feat: disable allowPrivilegeEscalation

traefik · Jul 13, 2023 · 9443225 · 9443225
1 parent 54fd8aa
commit 9443225
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 6 deletions.
diff --git a/traefik/tests/pod-config_test.yaml b/traefik/tests/pod-config_test.yaml
@@ -31,6 +31,7 @@ tests:
       podSecurityContext:
         readOnlyRootFilesystem: false
       securityContext:
+        allowPrivilegeEscalation: true
         runAsUser: 1000
     asserts:
       - equal:
@@ -39,6 +40,9 @@ tests:
       - equal:
           path: spec.template.spec.securityContext.runAsNonRoot
           value: true
+      - equal:
+          path: spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation
+          value: true
       - equal:
           path: spec.template.spec.containers[0].securityContext.runAsUser
           value: 1000

diff --git a/traefik/values.yaml b/traefik/values.yaml
@@ -563,15 +563,15 @@ ports:
     # NodePort.
     #
     # -- You SHOULD NOT expose the traefik port on production deployments.
-    # If you want to access it from outside of your cluster,
+    # If you want to access it from outside your cluster,
     # use `kubectl port-forward` or create a secure ingress
     expose: false
     # -- The exposed port for this service
     exposedPort: 9000
     # -- The port protocol (TCP/UDP)
     protocol: TCP
   web:
-    ## -- Enable this entrypoint as a default entrypoint. When a service doesn't explicity set an entrypoint it will only use this entrypoint.
+    ## -- Enable this entrypoint as a default entrypoint. When a service doesn't explicitly set an entrypoint it will only use this entrypoint.
     # asDefault: true
     port: 8000
     # hostPort: 8000
@@ -600,7 +600,7 @@ ports:
     #   trustedIPs: []
     #   insecure: false
   websecure:
-    ## -- Enable this entrypoint as a default entrypoint. When a service doesn't explicity set an entrypoint it will only use this entrypoint.
+    ## -- Enable this entrypoint as a default entrypoint. When a service doesn't explicitly set an entrypoint it will only use this entrypoint.
     # asDefault: true
     port: 8443
     # hostPort: 8443
@@ -666,7 +666,7 @@ ports:
     # NodePort.
     #
     # -- You may not want to expose the metrics port on production deployments.
-    # If you want to access it from outside of your cluster,
+    # If you want to access it from outside your cluster,
     # use `kubectl port-forward` or create a secure ingress
     expose: false
     # -- The exposed port for this service
@@ -880,14 +880,15 @@ topologySpreadConstraints: []
 priorityClassName: ""
 
 # -- Set the container security context
-# -- To run the container with ports below 1024 this will need to be adjust to run as root
+# -- To run the container with ports below 1024 this will need to be adjusted to run as root
 securityContext:
   capabilities:
     drop: [ALL]
   readOnlyRootFilesystem: true
+  allowPrivilegeEscalation: false
 
 podSecurityContext:
-  # /!\ When setting fsGroup, Kubernetes will recursively changes ownership and
+  # /!\ When setting fsGroup, Kubernetes will recursively change ownership and
   # permissions for the contents of each volume to match the fsGroup. This can
   # be an issue when storing sensitive content like TLS Certificates /!\
   # fsGroup: 65532