security: Drop capabilities and enable seccomp

Further restricts the SecurityContext that the controller runs under, by enabling the default seccomp profile and dropping all linux capabilities. This was set at container-level to ensure backwards compatibility with use cases in which sidecars are injected into the source-controller pod without setting less restrictive settings. BREAKING CHANGE: The use of new seccomp API requires Kubernetes 1.19. Co-authored-by: Sanskar Jaiswal <sanskar.jaiswal@weave.works> Signed-off-by: Paulo Gomes <paulo.gomes@weave.works>
2022-01-18 18:01:37 +00:00 · 2022-01-18 18:01:37 +00:00 · 3134d10d32
parent 89ba4f5e8f
commit 3134d10d32
2 changed files with 5 additions and 1 deletions
--- a/2
+++ b/2
@ -41,7 +41,7 @@ RUN apk add --no-cache ca-certificates tini

 COPY --from=builder /workspace/helm-controller /usr/local/bin/

-RUN addgroup -S controller && adduser -S controller -G controller
+RUN addgroup -S controller -g 65532 && adduser -D -u 65532 -s /sbin/nologin -S controller -G controller

 USER controller

--- a/config/manager/deployment.yaml
+++ b/config/manager/deployment.yaml
@ -25,6 +25,10 @@ spec:
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
+          capabilities:
+            drop: ["ALL"]
+          seccompProfile:
+            type: RuntimeDefault
        ports:
          - containerPort: 8080
            name: http-prom