Pass security context to certgen job

Signed-off-by: Tamal Saha <tamal@appscode.com>
voyagermesh · May 22, 2024 · 0e2b9cd · 0e2b9cd
1 parent ccf0689
commit 0e2b9cd
Showing 1 changed file with 10 additions and 4 deletions.
diff --git a/charts/voyager-gateway/templates/certgen.yaml b/charts/voyager-gateway/templates/certgen.yaml
@@ -36,11 +36,17 @@ spec:
         image: {{ .Values.deployment.envoyGateway.image.repository }}:{{ .Values.deployment.envoyGateway.image.tag | default .Chart.AppVersion }}
         imagePullPolicy: {{ .Values.deployment.envoyGateway.imagePullPolicy }}
         name: envoy-gateway-certgen
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop: ["ALL"]
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          runAsUser: 65534
+          runAsGroup: 65534
+          seccompProfile:
+            type: RuntimeDefault
       restartPolicy: Never
-      securityContext:
-        runAsGroup: 65534
-        runAsNonRoot: true
-        runAsUser: 65534
       serviceAccountName: {{ include "eg.fullname" . }}-certgen
   {{- if not ( kindIs "invalid" .Values.certgen.job.ttlSecondsAfterFinished) }}
   ttlSecondsAfterFinished: {{ .Values.certgen.job.ttlSecondsAfterFinished }}