From e0577c895cc9e202a3857712af0201cb2a25cdfe Mon Sep 17 00:00:00 2001 From: Ansible-man <93239366+Ansible-man@users.noreply.github.com> Date: Fri, 1 Nov 2024 12:30:09 -0500 Subject: [PATCH] feat: make zarf-agent pods comply with offical restricted pod security standard (#3036) Signed-off-by: Cade Thomas Signed-off-by: schristoff <28318173+schristoff@users.noreply.github.com> Signed-off-by: dependabot[bot] Co-authored-by: Cade Thomas Co-authored-by: schristoff <28318173+schristoff@users.noreply.github.com> Co-authored-by: Austin Abro <37223396+AustinAbro321@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- packages/zarf-agent/manifests/deployment.yaml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/packages/zarf-agent/manifests/deployment.yaml b/packages/zarf-agent/manifests/deployment.yaml index a8e481845f..61731ada18 100644 --- a/packages/zarf-agent/manifests/deployment.yaml +++ b/packages/zarf-agent/manifests/deployment.yaml @@ -21,6 +21,13 @@ spec: - name: private-registry priorityClassName: system-node-critical serviceAccountName: zarf + # Security context to comply with restricted PSS + securityContext: + runAsUser: 1000 + fsGroup: 2000 + runAsGroup: 2000 + seccompProfile: + type: "RuntimeDefault" containers: - name: server image: "###ZARF_REGISTRY###/###ZARF_CONST_AGENT_IMAGE###:###ZARF_CONST_AGENT_IMAGE_TAG###" @@ -32,6 +39,12 @@ spec: scheme: HTTPS ports: - containerPort: 8443 + securityContext: + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + runAsNonRoot: true + capabilities: + drop: ["ALL"] resources: requests: memory: "32Mi"