Merge pull request #151 from 1Password/fix/security_vulnerabilities

Add runAsNonRoot: true and allowPrivilegeEscalation: false to the specs
2025-10-22 07:28:06 +00:00 · 2023-03-01 08:20:27 -06:00
parent ea8773bfee 702974f750
commit fe930fef05
3 changed files with 10 additions and 0 deletions
--- a/config/connect/deployment.yaml
+++ b/config/connect/deployment.yaml
@@ -12,6 +12,8 @@ spec:
        app: onepassword-connect
        version: "1.0.0"
    spec:
+      securityContext:
+        runAsNonRoot: true
      volumes:
        - name: shared-data
          emptyDir: {}
@@ -32,6 +34,8 @@ spec:
      containers:
        - name: connect-api
          image: 1password/connect-api:latest
+          securityContext:
+            allowPrivilegeEscalation: false
          resources:
            limits:
              memory: "128Mi"
@@ -49,6 +53,8 @@ spec:
              name: shared-data
        - name: connect-sync
          image: 1password/connect-sync:latest
+          securityContext:
+            allowPrivilegeEscalation: false
          resources:
            limits:
              memory: "128Mi"
--- a/config/default/manager_auth_proxy_patch.yaml
+++ b/config/default/manager_auth_proxy_patch.yaml
@@ -8,6 +8,8 @@ metadata:
 spec:
  template:
    spec:
+      securityContext:
+        runAsNonRoot: true
      containers:
      - name: kube-rbac-proxy
        securityContext:
--- a/config/default/manager_config_patch.yaml
+++ b/config/default/manager_config_patch.yaml
@@ -6,6 +6,8 @@ metadata:
 spec:
  template:
    spec:
+      securityContext:
+        runAsNonRoot: true
      containers:
      - name: manager
        args: