml.injected
+++ b/pkg/kube/inject/testdata/inject/multi-container.yaml.injected
@@ -133,7 +133,14 @@ spec:
cpu: 100m
memory: 128Mi
securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
readOnlyRootFilesystem: true
+ runAsGroup: 1337
+ runAsNonRoot: true
runAsUser: 1337
volumeMounts:
- mountPath: /etc/istio/proxy
@@ -171,9 +178,16 @@ spec:
cpu: 10m
memory: 10Mi
securityContext:
+ allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
+ - NET_RAW
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: false
+ runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
volumes:
diff --git a/pkg/kube/inject/testdata/inject/multi-init.yaml.injected b/pkg/kube/inject/testdata/inject/multi-init.yaml.injected
index d3421decfedf..b550ecf84048 100644
--- a/pkg/kube/inject/testdata/inject/multi-init.yaml.injected
+++ b/pkg/kube/inject/testdata/inject/multi-init.yaml.injected
@@ -131,7 +131,14 @@ spec:
cpu: 100m
memory: 128Mi
securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
readOnlyRootFilesystem: true
+ runAsGroup: 1337
+ runAsNonRoot: true
runAsUser: 1337
volumeMounts:
- mountPath: /etc/istio/proxy
@@ -183,9 +190,16 @@ spec:
cpu: 10m
memory: 10Mi
securityContext:
+ allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
+ - NET_RAW
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: false
+ runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
volumes:
diff --git a/pkg/kube/inject/testdata/inject/pod-with-app.yaml.injected b/pkg/kube/inject/testdata/inject/pod-with-app.yaml.injected
index d295cea9560d..52ba6cdb7098 100644
--- a/pkg/kube/inject/testdata/inject/pod-with-app.yaml.injected
+++ b/pkg/kube/inject/testdata/inject/pod-with-app.yaml.injected
@@ -73,8 +73,14 @@ spec:
cpu: 10m
memory: 30Mi
securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
privileged: false
readOnlyRootFilesystem: true
+ runAsGroup: 1337
+ runAsNonRoot: true
runAsUser: 1337
volumeMounts:
- mountPath: /etc/istio/proxy
@@ -103,9 +109,18 @@ spec:
name: istio-init
resources: {}
securityContext:
+ allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
+ - NET_RAW
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: false
+ runAsGroup: 0
+ runAsNonRoot: false
+ runAsUser: 0
volumes:
- emptyDir:
medium: Memory
diff --git a/pkg/kube/inject/testdata/inject/pod.yaml.injected b/pkg/kube/inject/testdata/inject/pod.yaml.injected
index 32a18a660409..42e405350334 100644
--- a/pkg/kube/inject/testdata/inject/pod.yaml.injected
+++ b/pkg/kube/inject/testdata/inject/pod.yaml.injected
@@ -114,7 +114,14 @@ spec:
cpu: 100m
memory: 128Mi
securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
readOnlyRootFilesystem: true
+ runAsGroup: 1337
+ runAsNonRoot: true
runAsUser: 1337
volumeMounts:
- mountPath: /etc/istio/proxy
@@ -152,9 +159,16 @@ spec:
cpu: 10m
memory: 10Mi
securityContext:
+ allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
+ - NET_RAW
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: false
+ runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
volumes:
diff --git a/pkg/kube/inject/testdata/inject/replicaset.yaml.injected b/pkg/kube/inject/testdata/inject/replicaset.yaml.injected
index 139249ca2fc0..4ca0f576ffca 100644
--- a/pkg/kube/inject/testdata/inject/replicaset.yaml.injected
+++ b/pkg/kube/inject/testdata/inject/replicaset.yaml.injected
@@ -126,7 +126,14 @@ spec:
cpu: 100m
memory: 128Mi
securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
readOnlyRootFilesystem: true
+ runAsGroup: 1337
+ runAsNonRoot: true
runAsUser: 1337
volumeMounts:
- mountPath: /etc/istio/proxy
@@ -164,9 +171,16 @@ spec:
cpu: 10m
memory: 10Mi
securityContext:
+ allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
+ - NET_RAW
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: false
+ runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
volumes:
diff --git a/pkg/kube/inject/testdata/inject/replicationcontroller.yaml.injected b/pkg/kube/inject/testdata/inject/replicationcontroller.yaml.injected
index fd4890022dc0..d038354d7dfd 100644
--- a/pkg/kube/inject/testdata/inject/replicationcontroller.yaml.injected
+++ b/pkg/kube/inject/testdata/inject/replicationcontroller.yaml.injected
@@ -125,7 +125,14 @@ spec:
cpu: 100m
memory: 128Mi
securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
readOnlyRootFilesystem: true
+ runAsGroup: 1337
+ runAsNonRoot: true
runAsUser: 1337
volumeMounts:
- mountPath: /etc/istio/proxy
@@ -163,9 +170,16 @@ spec:
cpu: 10m
memory: 10Mi
securityContext:
+ allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
+ - NET_RAW
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: false
+ runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
volumes:
diff --git a/pkg/kube/inject/testdata/inject/statefulset.yaml.injected b/pkg/kube/inject/testdata/inject/statefulset.yaml.injected
index 4d8029844a86..91aea4242f41 100644
--- a/pkg/kube/inject/testdata/inject/statefulset.yaml.injected
+++ b/pkg/kube/inject/testdata/inject/statefulset.yaml.injected
@@ -134,7 +134,14 @@ spec:
cpu: 100m
memory: 128Mi
securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
readOnlyRootFilesystem: true
+ runAsGroup: 1337
+ runAsNonRoot: true
runAsUser: 1337
volumeMounts:
- mountPath: /etc/istio/proxy
@@ -172,9 +179,16 @@ spec:
cpu: 10m
memory: 10Mi
securityContext:
+ allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
+ - NET_RAW
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: false
+ runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
volumes:
diff --git a/pkg/kube/inject/testdata/inject/status_annotations.yaml.injected b/pkg/kube/inject/testdata/inject/status_annotations.yaml.injected
index d83f1ac1ce1a..7fcc488d5ec8 100644
--- a/pkg/kube/inject/testdata/inject/status_annotations.yaml.injected
+++ b/pkg/kube/inject/testdata/inject/status_annotations.yaml.injected
@@ -135,7 +135,14 @@ spec:
cpu: 100m
memory: 128Mi
securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
readOnlyRootFilesystem: true
+ runAsGroup: 1337
+ runAsNonRoot: true
runAsUser: 1337
volumeMounts:
- mountPath: /etc/istio/proxy
@@ -173,9 +180,16 @@ spec:
cpu: 10m
memory: 10Mi
securityContext:
+ allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
+ - NET_RAW
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: false
+ runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
volumes:
diff --git a/pkg/kube/inject/testdata/inject/status_params.yaml.injected b/pkg/kube/inject/testdata/inject/status_params.yaml.injected
index 64e6e0094f82..bf7be2f731b5 100644
--- a/pkg/kube/inject/testdata/inject/status_params.yaml.injected
+++ b/pkg/kube/inject/testdata/inject/status_params.yaml.injected
@@ -127,7 +127,14 @@ spec:
cpu: 100m
memory: 128Mi
securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
readOnlyRootFilesystem: true
+ runAsGroup: 1337
+ runAsNonRoot: true
runAsUser: 1337
volumeMounts:
- mountPath: /etc/istio/proxy
@@ -165,9 +172,16 @@ spec:
cpu: 10m
memory: 10Mi
securityContext:
+ allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
+ - NET_RAW
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: false
+ runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
volumes:
diff --git a/pkg/kube/inject/testdata/inject/traffic-annotations-empty-includes.yaml.injected b/pkg/kube/inject/testdata/inject/traffic-annotations-empty-includes.yaml.injected
index 63388e167441..52ffd1b335df 100644
--- a/pkg/kube/inject/testdata/inject/traffic-annotations-empty-includes.yaml.injected
+++ b/pkg/kube/inject/testdata/inject/traffic-annotations-empty-includes.yaml.injected
@@ -130,7 +130,14 @@ spec:
