This repository was archived by the owner on Aug 12, 2025. It is now read-only.

Commit 0777e5e

committed
feat: add security context for controller
Signed-off-by: Chris Privitere <[email protected]>
1 parent 437f509 commit 0777e5e


1 file changed

+42
-30
lines changed

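--- a/config/manager/manager.yaml
+++ b/config/manager/manager.yaml
@@ -16,36 +16,48 @@ spec:
 control-plane: controller-manager
 spec:
 containers:
-- command:
-- /manager
-args:
-- --leader-elect
-image: packet-controller
-imagePullPolicy: IfNotPresent
-name: manager
-ports:
-- containerPort: 9440
-name: healthz
-protocol: TCP
-readinessProbe:
-httpGet:
-path: /readyz
-port: healthz
-livenessProbe:
-httpGet:
-path: /healthz
-port: healthz
-resources:
-limits:
-cpu: 100m
-memory: 50Mi
-requests:
-cpu: 100m
-memory: 35Mi
+- command:
+- /manager
+args:
+- --leader-elect
+image: packet-controller
+imagePullPolicy: IfNotPresent
+name: manager
+ports:
+- containerPort: 9440
+name: healthz
+protocol: TCP
+readinessProbe:
+httpGet:
+path: /readyz
+port: healthz
+livenessProbe:
+httpGet:
+path: /healthz
+port: healthz
+resources:
+limits:
+cpu: 100m
+memory: 50Mi
+requests:
+cpu: 100m
+memory: 35Mi
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+privileged: false
+runAsUser: 65532
+runAsGroup: 65532
 terminationGracePeriodSeconds: 10
 tolerations:
-- effect: NoSchedule
-key: node-role.kubernetes.io/master
-- effect: NoSchedule
-key: node-role.kubernetes.io/control-plane
+- effect: NoSchedule
+key: node-role.kubernetes.io/master
+- effect: NoSchedule
+key: node-role.kubernetes.io/control-plane
 serviceAccountName: controller-manager
+securityContext:
+runAsNonRoot: true
+seccompProfile:
+type: RuntimeDefault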
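Review bot: The container `securityContext` added at new lines 45–52 does not set `readOnlyRootFilesystem`, so the manager's root filesystem stays writable even though capabilities are dropped and privilege escalation is disabled. If `/manager` writes only to mounted volumes (not visible on this page), add `readOnlyRootFilesystem: true` next to `privileged: false`. The second `securityContext` at new lines 60–63 appears to be pod-level, with `runAsUser: 65532` set only on the container. Indentation is lost in this rendering, so that nesting is inferred and should be confirmed against the file. Also confirm the `packet-controller` image actually runs as UID/GID 65532, since `runAsNonRoot: true` only rejects UID 0 and does not guarantee the image works under that user.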
