Skip to content

Commit

Permalink
feat: make zarf-agent pods comply with offical restricted pod securit…
Browse files Browse the repository at this point in the history
…y standard (#3036)

Signed-off-by: Cade Thomas <[email protected]>
Signed-off-by: schristoff <[email protected]>
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: Cade Thomas <[email protected]>
Co-authored-by: schristoff <[email protected]>
Co-authored-by: Austin Abro <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
  • Loading branch information
5 people authored Nov 1, 2024
1 parent 38f5f99 commit 785feeb
Showing 1 changed file with 13 additions and 0 deletions.
13 changes: 13 additions & 0 deletions packages/zarf-agent/manifests/deployment.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,13 @@ spec:
- name: private-registry
priorityClassName: system-node-critical
serviceAccountName: zarf
# Security context to comply with restricted PSS
securityContext:
runAsUser: 1000
fsGroup: 2000
runAsGroup: 2000
seccompProfile:
type: "RuntimeDefault"
containers:
- name: server
image: "###ZARF_REGISTRY###/###ZARF_CONST_AGENT_IMAGE###:###ZARF_CONST_AGENT_IMAGE_TAG###"
Expand All @@ -32,6 +39,12 @@ spec:
scheme: HTTPS
ports:
- containerPort: 8443
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
runAsNonRoot: true
capabilities:
drop: ["ALL"]
resources:
requests:
memory: "32Mi"
Expand Down

0 comments on commit 785feeb

Please sign in to comment.