cpu: 100m
memory: 128Mi
securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
readOnlyRootFilesystem: true
+ runAsGroup: 1337
+ runAsNonRoot: true
runAsUser: 1337
volumeMounts:
- mountPath: /etc/istio/proxy
@@ -168,9 +175,16 @@ spec:
cpu: 10m
memory: 10Mi
securityContext:
+ allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
+ - NET_RAW
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: false
+ runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
volumes:
diff --git a/pkg/kube/inject/testdata/inject/traffic-annotations-wildcards.yaml.injected b/pkg/kube/inject/testdata/inject/traffic-annotations-wildcards.yaml.injected
index 07024f8da3ff..f202f734e7ca 100644
--- a/pkg/kube/inject/testdata/inject/traffic-annotations-wildcards.yaml.injected
+++ b/pkg/kube/inject/testdata/inject/traffic-annotations-wildcards.yaml.injected
@@ -131,7 +131,14 @@ spec:
cpu: 100m
memory: 128Mi
securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
readOnlyRootFilesystem: true
+ runAsGroup: 1337
+ runAsNonRoot: true
runAsUser: 1337
volumeMounts:
- mountPath: /etc/istio/proxy
@@ -169,9 +176,16 @@ spec:
cpu: 10m
memory: 10Mi
securityContext:
+ allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
+ - NET_RAW
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: false
+ runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
volumes:
diff --git a/pkg/kube/inject/testdata/inject/traffic-annotations.yaml.injected b/pkg/kube/inject/testdata/inject/traffic-annotations.yaml.injected
index 5abd827dde17..334ec8a60799 100644
--- a/pkg/kube/inject/testdata/inject/traffic-annotations.yaml.injected
+++ b/pkg/kube/inject/testdata/inject/traffic-annotations.yaml.injected
@@ -132,7 +132,14 @@ spec:
cpu: 100m
memory: 128Mi
securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
readOnlyRootFilesystem: true
+ runAsGroup: 1337
+ runAsNonRoot: true
runAsUser: 1337
volumeMounts:
- mountPath: /etc/istio/proxy
@@ -172,9 +179,16 @@ spec:
cpu: 10m
memory: 10Mi
securityContext:
+ allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
+ - NET_RAW
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: false
+ runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
volumes:
diff --git a/pkg/kube/inject/testdata/inject/traffic-params-empty-includes.yaml.injected b/pkg/kube/inject/testdata/inject/traffic-params-empty-includes.yaml.injected
index 3dd365c6e09d..8186ef385029 100644
--- a/pkg/kube/inject/testdata/inject/traffic-params-empty-includes.yaml.injected
+++ b/pkg/kube/inject/testdata/inject/traffic-params-empty-includes.yaml.injected
@@ -126,7 +126,14 @@ spec:
cpu: 100m
memory: 128Mi
securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
readOnlyRootFilesystem: true
+ runAsGroup: 1337
+ runAsNonRoot: true
runAsUser: 1337
volumeMounts:
- mountPath: /etc/istio/proxy
@@ -164,9 +171,16 @@ spec:
cpu: 10m
memory: 10Mi
securityContext:
+ allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
+ - NET_RAW
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: false
+ runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
volumes:
diff --git a/pkg/kube/inject/testdata/inject/traffic-params.yaml.injected b/pkg/kube/inject/testdata/inject/traffic-params.yaml.injected
index f43888d2f8c9..63a042ab4021 100644
--- a/pkg/kube/inject/testdata/inject/traffic-params.yaml.injected
+++ b/pkg/kube/inject/testdata/inject/traffic-params.yaml.injected
@@ -117,7 +117,14 @@ spec:
cpu: 100m
memory: 128Mi
securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
readOnlyRootFilesystem: true
+ runAsGroup: 1337
+ runAsNonRoot: true
runAsUser: 1337
volumeMounts:
- mountPath: /etc/istio/proxy
@@ -155,9 +162,16 @@ spec:
cpu: 10m
memory: 10Mi
securityContext:
+ allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
+ - NET_RAW
