Merge f8356c9dee into 909e9eabe4

2023-06-19 11:53:20 -04:00 · 2023-06-19 11:53:20 -04:00 · e819c592a1
parent 909e9eabe4 f8356c9dee
commit e819c592a1
2 changed files with 57 additions and 28 deletions
--- a/cmd/k8s-operator/manifests/operator.yaml
+++ b/cmd/k8s-operator/manifests/operator.yaml
@ -119,6 +119,8 @@ spec:
    spec:
      serviceAccountName: operator
      volumes:
+        - name: config
+          emptyDir: {}
        - name: oauth
          secret:
            secretName: operator-oauth
@ -151,6 +153,20 @@ spec:
            - name: AUTH_PROXY
              value: "false"
          volumeMounts:
+            - name: config
+              mountPath: /.config
            - name: oauth
              mountPath: /oauth
              readOnly: true
+          securityContext:
+            capabilities:
+              drop:
+                - ALL
+            allowPrivilegeEscalation: false
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 3000
+        runAsNonRoot: true
+        fsGroup: 2000
+        seccompProfile:
+          type: RuntimeDefault
--- a/cmd/k8s-operator/manifests/proxy.yaml
+++ b/cmd/k8s-operator/manifests/proxy.yaml
@ -14,7 +14,10 @@ spec:
        - name: sysctler
          image: busybox
          securityContext:
-            privileged: true
+            capabilities:
+              drop:
+                - ALL
+            allowPrivilegeEscalation: false
          command: ["/bin/sh"]
          args:
            - -c
@ -35,3 +38,13 @@ spec:
            capabilities:
              add:
                - NET_ADMIN
+              drop:
+                - ALL
+            allowPrivilegeEscalation: false
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 3000
+        runAsNonRoot: true
+        fsGroup: 2000
+        seccompProfile:
+          type: RuntimeDefault