From 08d469b0043b0a70fae74f219a9f21690c9bc88a Mon Sep 17 00:00:00 2001
From: Gerald Pape
Date: Wed, 12 Feb 2025 11:36:32 +0100
Subject: [PATCH 1/2] Add securityContext to climatems
---
 apps/climatems/climatems.yaml | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)
diff --git a/apps/climatems/climatems.yaml b/apps/climatems/climatems.yaml
index 98c3e28f..0a984d98 100644
--- a/apps/climatems/climatems.yaml
+++ b/apps/climatems/climatems.yaml
@@ -63,8 +63,6 @@ metadata:
 app.kubernetes.io/name: climatems
 app.kubernetes.io/component: webserver
 app.kubernetes.io/part-of: climatems
- annotations:
- kube-linter.io/ignore-all: "true"
 spec:
 replicas: 1
 selector:
@@ -81,6 +79,8 @@ spec:
 spec:
 automountServiceAccountToken: false
 serviceAccountName: climatems-climatems
+ securityContext:
+ fsGroup: 1000
 containers:
 - name: climatems
 image: ghcr.io/codeformuenster/climatems:v0.1.0
@@ -89,4 +89,15 @@ spec:
 resources:
 requests:
 memory: "100Mi"
- cpu: "200m"
\ No newline at end of file
+ cpu: "200m"
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsGroup: 1000
+ runAsNonRoot: true
+ runAsUser: 1000
+ seccompProfile:
+ type: RuntimeDefault
From 7ea19b000393e08f2aafd9bcff988a0e5d1c8f4b Mon Sep 17 00:00:00 2001
From: Gerald Pape
Date: Wed, 12 Feb 2025 11:37:55 +0100
Subject: [PATCH 2/2] Add pss ns annotation for climatems
---
 apps/climatems/kustomization.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/apps/climatems/kustomization.yaml b/apps/climatems/kustomization.yaml
index 8235daa4..2816e416 100644
--- a/apps/climatems/kustomization.yaml
+++ b/apps/climatems/kustomization.yaml
@@ -4,5 +4,5 @@ kind: Kustomization
 namespace: c4m-climatems
 resources:
-- ../../base/namespace
+- ../../base/namespace-pss-restricted
 - climatems.yaml
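Review bot: In apps/climatems/climatems.yaml (hunk `@@ -81,6 +79,8 @@`), the new pod-level `securityContext` carries only `fsGroup: 1000`, while the identity and seccomp settings are set on the `climatems` container alone in the following hunk. Putting `runAsNonRoot`, `runAsUser`, `runAsGroup` and `seccompProfile` at pod level makes them the default for any init container or sidecar added later, which matters once the namespace enforces the restricted profile; `allowPrivilegeEscalation` and `capabilities` are container-only fields and stay where they are. `fsGroup` only affects volumes that support ownership management and no volume is visible in this hunk, so a one-line comment naming the mount it is meant for would help. The pod spec starts and ends outside the hunk.

```yaml
# … unchanged: automountServiceAccountToken, serviceAccountName …
securityContext:
  fsGroup: 1000
  runAsNonRoot: true
  runAsUser: 1000
  runAsGroup: 1000
  seccompProfile:
    type: RuntimeDefault
# … unchanged: containers …
```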
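Review bot: In apps/climatems/climatems.yaml (hunk `@@ -89,4 +89,15 @@`), `readOnlyRootFilesystem: true` is added with no writable mount visible in this part of the container spec, so any path the process writes at runtime (temp files, caches) will fail; if the image needs one, an `emptyDir` mounted at that path keeps the root filesystem read-only. `runAsUser: 1000` and `runAsGroup: 1000` presumably match the user the image is built for, which cannot be confirmed from the diff; a comment such as `# UID/GID 1000 must match the user in the climatems image` above `runAsUser` would record the assumption. Only `resources.requests` is visible for this container, and since the first hunk removes the `kube-linter.io/ignore-all` annotation, the Deployment is linted again and missing limits may now be reported.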
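Review bot: In apps/climatems/kustomization.yaml, the commit subject speaks of a namespace annotation, but Pod Security Admission reads namespace labels, so `../../base/namespace-pss-restricted` (not visible here) should be checked to set `pod-security.kubernetes.io/enforce: restricted` under `metadata.labels`, not under `annotations`. Pinning `pod-security.kubernetes.io/enforce-version` to a fixed Kubernetes minor would keep a cluster upgrade from silently tightening the policy. Enforcement is evaluated when pods are created, so a violation would only surface at the next rollout of the Deployment; setting the `warn` and `audit` labels to `restricted` as well makes such a violation visible at apply time and in the audit log.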