Specify securityContext for cert-manager (#9404)

On hardening environments, cert-manager pods could not be created from the corresponding deployments. This adds the securityContext to solve the issue.
2022-10-20 16:57:08 +09:00 · 2022-10-20 16:57:08 +09:00 · 0374a55eb3
commit 0374a55eb3
parent ccbe38f78c
1 changed files with 15 additions and 0 deletions
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.yml.j2
@ -870,6 +870,11 @@ spec:
                fieldPath: metadata.namespace
          securityContext:
            allowPrivilegeEscalation: false
+            capabilities:
+              drop: ['ALL']
+            runAsNonRoot: true
+            seccompProfile:
+              type: RuntimeDefault
 {% if cert_manager_tolerations %}
      tolerations:
        {{ cert_manager_tolerations | to_nice_yaml(indent=2) | indent(width=8) }}
@ -944,6 +949,11 @@ spec:
            protocol: TCP
          securityContext:
            allowPrivilegeEscalation: false
+            capabilities:
+              drop: ['ALL']
+            runAsNonRoot: true
+            seccompProfile:
+              type: RuntimeDefault
          env:
          - name: POD_NAMESPACE
            valueFrom:
@ -1040,6 +1050,11 @@ spec:
            failureThreshold: 3
          securityContext:
            allowPrivilegeEscalation: false
+            capabilities:
+              drop: ['ALL']
+            runAsNonRoot: true
+            seccompProfile:
+              type: RuntimeDefault
          env:
          - name: POD_NAMESPACE
            valueFrom: