security: Drop capabilities and enable seccomp

Further restricts the SecurityContext that the controller runs under, by enabling the default seccomp profile, dropping all linux capabilities. It also enforces the execution under user/group ID 65534 (aka nobody). This was set at container-level to ensure backwards compatibility with use cases in which more privileged sidecars are injected into the source-controller pod without setting less restrictive settings. Signed-off-by: Paulo Gomes <paulo.gomes@weave.works>
fluxcd · Dec 11, 2021 · c530c96 · c530c96
1 parent 3f5da11
commit c530c96
Showing 1 changed file with 8 additions and 2 deletions.
diff --git a/config/manager/deployment.yaml b/config/manager/deployment.yaml
@@ -20,9 +20,9 @@ spec:
         prometheus.io/port: "8080"
     spec:
       terminationGracePeriodSeconds: 10
-      # Required for AWS IAM Role bindings
-      # https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-technical-overview.html
       securityContext:
+        # Required for AWS IAM Role bindings
+        # https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-technical-overview.html
         fsGroup: 1337
       containers:
       - name: manager
@@ -31,6 +31,12 @@ spec:
         securityContext:
           allowPrivilegeEscalation: false
           readOnlyRootFilesystem: true
+          capabilities:
+            drop: [ "ALL" ]
+          runAsUser: 65534
+          runAsGroup: 65534
+          seccompProfile:
+            type: RuntimeDefault
         ports:
           - containerPort: 9090
             name: http