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: false
+ runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
volumes:
diff --git a/pkg/kube/inject/testdata/webhook/daemonset.yaml.injected b/pkg/kube/inject/testdata/webhook/daemonset.yaml.injected
index 6ab27cda58d4..1fc94b12debc 100644
--- a/pkg/kube/inject/testdata/webhook/daemonset.yaml.injected
+++ b/pkg/kube/inject/testdata/webhook/daemonset.yaml.injected
@@ -121,7 +121,14 @@ spec:
cpu: 100m
memory: 128Mi
securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
readOnlyRootFilesystem: true
+ runAsGroup: 1337
+ runAsNonRoot: true
runAsUser: 1337
volumeMounts:
- mountPath: /etc/istio/proxy
@@ -159,9 +166,16 @@ spec:
cpu: 10m
memory: 10Mi
securityContext:
+ allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
+ - NET_RAW
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: false
+ runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
volumes:
diff --git a/pkg/kube/inject/testdata/webhook/deploymentconfig-multi.yaml.injected b/pkg/kube/inject/testdata/webhook/deploymentconfig-multi.yaml.injected
index 7aecab9c0837..7e1391f4b7a8 100644
--- a/pkg/kube/inject/testdata/webhook/deploymentconfig-multi.yaml.injected
+++ b/pkg/kube/inject/testdata/webhook/deploymentconfig-multi.yaml.injected
@@ -120,7 +120,14 @@ spec:
 cpu: 100m
 memory: 128Mi
 securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
 readOnlyRootFilesystem: true
+ runAsGroup: 1337
+ runAsNonRoot: true
 runAsUser: 1337
 volumeMounts:
 - mountPath: /etc/istio/proxy
@@ -158,9 +165,16 @@ spec:
 cpu: 10m
 memory: 10Mi
 securityContext:
+ allowPrivilegeEscalation: false
 capabilities:
 add:
 - NET_ADMIN
+ - NET_RAW
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: false
+ runAsGroup: 0
 runAsNonRoot: false
 runAsUser: 0
 volumes:
diff --git a/pkg/kube/inject/testdata/webhook/deploymentconfig.yaml.injected b/pkg/kube/inject/testdata/webhook/deploymentconfig.yaml.injected
index 2c23033c60ad..23066fee36b5 100644
--- a/pkg/kube/inject/testdata/webhook/deploymentconfig.yaml.injected
+++ b/pkg/kube/inject/testdata/webhook/deploymentconfig.yaml.injected
@@ -120,7 +120,14 @@ spec:
 cpu: 100m
 memory: 128Mi
 securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
 readOnlyRootFilesystem: true
+ runAsGroup: 1337
+ runAsNonRoot: true
 runAsUser: 1337
 volumeMounts:
 - mountPath: /etc/istio/proxy
@@ -158,9 +165,16 @@ spec:
 cpu: 10m
 memory: 10Mi
 securityContext:
+ allowPrivilegeEscalation: false
 capabilities:
 add:
 - NET_ADMIN
+ - NET_RAW
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: false
+ runAsGroup: 0
 runAsNonRoot: false
 runAsUser: 0
 volumes:
diff --git a/pkg/kube/inject/testdata/webhook/frontend.yaml.injected b/pkg/kube/inject/testdata/webhook/frontend.yaml.injected
index 25fd3cdcd69b..a22effda091d 100644
--- a/pkg/kube/inject/testdata/webhook/frontend.yaml.injected
+++ b/pkg/kube/inject/testdata/webhook/frontend.yaml.injected
@@ -124,7 +124,14 @@ spec:
 cpu: 100m
 memory: 128Mi
 securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
 readOnlyRootFilesystem: true
+ runAsGroup: 1337
+ runAsNonRoot: true
 runAsUser: 1337
 volumeMounts:
 - mountPath: /etc/istio/proxy
@@ -162,9 +169,16 @@ spec:
 cpu: 10m
 memory: 10Mi
 securityContext:
+ allowPrivilegeEscalation: false
 capabilities:
 add:
 - NET_ADMIN
+ - NET_RAW
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: false
+ runAsGroup: 0
 runAsNonRoot: false
 runAsUser: 0
 volumes:
diff --git a/pkg/kube/inject/testdata/webhook/hello-config-map-name.yaml.injected b/pkg/kube/inject/testdata/webhook/hello-config-map-name.yaml.injected
index b888e3a69d2d..a03ffaf0af0e 100644
--- a/pkg/kube/inject/testdata/webhook/hello-config-map-name.yaml.injected
+++ b/pkg/kube/inject/testdata/webhook/hello-config-map-name.yaml.injected
@@ -122,7 +122,14 @@ spec:
 cpu: 100m
 memory: 128Mi
 securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
 readOnlyRootFilesystem: true
+ runAsGroup: 1337
+ runAsNonRoot: true
 runAsUser: 1337
 volumeMounts:
 - mountPath: /etc/istio/proxy
@@ -160,9 +167,16 @@ spec:
 cpu: 10m
 memory: 10Mi
 securityContext:
+ allowPrivilegeEscalation: false
 capabilities:
 add:
 - NET_ADMIN
+ - NET_RAW
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: false
+ runAsGroup: 0
 runAsNonRoot: false
 runAsUser: 0
 volumes:
diff --git a/pkg/kube/inject/testdata/webhook/hello-mtls-not-ready.yaml.injected b/pkg/kube/inject/testdata/webhook/hello-mtls-not-ready.yaml.injected
index 9c7fe2038254..7f9c305ec87b 100644
--- a/pkg/kube/inject/testdata/webhook/hello-mtls-not-ready.yaml.injected
+++ b/pkg/kube/inject/testdata/webhook/hello-mtls-not-ready.yaml.injected
@@ -122,7 +122,14 @@ spec:
 cpu: 100m
 memory: 128Mi
 securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
 readOnlyRootFilesystem: true
+ runAsGroup: 1337
+ runAsNonRoot: true
 runAsUser: 1337
 volumeMounts:
 - mountPath: /etc/istio/proxy
@@ -160,9 +167,16 @@ spec:
 cpu: 10m
 memory: 10Mi
 securityContext:
+ allowPrivilegeEscalation: false
 capabilities:
 add:
 - NET_ADMIN
+ - NET_RAW
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: false
+ runAsGroup: 0
 runAsNonRoot: false
 runAsUser: 0
 volumes:
diff --git a/pkg/kube/inject/testdata/webhook/hello-multi.yaml.injected b/pkg/kube/inject/testdata/webhook/hello-multi.yaml.injected
index 893bc9e3f545..2c26bf5a09db 100644
--- a/pkg/kube/inject/testdata/webhook/hello-multi.yaml.injected
+++ b/pkg/kube/inject/testdata/webhook/hello-multi.yaml.injected
@@ -124,7 +124,14 @@ spec:
 cpu: 100m
 memory: 128Mi
 securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
 readOnlyRootFilesystem: true
+ runAsGroup: 1337
+ runAsNonRoot: true
 runAsUser: 1337
 volumeMounts:
 - mountPath: /etc/istio/proxy
@@ -162,9 +169,16 @@ spec:
 cpu: 10m
 memory: 10Mi
 securityContext:
+ allowPrivilegeEscalation: false
 capabilities:
 add:
 - NET_ADMIN
+ - NET_RAW
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: false
+ runAsGroup: 0
 runAsNonRoot: false
 runAsUser: 0
 volumes:
@@ -304,7 +318,14 @@ spec:
 cpu: 100m
 memory: 128Mi
 securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
 readOnlyRootFilesystem: true
+ runAsGroup: 1337
+ runAsNonRoot: true
 runAsUser: 1337
 volumeMounts:
 - mountPath: /etc/istio/proxy
@@ -342,9 +363,16 @@ spec:
 cpu: 10m
 memory: 10Mi
 securityContext:
+ allowPrivilegeEscalation: false
 capabilities:
 add:
 - NET_ADMIN
+ - NET_RAW
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: false
+ runAsGroup: 0
 runAsNonRoot: false
 runAsUser: 0
 volumes:
diff --git a/pkg/kube/inject/testdata/webhook/hello-probes.yaml.injected b/pkg/kube/inject/testdata/webhook/hello-probes.yaml.injected
index b00452dd74f7..1e6358438029 100644
--- a/pkg/kube/inject/testdata/webhook/hello-probes.yaml.injected
+++ b/pkg/kube/inject/testdata/webhook/hello-probes.yaml.injected
@@ -143,7 +143,14 @@ spec:
 cpu: 100m
 memory: 128Mi
 securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
 readOnlyRootFilesystem: true
+ runAsGroup: 1337
+ runAsNonRoot: true
 runAsUser: 1337
 volumeMounts:
 - mountPath: /etc/istio/proxy
@@ -181,9 +188,16 @@ spec:
 cpu: 10m
 memory: 10Mi
 securityContext:
+ allowPrivilegeEscalation: false
 capabilities:
 add:
 - NET_ADMIN
+ - NET_RAW
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: false
+ runAsGroup: 0
 runAsNonRoot: false
 runAsUser: 0
 volumes:
diff --git a/pkg/kube/inject/testdata/webhook/job.yaml.injected b/pkg/kube/inject/testdata/webhook/job.yaml.injected
index 4415229fb17f..bdd46df1021d 100644
--- a/pkg/kube/inject/testdata/webhook/job.yaml.injected
