Merge pull request #169 from jokuniew/securitycontext

richardcase · web-flow · commit ed52584144ee · 2025-06-24T19:36:23.000+01:00
feat: enable containers securitycontext
diff --git a/bootstrap/config/default/kustomization.yaml b/bootstrap/config/default/kustomization.yaml
@@ -39,6 +39,10 @@ patchesStrategicMerge:
 # 'CERTMANAGER' needs to be enabled to use ca injection
 - webhookcainjection_patch.yaml
 
+# Adds or overrides securityContext settings for containers to enforce security best practices,
+# such as running as non-root, dropping capabilities, or setting read-only root filesystems.
+- patch-securitycontext.yaml
+
 # the following config is for teaching kustomize how to do var substitution
 # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix.
 configurations:
diff --git a/bootstrap/config/default/patch-securitycontext.yaml b/bootstrap/config/default/patch-securitycontext.yaml
@@ -0,0 +1,25 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller-manager
+  namespace: system
+spec:
+  template:
+    spec:
+      containers:
+        - name: manager
+          securityContext:
+            runAsNonRoot: true
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop: ["ALL"]
+            seccompProfile:
+              type: RuntimeDefault
+        - name: kube-rbac-proxy
+          securityContext:
+            runAsNonRoot: true
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop: ["ALL"]
+            seccompProfile:
+              type: RuntimeDefault
diff --git a/controlplane/config/default/kustomization.yaml b/controlplane/config/default/kustomization.yaml
@@ -39,6 +39,10 @@ patchesStrategicMerge:
 # 'CERTMANAGER' needs to be enabled to use ca injection
 - webhookcainjection_patch.yaml
 
+# Adds or overrides securityContext settings for containers to enforce security best practices,
+# such as running as non-root, dropping capabilities, or setting read-only root filesystems.
+- patch-securitycontext.yaml
+
 # the following config is for teaching kustomize how to do var substitution
 # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix.
 configurations:
diff --git a/controlplane/config/default/patch-securitycontext.yaml b/controlplane/config/default/patch-securitycontext.yaml
@@ -0,0 +1,25 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller-manager
+  namespace: system
+spec:
+  template:
+    spec:
+      containers:
+        - name: manager
+          securityContext:
+            runAsNonRoot: true
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop: ["ALL"]
+            seccompProfile:
+              type: RuntimeDefault
+        - name: kube-rbac-proxy
+          securityContext:
+            runAsNonRoot: true
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop: ["ALL"]
+            seccompProfile:
+              type: RuntimeDefault
