From 702974f750df540a799a261c21f68534ba6b1955 Mon Sep 17 00:00:00 2001
From: Volodymyr Zotov
Date: Tue, 28 Feb 2023 15:59:17 -0600
Subject: [PATCH] Add runAsNonRoot: true and allowPrivilegeEscalation: false to the specs

Signed-off-by: Volodymyr Zotov
---
 config/connect/deployment.yaml | 6 ++++++
 config/default/manager_auth_proxy_patch.yaml | 2 ++
 config/default/manager_config_patch.yaml | 2 ++
 3 files changed, 10 insertions(+)

diff --git a/config/connect/deployment.yaml b/config/connect/deployment.yaml
index a68d624..3b6acf4 100644
--- a/config/connect/deployment.yaml
+++ b/config/connect/deployment.yaml
@@ -12,6 +12,8 @@ spec:
         app: onepassword-connect
         version: "1.0.0"
     spec:
+      securityContext:
+        runAsNonRoot: true
       volumes:
         - name: shared-data
           emptyDir: {}
@@ -32,6 +34,8 @@ spec:
       containers:
         - name: connect-api
           image: 1password/connect-api:latest
+          securityContext:
+            allowPrivilegeEscalation: false
           resources:
             limits:
               memory: "128Mi"
@@ -49,6 +53,8 @@ spec:
               name: shared-data
         - name: connect-sync
           image: 1password/connect-sync:latest
+          securityContext:
+            allowPrivilegeEscalation: false
           resources:
             limits:
               memory: "128Mi"
diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml
index e212f7d..618dd52 100644
--- a/config/default/manager_auth_proxy_patch.yaml
+++ b/config/default/manager_auth_proxy_patch.yaml
@@ -8,6 +8,8 @@ metadata:
 spec:
   template:
     spec:
+      securityContext:
+        runAsNonRoot: true
       containers:
       - name: kube-rbac-proxy
         securityContext:
diff --git a/config/default/manager_config_patch.yaml b/config/default/manager_config_patch.yaml
index 84f2f4a..4fd749c 100644
--- a/config/default/manager_config_patch.yaml
+++ b/config/default/manager_config_patch.yaml
@@ -6,6 +6,8 @@ metadata:
 spec:
   template:
     spec:
+      securityContext:
+        runAsNonRoot: true
       containers:
       - name: manager
         args:
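Review bot: `runAsNonRoot: true` on the pod spec is checked by the kubelet against the image's effective user, so if `1password/connect-api` or `1password/connect-sync` (both pulled as `:latest` per the later hunks) ever ships without a non-root `USER`, the pod stops with CreateContainerConfigError instead of running as root; pinning the UID the images are built with (`runAsUser: <IMAGE_UID>` — placeholder, confirm from the image) makes the intent explicit and independent of the tag. The pod-level context is also the natural place for `seccompProfile:` / `  type: RuntimeDefault`, which the restricted Pod Security Standard requires alongside the two fields this commit adds. The pod template continues outside the hunk.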
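Review bot: The container securityContext for `connect-api` stops at `allowPrivilegeEscalation: false`; for a container with no visible need for extra Linux capabilities, `capabilities.drop: ["ALL"]` and `seccompProfile.type: RuntimeDefault` are the remaining fields the restricted Pod Security Standard expects, and `readOnlyRootFilesystem: true` is worth a try if the only writable state lives on the `shared-data` emptyDir (not verifiable from this hunk). The same applies verbatim to the `connect-sync` container in the next hunk. The `connect-api` container definition continues past the hunk (resources and the rest of the container spec).
```yaml
        - name: connect-api
          image: 1password/connect-api:latest
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
            seccompProfile:
              type: RuntimeDefault
          # … unchanged: resources and the rest of the container spec …
```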
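Review bot: This patch and `manager_config_patch.yaml` (last hunk) each add the identical pod-level `securityContext.runAsNonRoot: true` under `spec.template.spec`; if both are kustomize patches over the same controller-manager Deployment (the kustomization is not visible here), the setting is applied twice and belongs once in the base manifest so the two copies cannot drift apart. The `kube-rbac-proxy` container already carries its own `securityContext:` whose contents lie outside the hunk; confirm it does not set `runAsUser: 0` (rejected at validation against the pod-level value) or `runAsNonRoot: false` (which overrides it).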