+++ b/pkg/kube/inject/testdata/webhook/job.yaml.injected
@@ -119,7 +119,14 @@ spec:
 cpu: 100m
 memory: 128Mi
 securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
 readOnlyRootFilesystem: true
+ runAsGroup: 1337
+ runAsNonRoot: true
 runAsUser: 1337
 volumeMounts:
 - mountPath: /etc/istio/proxy
@@ -157,9 +164,16 @@ spec:
 cpu: 10m
 memory: 10Mi
 securityContext:
+ allowPrivilegeEscalation: false
 capabilities:
 add:
 - NET_ADMIN
+ - NET_RAW
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: false
+ runAsGroup: 0
 runAsNonRoot: false
 runAsUser: 0
 restartPolicy: Never
diff --git a/pkg/kube/inject/testdata/webhook/list-frontend.yaml.injected b/pkg/kube/inject/testdata/webhook/list-frontend.yaml.injected
index 25fd3cdcd69b..a22effda091d 100644
--- a/pkg/kube/inject/testdata/webhook/list-frontend.yaml.injected
+++ b/pkg/kube/inject/testdata/webhook/list-frontend.yaml.injected
@@ -124,7 +124,14 @@ spec:
 cpu: 100m
 memory: 128Mi
 securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
 readOnlyRootFilesystem: true
+ runAsGroup: 1337
+ runAsNonRoot: true
 runAsUser: 1337
 volumeMounts:
 - mountPath: /etc/istio/proxy
@@ -162,9 +169,16 @@ spec:
 cpu: 10m
 memory: 10Mi
 securityContext:
+ allowPrivilegeEscalation: false
 capabilities:
 add:
 - NET_ADMIN
+ - NET_RAW
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: false
+ runAsGroup: 0
 runAsNonRoot: false
 runAsUser: 0
 volumes:
diff --git a/pkg/kube/inject/testdata/webhook/list.yaml.injected b/pkg/kube/inject/testdata/webhook/list.yaml.injected
index 893bc9e3f545..2c26bf5a09db 100644
--- a/pkg/kube/inject/testdata/webhook/list.yaml.injected
+++ b/pkg/kube/inject/testdata/webhook/list.yaml.injected
@@ -124,7 +124,14 @@ spec:
 cpu: 100m
 memory: 128Mi
 securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
 readOnlyRootFilesystem: true
+ runAsGroup: 1337
+ runAsNonRoot: true
 runAsUser: 1337
 volumeMounts:
 - mountPath: /etc/istio/proxy
@@ -162,9 +169,16 @@ spec:
 cpu: 10m
 memory: 10Mi
 securityContext:
+ allowPrivilegeEscalation: false
 capabilities:
 add:
 - NET_ADMIN
+ - NET_RAW
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: false
+ runAsGroup: 0
 runAsNonRoot: false
 runAsUser: 0
 volumes:
@@ -304,7 +318,14 @@ spec:
 cpu: 100m
 memory: 128Mi
 securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
 readOnlyRootFilesystem: true
+ runAsGroup: 1337
+ runAsNonRoot: true
 runAsUser: 1337
 volumeMounts:
 - mountPath: /etc/istio/proxy
@@ -342,9 +363,16 @@ spec:
 cpu: 10m
 memory: 10Mi
 securityContext:
+ allowPrivilegeEscalation: false
 capabilities:
 add:
 - NET_ADMIN
+ - NET_RAW
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: false
+ runAsGroup: 0
 runAsNonRoot: false
 runAsUser: 0
 volumes:
diff --git a/pkg/kube/inject/testdata/webhook/multi-init.yaml.injected b/pkg/kube/inject/testdata/webhook/multi-init.yaml.injected
index 62cab69c03ff..3a92ea4c1dbe 100644
--- a/pkg/kube/inject/testdata/webhook/multi-init.yaml.injected
+++ b/pkg/kube/inject/testdata/webhook/multi-init.yaml.injected
@@ -102,7 +102,14 @@ spec:
 cpu: 10m
 memory: 30Mi
 securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
 readOnlyRootFilesystem: true
+ runAsGroup: 1337
+ runAsNonRoot: true
 runAsUser: 1337
 volumeMounts:
 - mountPath: /etc/istio/proxy
@@ -151,11 +158,18 @@ spec:
 cpu: 10m
 memory: 10Mi
 securityContext:
- runAsUser: 0
- runAsNonRoot: false
+ allowPrivilegeEscalation: false
 capabilities:
 add:
 - NET_ADMIN
+ - NET_RAW
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: false
+ runAsGroup: 0
+ runAsNonRoot: false
+ runAsUser: 0
 volumes:
 - emptyDir:
 medium: Memory
diff --git a/pkg/kube/inject/testdata/webhook/replicaset.yaml.injected b/pkg/kube/inject/testdata/webhook/replicaset.yaml.injected
index f48aff459aad..b1138fe97794 100644
