
Commit 1bd3ffe

✨ applying restrictive SCC for all containers produced by the tool
1 parent a2b2be2 commit 1bd3ffe


37 files changed

+374
-0
lines changed


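--- a/pkg/plugins/common/kustomize/v1/scaffolds/internal/templates/config/kdefault/manager_auth_proxy_patch.go
+++ b/pkg/plugins/common/kustomize/v1/scaffolds/internal/templates/config/kdefault/manager_auth_proxy_patch.go
@@ -53,8 +53,17 @@ metadata:
 spec:
 template:
 spec:
+securityContext:
+runAsNonRoot: true
+seccompProfile:
+type: RuntimeDefault
 containers:
 - name: kube-rbac-proxy
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
 image: gcr.io/kubebuilder/kube-rbac-proxy:v0.11.0
 args:
 - "--secure-listen-address=0.0.0.0:8443"
@@ -74,6 +83,11 @@ spec:
 memory: 64Mi
 {{- if not .ComponentConfig }}
 - name: manager
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
 args:
 - "--health-probe-bind-address=:8081"
 - "--metrics-bind-address=127.0.0.1:8080"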
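Review bot: The pod-level `runAsNonRoot: true` added in the first hunk carries no comment on its operational consequence: the kubelet refuses to start any container in the pod whose image runs as UID 0 or declares a non-numeric USER, surfacing as CreateContainerConfigError rather than a manifest error. Because this template is scaffolded into user projects, a short YAML comment above the block would save debugging time, e.g. `# runAsNonRoot requires every image in this pod (manager and kube-rbac-proxy) to run as a numeric non-root UID`. The `drop: [ALL]` on kube-rbac-proxy looks safe as far as the hunk shows, since it listens on 8443 and needs no NET_BIND_SERVICE. The Go template string this YAML lives in starts and ends outside both hunks.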

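--- a/pkg/plugins/common/kustomize/v1/scaffolds/internal/templates/config/kdefault/manager_config_patch.go
+++ b/pkg/plugins/common/kustomize/v1/scaffolds/internal/templates/config/kdefault/manager_config_patch.go
@@ -48,8 +48,17 @@ metadata:
 spec:
 template:
 spec:
+securityContext:
+runAsNonRoot: true
+seccompProfile:
+type: RuntimeDefault
 containers:
 - name: manager
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
 args:
 - "--config=controller_manager_config.yaml"
 volumeMounts:
@@ -58,6 +67,11 @@ spec:
 subPath: controller_manager_config.yaml
 volumes:
 - name: manager-config
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
 configMap:
 name: manager-config
 `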
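Review bot: In the second hunk the new `securityContext` block is inserted between `- name: manager-config` and `configMap:`, which places it inside the `volumes` entry rather than on a container; a Volume has no securityContext field, so the patched manifest is not a valid PodSpec. An API server with strict field validation rejects the Deployment, and older servers silently prune the unknown block, so the hunk either breaks the scaffold or does nothing. Presumably a search for `- name: manager` also matched the volume name; the block should simply be deleted from this hunk, since the manager container already receives the same settings in the first hunk. The identical misplaced block is present in the v2 copy of this template (pkg/plugins/common/kustomize/v2/.../manager_config_patch.go, second hunk).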

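--- a/pkg/plugins/common/kustomize/v1/scaffolds/internal/templates/config/kdefault/webhook_manager_patch.go
+++ b/pkg/plugins/common/kustomize/v1/scaffolds/internal/templates/config/kdefault/webhook_manager_patch.go
@@ -57,8 +57,17 @@ metadata:
 spec:
 template:
 spec:
+securityContext:
+runAsNonRoot: true
+seccompProfile:
+type: RuntimeDefault
 containers:
 - name: manager
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
 ports:
 - containerPort: 9443
 name: webhook-server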

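--- a/pkg/plugins/common/kustomize/v1/scaffolds/internal/templates/config/manager/config.go
+++ b/pkg/plugins/common/kustomize/v1/scaffolds/internal/templates/config/manager/config.go
@@ -72,6 +72,8 @@ spec:
 spec:
 securityContext:
 runAsNonRoot: true
+seccompProfile:
+type: RuntimeDefault
 containers:
 - command:
 - /manager
@@ -83,6 +85,9 @@ spec:
 name: manager
 securityContext:
 allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
 livenessProbe:
 httpGet:
 path: /healthz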
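Review bot: The `seccompProfile: type: RuntimeDefault` added in the first hunk is undocumented in the template, and as far as I recall the `securityContext.seccompProfile` field only exists on Kubernetes 1.19 and later; on older clusters the field is unknown and is dropped or rejected depending on the server's validation mode, which is worth stating where users will see it. Suggest a YAML comment above the new lines such as `# RuntimeDefault applies the container runtime's default seccomp filter; requires Kubernetes >= 1.19`. The `drop: [ALL]` in the second hunk pairs correctly with the existing `allowPrivilegeEscalation: false` for the manager container. The surrounding Deployment template begins and ends outside these hunks.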

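--- a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/manager_auth_proxy_patch.go
+++ b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/manager_auth_proxy_patch.go
@@ -53,8 +53,17 @@ metadata:
 spec:
 template:
 spec:
+securityContext:
+runAsNonRoot: true
+seccompProfile:
+type: RuntimeDefault
 containers:
 - name: kube-rbac-proxy
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
 image: gcr.io/kubebuilder/kube-rbac-proxy:v0.11.0
 args:
 - "--secure-listen-address=0.0.0.0:8443"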

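--- a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/manager_config_patch.go
+++ b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/manager_config_patch.go
@@ -48,8 +48,17 @@ metadata:
 spec:
 template:
 spec:
+securityContext:
+runAsNonRoot: true
+seccompProfile:
+type: RuntimeDefault
 containers:
 - name: manager
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
 args:
 - "--config=controller_manager_config.yaml"
 volumeMounts:
@@ -58,6 +67,11 @@ spec:
 subPath: controller_manager_config.yaml
 volumes:
 - name: manager-config
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
 configMap:
 name: manager-config
 `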

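--- a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/webhook_manager_patch.go
+++ b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/webhook_manager_patch.go
@@ -57,8 +57,17 @@ metadata:
 spec:
 template:
 spec:
+securityContext:
+runAsNonRoot: true
+seccompProfile:
+type: RuntimeDefault
 containers:
 - name: manager
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
 ports:
 - containerPort: 9443
 name: webhook-server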

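--- a/pkg/plugins/golang/v2/scaffolds/internal/templates/config/kdefault/manager_auth_proxy_patch.go
+++ b/pkg/plugins/golang/v2/scaffolds/internal/templates/config/kdefault/manager_auth_proxy_patch.go
@@ -52,8 +52,17 @@ metadata:
 spec:
 template:
 spec:
+securityContext:
+runAsNonRoot: true
+seccompProfile:
+type: RuntimeDefault
 containers:
 - name: kube-rbac-proxy
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
 image: gcr.io/kubebuilder/kube-rbac-proxy:v0.11.0
 args:
 - "--secure-listen-address=0.0.0.0:8443"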

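--- a/pkg/plugins/golang/v2/scaffolds/internal/templates/config/kdefault/webhook_manager_patch.go
+++ b/pkg/plugins/golang/v2/scaffolds/internal/templates/config/kdefault/webhook_manager_patch.go
@@ -48,8 +48,17 @@ metadata:
 spec:
 template:
 spec:
+securityContext:
+runAsNonRoot: true
+seccompProfile:
+type: RuntimeDefault
 containers:
 - name: manager
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
 ports:
 - containerPort: 9443
 name: webhook-server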

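--- a/testdata/project-v2-addon/config/default/manager_auth_proxy_patch.yaml
+++ b/testdata/project-v2-addon/config/default/manager_auth_proxy_patch.yaml
@@ -8,8 +8,17 @@ metadata:
 spec:
 template:
 spec:
+securityContext:
+runAsNonRoot: true
+seccompProfile:
+type: RuntimeDefault
 containers:
 - name: kube-rbac-proxy
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
 image: gcr.io/kubebuilder/kube-rbac-proxy:v0.11.0
 args:
 - "--secure-listen-address=0.0.0.0:8443"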
