added runAsNonRoot, dropped caps and disallow priv escalation

2026-01-13 16:20:23 +11:00
parent 9e2829f9bf
commit 3458bf91a3
1 changed files with 33 additions and 17 deletions
--- a/values.yaml
+++ b/values.yaml
@@ -252,20 +252,28 @@ injector:
    certName: tls.crt
    keyName: tls.key

-  # Security context for the pod template and the injector container
-  # The default pod securityContext is:
-  #   runAsNonRoot: true
-  #   runAsGroup: {{ .Values.injector.gid | default 1000 }}
-  #   runAsUser: {{ .Values.injector.uid | default 100 }}
-  #   fsGroup: {{ .Values.injector.gid | default 1000 }}
-  # and for container is
-  #    allowPrivilegeEscalation: false
-  #    capabilities:
-  #      drop:
-  #        - ALL
-  securityContext:
-    pod: {}
-    container: {}
+    # Security context for the pod template and the injector container
+    # The default pod securityContext is:
+    #   runAsNonRoot: true
+    #   runAsGroup: {{ .Values.injector.gid | default 1000 }}
+    #   runAsUser: {{ .Values.injector.uid | default 100 }}
+    #   fsGroup: {{ .Values.injector.gid | default 1000 }}
+    # and for container is
+    #    allowPrivilegeEscalation: false
+    #    capabilities:
+    #      drop:
+    #        - ALL
+    #securityContext:
+    #  pod: {}
+    #  container: {}
+    securityContext:
+    pod:
+      runAsNonRoot: true
+    container:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+          - ALL

  resources: {}
  # resources:
@@ -1031,9 +1039,17 @@ server:
    # If not set, these will default to, and for OpenShift:
    # pod: {}
    # container: {}
-    securityContext:
-      pod: {}
-      container: {}
+    #securityContext:
+    #  pod: {}
+    #  container: {}
+  securityContext:
+    pod:
+      runAsNonRoot: true
+    container:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+          - ALL

  # Should the server pods run on the host network
  hostNetwork: false