update deployment securityContext

Signed-off-by: Zhiwei Yin <[email protected]>
open-cluster-management-io · Dec 6, 2023 · 3a4b944 · 3a4b944
1 parent 8474972
commit 3a4b944
Show file tree

Hide file tree

Showing 3 changed files with 43 additions and 0 deletions.
diff --git a/charts/cluster-proxy/templates/manager-deployment.yaml b/charts/cluster-proxy/templates/manager-deployment.yaml
@@ -24,3 +24,11 @@ spec:
             - --leader-elect=true
             - --signer-secret-namespace={{ .Release.Namespace }}
             - --agent-install-all=true
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            runAsNonRoot: true
+            readOnlyRootFilesystem: true
diff --git a/pkg/proxyagent/agent/manifests/charts/addon-agent/templates/addon-agent-deployment.yaml b/pkg/proxyagent/agent/manifests/charts/addon-agent/templates/addon-agent-deployment.yaml
@@ -51,6 +51,14 @@ spec:
             {{- range .Values.additionalProxyAgentArgs }}
             - {{ . }}
             {{- end }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            runAsNonRoot: true
+            readOnlyRootFilesystem: true
           volumeMounts:
             - name: ca
               mountPath: /etc/ca
@@ -75,6 +83,14 @@ spec:
             {{- range .Values.addonAgentArgs }}
             - {{ . }}
             {{- end }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            runAsNonRoot: true
+            readOnlyRootFilesystem: true
           volumeMounts:
             - name: hub-kubeconfig
               mountPath: /etc/kubeconfig/

diff --git a/pkg/proxyserver/controllers/manifests.go b/pkg/proxyserver/controllers/manifests.go
@@ -126,6 +126,15 @@ func newProxyServerDeployment(config *proxyv1alpha1.ManagedProxyConfiguration) *
 								"--cluster-cert=/etc/agent-pki/tls.crt",
 								"--cluster-key=/etc/agent-pki/tls.key",
 							}, config.Spec.ProxyServer.AdditionalArgs...),
+							SecurityContext: &corev1.SecurityContext{
+								Capabilities: &corev1.Capabilities{
+									Drop: []corev1.Capability{"ALL"},
+								},
+								Privileged:               falsePtr(),
+								RunAsNonRoot:             truePtr(),
+								ReadOnlyRootFilesystem:   truePtr(),
+								AllowPrivilegeEscalation: falsePtr(),
+							},
 							VolumeMounts: []corev1.VolumeMount{
 								{
 									Name:      "proxy-server-ca-certs",
@@ -220,3 +229,13 @@ func newProxyServerRoleBinding(config *proxyv1alpha1.ManagedProxyConfiguration)
 	}
 
 }
+
+func truePtr() *bool {
+	t := true
+	return &t
+}
+
+func falsePtr() *bool {
+	t := false
+	return &t
+}