Commit
fix: configure security context in containers to mitigate weaknesses
Signed-off-by: Siddhesh Mhadnak <[email protected]>
sid-maddy committed Oct 29, 2023
1 parent a9399e1 commit b5d2e2a
Showing 5 changed files with 47 additions and 20 deletions.
9 changes: 9 additions & 0 deletions kubernetes/manifests/discord/bot/deployment.yaml
Expand Up @@ -20,3 +20,12 @@ spec:
envFrom:
- secretRef:
name: bot-env
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
runAsNonRoot: true
runAsUser: 10000
runAsGroup: 10000
readOnlyRootFilesystem: true
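Review bot: `readOnlyRootFilesystem: true` is set here without any writable volume in the pod spec, so anything the bot process writes to disk (temp files, caches, logs written to a file) will now fail with a read-only filesystem error. Confirm the image writes nothing at runtime, or add an `emptyDir` volume mounted at the paths it needs (typically `/tmp`) alongside this change.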
9 changes: 9 additions & 0 deletions kubernetes/manifests/dragonfly/client/deployment.yaml
Expand Up @@ -20,3 +20,12 @@ spec:
envFrom:
- secretRef:
name: dragonfly-client-env
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
runAsNonRoot: true
runAsUser: 10000
runAsGroup: 10000
readOnlyRootFilesystem: true
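Review bot: the block is missing `seccompProfile: { type: RuntimeDefault }`, which the Kubernetes Pod Security Standards "restricted" profile requires in addition to dropping `ALL` capabilities, `allowPrivilegeEscalation: false` and `runAsNonRoot: true`. Adding it here (or at pod level under `spec.securityContext`) lets the namespace be labelled `pod-security.kubernetes.io/enforce: restricted` without these pods being rejected.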
20 changes: 20 additions & 0 deletions kubernetes/manifests/dragonfly/loader/cronjob.yaml
@@ -0,0 +1,20 @@
apiVersion: batch/v1
kind: CronJob
metadata:
namespace: dragonfly
name: dragonfly-loader
spec:
schedule: '* * * * *'
concurrencyPolicy: Forbid
jobTemplate:
spec:
template:
spec:
containers:
- name: dragonfly-loader
image: ghcr.io/vipyrsec/dragonfly-loader:v1.0.1
imagePullPolicy: Always
envFrom:
- secretRef:
name: dragonfly-loader-env
restartPolicy: Never
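Review bot: the `dragonfly-loader` container in this new CronJob has no `securityContext` at all, while the commit title says security contexts are configured for the containers; the other three manifests in this commit get the `allowPrivilegeEscalation`/`capabilities`/`runAsNonRoot`/`readOnlyRootFilesystem` block, so the loader should carry the same one under `containers[0]`. Separately, with `restartPolicy: Never` and no `backoffLimit`, a failing job is retried six times by default while the `* * * * *` schedule keeps creating new ones (only serialized by `concurrencyPolicy: Forbid`); consider an explicit `backoffLimit`.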
20 changes: 0 additions & 20 deletions kubernetes/manifests/dragonfly/loader/deployment.yaml

This file was deleted.
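Review bot: deleting the loader Deployment and replacing it with a CronJob is a change in how the loader runs, not a security-context fix, yet the commit message only mentions configuring security contexts; the message should state the Deployment-to-CronJob migration so the history explains why `kubernetes/manifests/dragonfly/loader/deployment.yaml` disappears in this commit.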

9 changes: 9 additions & 0 deletions kubernetes/manifests/dragonfly/mainframe/deployment.yaml
Expand Up @@ -20,3 +20,12 @@ spec:
envFrom:
- secretRef:
name: dragonfly-mainframe-env
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
runAsNonRoot: true
runAsUser: 10000
runAsGroup: 10000
readOnlyRootFilesystem: true
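Review bot: `runAsUser: 10000` / `runAsGroup: 10000` are hard-coded in the manifest, so the container will start as that UID regardless of the `USER` the image was built with; verify that the files the mainframe process needs are readable (and any needed directories writable) by UID 10000, otherwise the pod will start but fail at runtime with permission errors. The same identical block is pasted into three manifests; if the repository uses kustomize or similar, a shared patch would keep them from drifting.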
