security: Drop capabilities and enable seccomp

Further restricts the SecurityContext that the controller runs under, by enabling the default seccomp profile, dropping all linux capabilities and enforcing a specific user/group ID. This was set at container-level to ensure backwards compatibility with use cases in which sidecars are injected into the source-controller pod without setting less restrictive settings. Co-authored-by: Sanskar Jaiswal <[email protected]> Signed-off-by: Paulo Gomes <[email protected]>
fluxcd · Jan 5, 2022 · 7c971cd · 7c971cd
1 parent 46642a7
commit 7c971cd
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 3 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -40,8 +40,6 @@ RUN apk add --no-cache ca-certificates tini
 
 COPY --from=builder /workspace/helm-controller /usr/local/bin/
 
-RUN addgroup -S controller && adduser -S controller -G controller
-
-USER controller
+USER 65534:65534
 
 ENTRYPOINT [ "/sbin/tini", "--", "helm-controller" ]
diff --git a/config/manager/deployment.yaml b/config/manager/deployment.yaml
@@ -25,6 +25,11 @@ spec:
         securityContext:
           allowPrivilegeEscalation: false
           readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          capabilities:
+            drop: ["ALL"]
+          seccompProfile:
+            type: RuntimeDefault
         ports:
           - containerPort: 8080
             name: http-prom