Skip to content

Commit

Permalink
securityContext adjusted (#1261)
Browse files Browse the repository at this point in the history
allow installation and execution in restricted namespaces

Signed-off-by: Olli Hauer <[email protected]>
  • Loading branch information
ohauer authored Aug 7, 2023
1 parent a6bcb68 commit 458e260
Showing 1 changed file with 9 additions and 2 deletions.
11 changes: 9 additions & 2 deletions controller-norbac.jsonnet
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,11 @@ local namespace = 'kube-system';
spec+: {
securityContext+: {
fsGroup: 65534,
runAsNonRoot: true,
runAsUser: 1001,
seccompProfile+: {
type: 'RuntimeDefault',
}
},
containers_+: {
controller: kube.Container('sealed-secrets-controller') {
Expand All @@ -54,9 +59,11 @@ local namespace = 'kube-system';
http: { containerPort: 8080 },
},
securityContext+: {
allowPrivilegeEscalation: false,
capabilities+: {
drop: [ 'ALL' ],
},
readOnlyRootFilesystem: true,
runAsNonRoot: true,
runAsUser: 1001,
},
volumeMounts_+: {
tmp: {
Expand Down

0 comments on commit 458e260

Please sign in to comment.