--- a/pkg/kube/inject/testdata/webhook/replicaset.yaml.injected
+++ b/pkg/kube/inject/testdata/webhook/replicaset.yaml.injected
@@ -118,7 +118,14 @@ spec:
 cpu: 100m
 memory: 128Mi
 securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
 readOnlyRootFilesystem: true
+ runAsGroup: 1337
+ runAsNonRoot: true
 runAsUser: 1337
 volumeMounts:
 - mountPath: /etc/istio/proxy
@@ -156,9 +163,16 @@ spec:
 cpu: 10m
 memory: 10Mi
 securityContext:
+ allowPrivilegeEscalation: false
 capabilities:
 add:
 - NET_ADMIN
+ - NET_RAW
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: false
+ runAsGroup: 0
 runAsNonRoot: false
 runAsUser: 0
 volumes:
diff --git a/pkg/kube/inject/testdata/webhook/replicationcontroller.yaml.injected b/pkg/kube/inject/testdata/webhook/replicationcontroller.yaml.injected
index af10797dcaac..33681e79c18a 100644
--- a/pkg/kube/inject/testdata/webhook/replicationcontroller.yaml.injected
+++ b/pkg/kube/inject/testdata/webhook/replicationcontroller.yaml.injected
@@ -120,7 +120,14 @@ spec:
 cpu: 100m
 memory: 128Mi
 securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
 readOnlyRootFilesystem: true
+ runAsGroup: 1337
+ runAsNonRoot: true
 runAsUser: 1337
 volumeMounts:
 - mountPath: /etc/istio/proxy
@@ -158,9 +165,16 @@ spec:
 cpu: 10m
 memory: 10Mi
 securityContext:
+ allowPrivilegeEscalation: false
 capabilities:
 add:
 - NET_ADMIN
+ - NET_RAW
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: false
+ runAsGroup: 0
 runAsNonRoot: false
 runAsUser: 0
 volumes:
diff --git a/pkg/kube/inject/testdata/webhook/resource_annotations.yaml.injected b/pkg/kube/inject/testdata/webhook/resource_annotations.yaml.injected
index 9ce8e9bbe5e1..6965ee226910 100644
--- a/pkg/kube/inject/testdata/webhook/resource_annotations.yaml.injected
+++ b/pkg/kube/inject/testdata/webhook/resource_annotations.yaml.injected
@@ -117,7 +117,14 @@ spec:
 cpu: 100m
 memory: 1Gi
 securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
 readOnlyRootFilesystem: true
+ runAsGroup: 1337
+ runAsNonRoot: true
 runAsUser: 1337
 volumeMounts:
 - mountPath: /etc/istio/proxy
@@ -155,9 +162,16 @@ spec:
 cpu: 10m
 memory: 10Mi
 securityContext:
+ allowPrivilegeEscalation: false
 capabilities:
 add:
 - NET_ADMIN
+ - NET_RAW
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: false
+ runAsGroup: 0
 runAsNonRoot: false
 runAsUser: 0
 volumes:
diff --git a/pkg/kube/inject/testdata/webhook/statefulset.yaml.injected b/pkg/kube/inject/testdata/webhook/statefulset.yaml.injected
index 5224ceb3af32..cb3f1033d255 100644
--- a/pkg/kube/inject/testdata/webhook/statefulset.yaml.injected
+++ b/pkg/kube/inject/testdata/webhook/statefulset.yaml.injected
@@ -125,7 +125,14 @@ spec:
 cpu: 100m
 memory: 128Mi
 securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
 readOnlyRootFilesystem: true
+ runAsGroup: 1337
+ runAsNonRoot: true
 runAsUser: 1337
 volumeMounts:
 - mountPath: /etc/istio/proxy
@@ -163,9 +170,16 @@ spec:
 cpu: 10m
 memory: 10Mi
 securityContext:
+ allowPrivilegeEscalation: false
 capabilities:
 add:
 - NET_ADMIN
+ - NET_RAW
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: false
+ runAsGroup: 0
 runAsNonRoot: false
 runAsUser: 0
 volumes:
diff --git a/pkg/kube/inject/testdata/webhook/status_annotations.yaml.injected b/pkg/kube/inject/testdata/webhook/status_annotations.yaml.injected
index 100864974ad3..848fba4b79de 100644
--- a/pkg/kube/inject/testdata/webhook/status_annotations.yaml.injected
+++ b/pkg/kube/inject/testdata/webhook/status_annotations.yaml.injected
@@ -123,7 +123,14 @@ spec:
 cpu: 100m
 memory: 128Mi
 securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
 readOnlyRootFilesystem: true
+ runAsGroup: 1337
+ runAsNonRoot: true
 runAsUser: 1337
 volumeMounts:
 - mountPath: /etc/istio/proxy
