From 7c971cdcede8a4390d4a622b69d42ca6ba9d03ce Mon Sep 17 00:00:00 2001
From: Paulo Gomes
Date: Wed, 5 Jan 2022 09:29:35 +0000
Subject: [PATCH] security: Drop capabilities and enable seccomp

Further restricts the SecurityContext that the controller runs under, by enabling the default seccomp profile, dropping all linux capabilities and enforcing a specific user/group ID.

This was set at container-level to ensure backwards compatibility with use cases in which sidecars are injected into the source-controller pod without setting less restrictive settings.

Co-authored-by: Sanskar Jaiswal
Signed-off-by: Paulo Gomes
---
 Dockerfile | 4 +---
 config/manager/deployment.yaml | 5 +++++
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 56fc361ee..2caececca 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -40,8 +40,6 @@ RUN apk add --no-cache ca-certificates tini COPY --from=builder /workspace/helm-controller /usr/local/bin/ -RUN addgroup -S controller && adduser -S controller -G controller - -USER controller +USER 65534:65534 ENTRYPOINT [ "/sbin/tini", "--", "helm-controller" ]
diff --git a/config/manager/deployment.yaml b/config/manager/deployment.yaml
index 0619b9000..663088dde 100644
--- a/config/manager/deployment.yaml
+++ b/config/manager/deployment.yaml
@@ -25,6 +25,11 @@ spec:
 securityContext:
 allowPrivilegeEscalation: false
 readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ capabilities:
+ drop: ["ALL"]
+ seccompProfile:
+ type: RuntimeDefault
 ports:
 - containerPort: 8080
 name: http-prom
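Review bot: `runAsNonRoot: true` in the deployment.yaml hunk is not paired with a numeric `runAsUser`/`runAsGroup`, so the non-root check and the effective UID fall back to the image's `USER` directive, which the Dockerfile hunk in this same patch sets to `65534:65534`; an image override or a later Dockerfile change would weaken the manifest without any visible diff here. Pinning the IDs in the container securityContext keeps the manifest self-describing: `runAsUser: 65534` and `runAsGroup: 65534` alongside `runAsNonRoot: true`. Minor style point: `drop: ["ALL"]` uses flow style while the surrounding file is block style (`ports:` / `- containerPort:`), so `drop:` followed by `- ALL` would match. The commit message refers to the source-controller pod, while the Dockerfile here builds helm-controller, presumably carried over from the sibling repository. Any pod-level securityContext above the container's is outside the hunk, so whether it already sets these IDs cannot be confirmed from this patch.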