Add security context to zarf-agent in order to comply with offical re…

…stricted PSS Signed-off-by: Cade Thomas <[email protected]>
zarf-dev · Oct 19, 2024 · 09bfd04 · 09bfd04
1 parent 78dba11
commit 09bfd04
Showing 1 changed file with 12 additions and 0 deletions.
diff --git a/packages/zarf-agent/manifests/deployment.yaml b/packages/zarf-agent/manifests/deployment.yaml
@@ -21,6 +21,12 @@ spec:
         - name: private-registry
       priorityClassName: system-node-critical
       serviceAccountName: zarf
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 2000
+        fsGroup: 2000
+        seccompProfile:
+          type: "RuntimeDefault"
       containers:
         - name: server
           image: "###ZARF_REGISTRY###/###ZARF_CONST_AGENT_IMAGE###:###ZARF_CONST_AGENT_IMAGE_TAG###"
@@ -32,6 +38,12 @@ spec:
               scheme: HTTPS
           ports:
             - containerPort: 8443
+          securityContext:
+            readOnlyRootFilesystem: true
+            allowPrivilegeEscalation: false
+            runAsNonRoot: true
+            capabilities:
+              drop: ["ALL"]
           resources:
             requests:
               memory: "32Mi"