@@ -161,9 +168,16 @@ spec:
 cpu: 10m
 memory: 10Mi
 securityContext:
+ allowPrivilegeEscalation: false
 capabilities:
 add:
 - NET_ADMIN
+ - NET_RAW
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: false
+ runAsGroup: 0
 runAsNonRoot: false
 runAsUser: 0
 volumes:
diff --git a/pkg/kube/inject/testdata/webhook/traffic-annotations-empty-includes.yaml.injected b/pkg/kube/inject/testdata/webhook/traffic-annotations-empty-includes.yaml.injected
index 38126f9e7edb..8f6aa476f1ba 100644
--- a/pkg/kube/inject/testdata/webhook/traffic-annotations-empty-includes.yaml.injected
+++ b/pkg/kube/inject/testdata/webhook/traffic-annotations-empty-includes.yaml.injected
@@ -121,7 +121,14 @@ spec:
 cpu: 100m
 memory: 128Mi
 securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
 readOnlyRootFilesystem: true
+ runAsGroup: 1337
+ runAsNonRoot: true
 runAsUser: 1337
 volumeMounts:
 - mountPath: /etc/istio/proxy
@@ -159,9 +166,16 @@ spec:
 cpu: 10m
 memory: 10Mi
 securityContext:
+ allowPrivilegeEscalation: false
 capabilities:
 add:
 - NET_ADMIN
+ - NET_RAW
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: false
+ runAsGroup: 0
 runAsNonRoot: false
 runAsUser: 0
 volumes:
diff --git a/pkg/kube/inject/testdata/webhook/traffic-annotations-wildcards.yaml.injected b/pkg/kube/inject/testdata/webhook/traffic-annotations-wildcards.yaml.injected
index a89ba8172b2e..653e293d8289 100644
--- a/pkg/kube/inject/testdata/webhook/traffic-annotations-wildcards.yaml.injected
+++ b/pkg/kube/inject/testdata/webhook/traffic-annotations-wildcards.yaml.injected
@@ -122,7 +122,14 @@ spec:
 cpu: 100m
 memory: 128Mi
 securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
 readOnlyRootFilesystem: true
+ runAsGroup: 1337
+ runAsNonRoot: true
 runAsUser: 1337
 volumeMounts:
 - mountPath: /etc/istio/proxy
@@ -160,9 +167,16 @@ spec:
 cpu: 10m
 memory: 10Mi
 securityContext:
+ allowPrivilegeEscalation: false
 capabilities:
 add:
 - NET_ADMIN
+ - NET_RAW
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: false
+ runAsGroup: 0
 runAsNonRoot: false
 runAsUser: 0
 volumes:
diff --git a/pkg/kube/inject/testdata/webhook/traffic-annotations.yaml.injected b/pkg/kube/inject/testdata/webhook/traffic-annotations.yaml.injected
index 2d4ed9823678..076c7933ef0d 100644
--- a/pkg/kube/inject/testdata/webhook/traffic-annotations.yaml.injected
+++ b/pkg/kube/inject/testdata/webhook/traffic-annotations.yaml.injected
@@ -123,7 +123,14 @@ spec:
 cpu: 100m
 memory: 128Mi
 securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
 readOnlyRootFilesystem: true
+ runAsGroup: 1337
+ runAsNonRoot: true
 runAsUser: 1337
 volumeMounts:
 - mountPath: /etc/istio/proxy
@@ -163,9 +170,16 @@ spec:
 cpu: 10m
 memory: 10Mi
 securityContext:
+ allowPrivilegeEscalation: false
 capabilities:
 add:
 - NET_ADMIN
+ - NET_RAW
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: false
+ runAsGroup: 0
 runAsNonRoot: false
 runAsUser: 0
 volumes:
diff --git a/pkg/kube/inject/testdata/webhook/user-volume.yaml.injected b/pkg/kube/inject/testdata/webhook/user-volume.yaml.injected
index 392bffdafa2e..2bff3ba220e3 100644
--- a/pkg/kube/inject/testdata/webhook/user-volume.yaml.injected
+++ b/pkg/kube/inject/testdata/webhook/user-volume.yaml.injected
@@ -124,7 +124,14 @@ spec:
 cpu: 100m
 memory: 128Mi
 securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
 readOnlyRootFilesystem: true
+ runAsGroup: 1337
+ runAsNonRoot: true
 runAsUser: 1337
 volumeMounts:
 - mountPath: /etc/istio/proxy
@@ -167,9 +174,16 @@ spec:
 cpu: 10m
 memory: 10Mi
 securityContext:
+ allowPrivilegeEscalation: false
 capabilities:
 add:
 - NET_ADMIN
+ - NET_RAW
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: false
+ runAsGroup: 0
 runAsNonRoot: false
 runAsUser: 0
 volumes: