update deployment securityContext (#171)

Signed-off-by: Zhiwei Yin <[email protected]>
open-cluster-management-io · Dec 8, 2023 · 00d2026 · 00d2026
1 parent 8474972
commit 00d2026
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 0 deletions.
diff --git a/charts/cluster-proxy/templates/manager-deployment.yaml b/charts/cluster-proxy/templates/manager-deployment.yaml
@@ -24,3 +24,11 @@ spec:
             - --leader-elect=true
             - --signer-secret-namespace={{ .Release.Namespace }}
             - --agent-install-all=true
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+              - ALL
+            privileged: false
+            runAsNonRoot: true
+            readOnlyRootFilesystem: true
diff --git a/pkg/proxyagent/agent/manifests/charts/addon-agent/templates/addon-agent-deployment.yaml b/pkg/proxyagent/agent/manifests/charts/addon-agent/templates/addon-agent-deployment.yaml
@@ -51,6 +51,14 @@ spec:
             {{- range .Values.additionalProxyAgentArgs }}
             - {{ . }}
             {{- end }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+              - ALL
+            privileged: false
+            runAsNonRoot: true
+            readOnlyRootFilesystem: true
           volumeMounts:
             - name: ca
               mountPath: /etc/ca
@@ -75,6 +83,14 @@ spec:
             {{- range .Values.addonAgentArgs }}
             - {{ . }}
             {{- end }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            runAsNonRoot: true
+            readOnlyRootFilesystem: true
           volumeMounts:
             - name: hub-kubeconfig
               mountPath: /etc/kubeconfig/

diff --git a/pkg/proxyserver/controllers/manifests.go b/pkg/proxyserver/controllers/manifests.go
@@ -126,6 +126,15 @@ func newProxyServerDeployment(config *proxyv1alpha1.ManagedProxyConfiguration) *
 								"--cluster-cert=/etc/agent-pki/tls.crt",
 								"--cluster-key=/etc/agent-pki/tls.key",
 							}, config.Spec.ProxyServer.AdditionalArgs...),
+							SecurityContext: &corev1.SecurityContext{
+								Capabilities: &corev1.Capabilities{
+									Drop: []corev1.Capability{"ALL"},
+								},
+								Privileged:               pointer.Bool(false),
+								RunAsNonRoot:             pointer.Bool(true),
+								ReadOnlyRootFilesystem:   pointer.Bool(true),
+								AllowPrivilegeEscalation: pointer.Bool(false),
+							},
 							VolumeMounts: []corev1.VolumeMount{
 								{
 									Name:      "proxy-server-ca-certs",