Open gabor-one opened 3 months ago
Currently, only the "runAsUser" option is set in the controller's container securityContext.
securityContext: runAsUser: 101
Official Azure policies expect "allowPrivilegeEscalation" to be declared false. Kubernetes clusters should not allow container privilege escalation Azure policy Gatekeeper template: k8sazurev3noprivilegeescalation
I propose to upgrade the securityContext to match the official "restricted" pod security standard. Official pod security standards documentation.
Proposed securityContext:
spec: template: spec: containers: - name: controller securityContext: runAsUser: 101 allowPrivilegeEscalation: false seccompProfile: type: RuntimeDefault capabilities: drop: - ALL
Working on #192 to address this.
Currently, only the "runAsUser" option is set in the controller's container securityContext.
Official Azure policies expect "allowPrivilegeEscalation" to be declared false. Kubernetes clusters should not allow container privilege escalation Azure policy Gatekeeper template: k8sazurev3noprivilegeescalation
I propose to upgrade the securityContext to match the official "restricted" pod security standard. Official pod security standards documentation.
Proposed securityContext: