Specify securityContext for cert-manager (#9404)

In hardened environments, cert-manager pods could not be created
from the corresponding deployments. This adds the securityContext
to solve the issue.
This commit is contained in:
Kenichi Omichi 2022-10-20 16:57:08 +09:00 committed by GitHub
parent ccbe38f78c
commit 0374a55eb3
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -870,6 +870,11 @@ spec:
fieldPath: metadata.namespace fieldPath: metadata.namespace
securityContext: securityContext:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
capabilities:
drop: ['ALL']
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
{% if cert_manager_tolerations %} {% if cert_manager_tolerations %}
tolerations: tolerations:
{{ cert_manager_tolerations | to_nice_yaml(indent=2) | indent(width=8) }} {{ cert_manager_tolerations | to_nice_yaml(indent=2) | indent(width=8) }}
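Review bot: `runAsNonRoot: true` is added without a `runAsUser`, so the kubelet can only verify the non-root requirement from the image's USER directive; if the image runs as root or names a non-numeric user, the container is rejected at start with a CreateContainerConfigError, which is the same symptom this commit sets out to fix. The stock cert-manager images presumably run as a numeric non-root user, but since the image is likely templated, a comment next to the setting would make the dependency visible: `# runAsNonRoot is verified from the image USER; set runAsUser if a custom image does not declare a numeric non-root user`. The same applies to the identical hunks at +949 and +1050. With the other restricted-profile fields already present, `readOnlyRootFilesystem: true` is the remaining hardening setting worth considering for these containers, provided they do not write to their root filesystem. The enclosing container spec starts and ends outside the hunk.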
@ -944,6 +949,11 @@ spec:
protocol: TCP protocol: TCP
securityContext: securityContext:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
capabilities:
drop: ['ALL']
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
env: env:
- name: POD_NAMESPACE - name: POD_NAMESPACE
valueFrom: valueFrom:
@ -1040,6 +1050,11 @@ spec:
failureThreshold: 3 failureThreshold: 3
securityContext: securityContext:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
capabilities:
drop: ['ALL']
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
env: env:
- name: POD_NAMESPACE - name: POD_NAMESPACE
valueFrom: valueFrom: