External-Mirrors/kubespray
2
0
Fork 0
mirror of https://github.com/kubernetes-sigs/kubespray.git synced 2026-03-04 02:01:04 -03:30
Code Issues Packages Projects Releases Wiki Activity

Specify securityContext for cert-manager (#9404)

Browse Source 
On hardening environments, cert-manager pods could not be created
from the corresponding deployments. This adds the securityContext
to solve the issue.
This commit is contained in:
Kenichi Omichi
2022-10-20 16:57:08 +09:00
committed by GitHub
parent ccbe38f78c
commit 0374a55eb3
1 changed files with 15 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.yml.j2
View File

@@ -870,6 +870,11 @@ spec:
fieldPath: metadata.namespace fieldPath: metadata.namespace
securityContext: securityContext:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
capabilities:
drop: ['ALL']
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
{% if cert_manager_tolerations %} {% if cert_manager_tolerations %}
tolerations: tolerations:
{{ cert_manager_tolerations | to_nice_yaml(indent=2) | indent(width=8) }} {{ cert_manager_tolerations | to_nice_yaml(indent=2) | indent(width=8) }}
@@ -944,6 +949,11 @@ spec:
protocol: TCP protocol: TCP
securityContext: securityContext:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
capabilities:
drop: ['ALL']
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
env: env:
- name: POD_NAMESPACE - name: POD_NAMESPACE
valueFrom: valueFrom:
@@ -1040,6 +1050,11 @@ spec:
failureThreshold: 3 failureThreshold: 3
securityContext: securityContext:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
capabilities:
drop: ['ALL']
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
env: env:
- name: POD_NAMESPACE - name: POD_NAMESPACE
valueFrom: valueFrom: