From 991e93abe8079ff846b05a2863e9a9c1cfaae43a Mon Sep 17 00:00:00 2001
From: Jonathan Yu
Date: Wed, 16 Aug 2023 14:22:47 -0700
Subject: [PATCH 1/2] Add security context for SpiceDB Operator
Closes: #237
Signed-off-by: Jonathan Yu
---
 config/operator.yaml | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
diff --git a/config/operator.yaml b/config/operator.yaml
index f9bdf0ec..502153a1 100644
--- a/config/operator.yaml
+++ b/config/operator.yaml
@@ -59,8 +59,33 @@ spec:
 periodSeconds: 1
 successThreshold: 1
 timeoutSeconds: 15
+ securityContext:
+ runAsUser: 65532
+ runAsGroup: 65532
+ runAsNonRoot: true
+ readOnlyRootFilesystem: true
+ seccompProfile:
+ type: RuntimeDefault
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
 terminationMessagePolicy: FallbackToLogsOnError
+ volumeMounts:
+ - mountPath: /tmp
+ name: scratch
+ subPath: tmp
+ securityContext:
+ runAsUser: 65532
+ runAsGroup: 65532
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
 serviceAccountName: spicedb-operator
+ volumes:
+ - name: scratch
+ emptyDir:
+ sizeLimit: 512Mi
 ---
 apiVersion: v1
 kind: ServiceAccount
From 2d114c651e9725a99e6c77370bf1a8463b1e9e6a Mon Sep 17 00:00:00 2001
From: Jonathan Yu
Date: Fri, 18 Aug 2023 14:12:26 -0700
Subject: [PATCH 2/2] remove tmp dir
---
 config/operator.yaml | 8 --------
 1 file changed, 8 deletions(-)
diff --git a/config/operator.yaml b/config/operator.yaml
index 502153a1..65ea4c44 100644
--- a/config/operator.yaml
+++ b/config/operator.yaml
@@ -71,10 +71,6 @@ spec:
 drop:
 - ALL
 terminationMessagePolicy: FallbackToLogsOnError
- volumeMounts:
- - mountPath: /tmp
- name: scratch
- subPath: tmp
 securityContext:
 runAsUser: 65532
 runAsGroup: 65532
@@ -82,10 +78,6 @@ spec:
 seccompProfile:
 type: RuntimeDefault
 serviceAccountName: spicedb-operator
- volumes:
- - name: scratch
- emptyDir:
- sizeLimit: 512Mi
 ---
 apiVersion: v1
 kind: ServiceAccount
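Review bot: `readOnlyRootFilesystem: true` in the container-level `securityContext` of PATCH 1/2 leaves the process with no writable path once the follow-up patch on this page removes the `/tmp` emptyDir, and nothing in the hunk shows that the operator never writes to disk (Go's os.TempDir resolves to /tmp by default), so any write would now fail with EROFS at runtime rather than at admission — worth covering with a run of the deployed manifest. While the mount was present, `subPath: tmp` was likely a problem of its own: the kubelet creates subPath directories root-owned, and with no `fsGroup` in the pod-level block UID 65532 probably could not have written there — TODO confirm; mounting the emptyDir root, which the kubelet creates world-writable, is the usual form. The four fields repeated in both `securityContext` blocks (`runAsUser`, `runAsGroup`, `runAsNonRoot`, `seccompProfile`) are redundant since the container-level value takes precedence; setting them once at pod level with a comment such as `# 65532: non-root uid; must match the user defined in the image` reads cleaner, though the duplication is harmless.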