Merge pull request #491 from mhmdmhfd/feat/cis-for-initcontainers

Falltrades · web-flow · commit c0326adfd507 · 2025-03-31T17:49:24.000+02:00
feat: adding cis policy for kc initContainers and excluding kc pg_clu…
diff --git a/roles/keycloak/templates/values/00-main.j2 b/roles/keycloak/templates/values/00-main.j2
@@ -314,11 +314,24 @@ initContainers:
     image: docker.io/curlimages/curl:8.11.1
 {% endif %}
     imagePullPolicy: IfNotPresent
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+          - ALL
+      privileged: false
+      readOnlyRootFilesystem: true
+      runAsGroup: 1001
+      runAsNonRoot: true
+      runAsUser: 1001
+      seLinuxOptions: {}
+      seccompProfile:
+        type: RuntimeDefault
     command:
       - sh
     args:
       - -c
-      - curl -k -L -f -S -o /emptydir/app-providers-dir/keycloak-theme-dsfr.jar {{ dsc.keycloak.pluginDownloadUrl }}
+      - mkdir -p /empty-dir/app-providers-dir && curl -k -L -f -S -o /emptydir/app-providers-dir/keycloak-theme-dsfr.jar {{ dsc.keycloak.pluginDownloadUrl }}
     volumeMounts:
       - name: empty-dir
         mountPath: /emptydir
diff --git a/roles/kyverno/templates/cis.yml.j2 b/roles/kyverno/templates/cis.yml.j2
@@ -515,6 +515,16 @@ spec:
         - Pod
         namespaces:
         - "{{ dsc.awx.namespace }}"
+    exclude:
+      all:
+      - resources:
+          kinds:
+          - Job
+          - Pod
+          namespaces:
+          - "dso-*"
+          names:
+          - "pg-cluster-*"
     mutate:
       patchStrategicMerge:
         spec:
