Harden preinstall job

giantswarm · Oct 10, 2023 · 113c5fe · 113c5fe
1 parent 39a717b
commit 113c5fe
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/helm/kyverno-policy-operator/templates/crd-install/crd-job.yaml b/helm/kyverno-policy-operator/templates/crd-install/crd-job.yaml
@@ -23,7 +23,6 @@ spec:
       securityContext:
         seccompProfile:
           type: RuntimeDefault
-        readOnlyRootFilesystem: true
         runAsNonRoot: true
         runAsUser: 65534
         runAsGroup: 65534
@@ -46,9 +45,14 @@ spec:
           seccompProfile:
             type: RuntimeDefault
           readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
+          privileged: false
           runAsNonRoot: true
           runAsUser: 65534
           runAsGroup: 65534
+          capabilities:
+            drop:
+            - ALL
         volumeMounts:
 {{- range $path, $_ := .Files.Glob "crd/**" }}
         - name: {{ $path | base | trimSuffix ".yaml" }}