See internal go/k8s-security-validation-service-user-guide
Two changes:
The readOnlyRootFilesystem flag prevents an attacker from overriding the binary. For the GMP operator, I moved the certificate creation into an empty directory to avoid writing into the root filesystem.
We were missing seccompProfile for rule-evaluator, but we have it everywhere else.
Other warnings are more involved (such as trimming update RBAC permissions).
See internal go/k8s-security-validation-service-user-guide
Two changes:
readOnlyRootFilesystemflag prevents an attacker from overriding the binary. For the GMP operator, I moved the certificate creation into an empty directory to avoid writing into the root filesystem.seccompProfilefor rule-evaluator, but we have it everywhere else.Other warnings are more involved (such as trimming update RBAC permissions).