fix trivy findings

soerenschneider · soerenschneider · commit b2ebc22221b8 · 2024-10-27T13:34:23.000Z
diff --git a/.trivyignore.yaml b/.trivyignore.yaml
@@ -27,8 +27,12 @@ misconfigurations:
   - id: "AVD-KSV-0048"
     paths:
       - "infra/reloader/components/rbac/clusterrole.yaml"
+  - id: "AVD-KSV-0049"
+    paths:
+      - "infra/external-secrets/components/resources/rbac-clusterroles.yaml"
   - id: "AVD-KSV-0041"
     paths:
+      - "infra/external-secrets/components/resources/rbac-bindings.yaml"
       - "infra/reloader/components/rbac/clusterrole.yaml"
       - "apps/monitoring/kube-state-metrics/components/rbac/cluster-role.yaml"
   - id: "AVD-KSV-0109"
@@ -37,6 +41,9 @@ misconfigurations:
   - id: "AVD-KSV-0113"
     paths:
       - "apps/monitoring/prometheus-vault-token-syncer/rbac.yaml"
+  - id: "AVD-KSV-0114"
+    paths:
+      - "infra/external-secrets/components/resources/rbac-bindings.yaml"
   - id: "AVD-KSV-01010"
     paths:
       - "**/taskwarrior-configmap.yaml" # false positive
diff --git a/infra/external-secrets/components/resources/deployment-controller.yaml b/infra/external-secrets/components/resources/deployment-controller.yaml
@@ -41,6 +41,7 @@ spec:
             readOnlyRootFilesystem: true
             runAsNonRoot: true
             runAsUser: 12364
+            runAsGroup: 12364
             seccompProfile:
               type: RuntimeDefault
           image: ghcr.io/external-secrets/external-secrets:v0.10.5
@@ -64,3 +65,9 @@ spec:
               path: /readyz
             initialDelaySeconds: 20
             periodSeconds: 5
+          resources:
+            requests:
+              memory: 128Mi
+              cpu: 50Mi
+            limits:
+              memory: 1Gi
diff --git a/infra/external-secrets/components/resources/deployment-webhook.yaml b/infra/external-secrets/components/resources/deployment-webhook.yaml
@@ -41,6 +41,7 @@ spec:
             readOnlyRootFilesystem: true
             runAsNonRoot: true
             runAsUser: 12364
+            runAsGroup: 12364
             seccompProfile:
               type: RuntimeDefault
           image: ghcr.io/external-secrets/external-secrets:v0.10.5
@@ -70,6 +71,12 @@ spec:
             - name: certs
               mountPath: /tmp/certs
               readOnly: true
+          resources:
+            requests:
+              memory: 64Mi
+              cpu: 50Mi
+            limits:
+              memory: 256Mi
       volumes:
         - name: certs
           secret:
diff --git a/infra/external-secrets/components/resources/deployment.yaml b/infra/external-secrets/components/resources/deployment.yaml
@@ -44,6 +44,7 @@ spec:
             readOnlyRootFilesystem: true
             runAsNonRoot: true
             runAsUser: 12364
+            runAsGroup: 12364
             seccompProfile:
               type: RuntimeDefault
           image: ghcr.io/external-secrets/external-secrets:v0.10.5
@@ -55,4 +56,10 @@ spec:
             - containerPort: 8080
               protocol: TCP
               name: metrics
+          resources:
+            requests:
+              memory: 128Mi
+              cpu: 50Mi
+            limits:
+              memory: 1Gi
       dnsPolicy: ClusterFirst
