improve pod security for snyk scan

Signed-off-by: Scott Trent <[email protected]>
sustainable-computing-io · Sep 10, 2024 · f165de1 · f165de1
1 parent 584ce38
commit f165de1
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 3 deletions.
diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml
@@ -12,7 +12,10 @@ spec:
       - name: kube-rbac-proxy
         securityContext:
           allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
           runAsNonRoot: true
+          runAsUser: 14001
+          runAsGroup: 14001
           capabilities:
             drop:
               - "ALL"

diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
@@ -57,6 +57,8 @@ spec:
       #               - linux
       securityContext:
         runAsNonRoot: true
+        runAsUser: 11001
+        runAsGroup: 11001
         # TODO(user): For common cases that do not require escalating privileges
         # it is recommended to ensure that all your Pods/Containers are restrictive.
         # More info: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
@@ -163,6 +165,8 @@ spec:
         imagePullPolicy: Always
         name: manager
         securityContext:
+          runAsUser: 12001
+          runAsGroup: 12001
           allowPrivilegeEscalation: false
           capabilities:
             drop:

diff --git a/deployment/susql-controller/templates/deployment.yaml b/deployment/susql-controller/templates/deployment.yaml
@@ -8,9 +8,6 @@ spec:
     selector:
         matchLabels:
             sustainable-computing.io/app: {{ .Values.name }}
-    securityContext:
-        runAsUser: 10001
-        runAsGroup: 10001
     template:
         metadata:
             name: {{ .Values.name }}
@@ -27,6 +24,8 @@ spec:
                   image: {{ required "Please specify a 'containerImage' in the user file" .Values.containerImage }}
                   imagePullPolicy: {{ .Values.imagePullPolicy | default "Always" }}
                   securityContext:
+                      runAsUser: 10001
+                      runAsGroup: 10001
                       allowPrivilegeEscalation: false
                       runAsNonRoot: true
                       capabilities: