From 458e2600be8ab44e6cf6ec385b396c2fc093cb60 Mon Sep 17 00:00:00 2001
From: ohauer
Date: Mon, 7 Aug 2023 09:43:16 +0200
Subject: [PATCH] securityContext adjusted (#1261)

allow installation and execution in restricted namespaces

Signed-off-by: Olli Hauer
---
 controller-norbac.jsonnet | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/controller-norbac.jsonnet b/controller-norbac.jsonnet
index 1b9ff971b0..5d588af1d6 100644
--- a/controller-norbac.jsonnet
+++ b/controller-norbac.jsonnet
@@ -40,6 +40,11 @@ local namespace = 'kube-system';
 spec+: {
 securityContext+: {
 fsGroup: 65534,
+ runAsNonRoot: true,
+ runAsUser: 1001,
+ seccompProfile+: {
+ type: 'RuntimeDefault',
+ }
 },
 containers_+: {
 controller: kube.Container('sealed-secrets-controller') {
@@ -54,9 +59,11 @@ local namespace = 'kube-system';
 http: { containerPort: 8080 },
 },
 securityContext+: {
+ allowPrivilegeEscalation: false,
+ capabilities+: {
+ drop: [ 'ALL' ],
+ },
 readOnlyRootFilesystem: true,
- runAsNonRoot: true,
- runAsUser: 1001,
 },
 volumeMounts_+: {
 tmp: {
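Review bot: The closing `}` of the new `seccompProfile+:` block (last added line of the first hunk) has no trailing comma, while every other field in this object (`fsGroup: 65534,`, `runAsUser: 1001,`) ends with one; Jsonnet accepts a missing comma after the last field, but for consistency and so the next field appended after it does not break the object, change it to `},`. Since the commit message says these fields exist so the controller can run in restricted namespaces, a short comment above the new pod-level entries would keep a later maintainer from moving them back into the container: `// Pod-level settings for restricted namespaces: runAsNonRoot/runAsUser and seccompProfile apply to every container in the pod.` The pod-level values now govern the controller container as well, which no longer sets them itself (second hunk). The enclosing pod spec starts before and ends after this hunk.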
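Review bot: The container securityContext in the second hunk now relies on the pod-level `runAsNonRoot` and `runAsUser` added in the first hunk, but nothing at this site says so, and a reader seeing only the two removed lines may re-add them. Suggest a comment above `allowPrivilegeEscalation: false,`: `// runAsNonRoot/runAsUser/seccompProfile are set once on the pod securityContext; this block only adds container-level hardening.` With `drop: [ 'ALL' ]` the container keeps no Linux capabilities, which is compatible with the unprivileged `containerPort: 8080` shown in the context lines; any future need to bind a port below 1024 would have to add the capability back explicitly rather than silently widening this list. The container definition starts before and continues after this hunk.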