feat: added securityContext for production flag

Additionally add pod.containers[].securityContext.allowPrivilegeEscalation = false
garden-io · Dec 5, 2019 · a88edfa · a88edfa
1 parent b5c6e41
commit a88edfa
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 2 deletions.
diff --git a/docs/guides/remote-kubernetes.md b/docs/guides/remote-kubernetes.md
@@ -180,7 +180,8 @@ The flag is also given to each provider, which may modify behavior accordingly.
 
 1. Set the default number of replicas for `container` services to 3 (unless specified by the user).
 2. Set a soft AntiAffinity setting on `container` deployments to try to schedule Pods in a single Deployment across many nodes.
-3. Increase the `RevisionHistoryLimit` on workloads to 10.
-4. By default, running `garden deploy --force` will propagate the `--force` flag to `helm upgrade`, and set the `--replace` flag on `helm install` when deploying `helm` modules. This may be okay while developing but risky in production, so the `production` flag prevents both of those.
+3. Set a restricted `securityContext` for Pods (runAsUser: 1000, runAsGroup: 3000, fsGroup: 2000).
+4. Increase the `RevisionHistoryLimit` on workloads to 10.
+5. By default, running `garden deploy --force` will propagate the `--force` flag to `helm upgrade`, and set the `--replace` flag on `helm install` when deploying `helm` modules. This may be okay while developing but risky in production, so the `production` flag prevents both of those.
 
 We would highly appreciate feedback on other configuration settings that should be altered when `production: true`. Please send us feedback via [GitHub issues](https://github.com/garden-io/garden/issues) or reach out on our Slack channel!
diff --git a/garden-service/src/plugins/kubernetes/container/deployment.ts b/garden-service/src/plugins/kubernetes/container/deployment.ts
@@ -296,6 +296,9 @@ export async function createWorkloadResource({
       },
     },
     imagePullPolicy: "IfNotPresent",
+    securityContext: {
+      allowPrivilegeEscalation: false,
+    },
   }
 
   if (service.spec.command && service.spec.command.length > 0) {
@@ -395,7 +398,14 @@ export async function createWorkloadResource({
       },
     }
 
+    const securityContext = {
+      runAsUser: 1000,
+      runAsGroup: 3000,
+      fsGroup: 2000,
+    }
+
     deployment.spec.template.spec.affinity = affinity
+    deployment.spec.template.spec.securityContext = securityContext
   }
 
   if (enableHotReload) {