I have the below controller configmap on v3.4.7.

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: workflow-controller-configmap
data:
  # https://blog.argoproj.io/practical-argo-workflows-hardening-dd8429acc1ce
  mainContainer: |
    securityContext:
      runAsNonRoot: true
      runAsUser: 8737
      runAsGroup: 8737
      privileged: false
      readOnlyRootFilesystem: true
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - ALL
  executor: |
    securityContext:
      runAsNonRoot: true
      runAsUser: 8737
      runAsGroup: 8737
      privileged: false
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - ALL
  workflowDefaults: |
    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 8737
        runAsGroup: 8737
```

I am trying to remove

I've tried setting capabilities to

I've tried setting drop to

e.g.

```yaml
securityContext:
  runAsUser: 1000
  runAsGroup: 1000
  capabilities: null
```

```yaml
securityContext:
  runAsUser: 1000
  runAsGroup: 1000
  capabilities: {}
```

But when I check the YAML of my pod, the container's securityContext capabilities is still drop all.

Referencing @alexec's blog post

And helm's deleting a default key
Replies: 1 comment 1 reply
Seems like a bug. The logic here needs to be revisited: https://github.com/argoproj/argo-workflows/blob/master/workflow/controller/workflowpod.go#L607-L629
Looks like an issue was filed for this in #11130, so closing this discussion as superseded