Merge pull request #1995 from alphagov/add-restricted-capbilities-cro…

…n-jobs Add securityContext from cron-jobs containers
alphagov · May 1, 2024 · 29e8b4f · 29e8b4f
2 parents 4bfd76b + 7840bcc
commit 29e8b4f
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/charts/generic-govuk-app/templates/cron-task.yaml b/charts/generic-govuk-app/templates/cron-task.yaml
@@ -35,6 +35,8 @@ spec:
           automountServiceAccountToken: {{- if .serviceAccount }} true {{- else }} false {{- end }}
           enableServiceLinks: false
           securityContext:
+            seccompProfile:
+              type: RuntimeDefault
             fsGroup: {{ $.Values.securityContext.runAsGroup }}
             runAsNonRoot: {{ $.Values.securityContext.runAsNonRoot }}
             runAsUser: {{ $.Values.securityContext.runAsUser }}
@@ -91,6 +93,8 @@ spec:
               securityContext:
                 allowPrivilegeEscalation: false
                 readOnlyRootFilesystem: true
+                capabilities:
+                  drop: ["ALL"]
               volumeMounts:
                 - name: app-tmp
                   mountPath: /tmp