Trying to harden Argo Workflows as referenced above.
Kaniko keeps failing, presumably because the main container needs to be root.
However, I would expect it to stop retrying, but it is going on infinitely.
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: workflow-controller-configmap
data:
  workflowDefaults: |
    spec:
      retryStrategy:
        retryPolicy: Always
        limit: 1
        expression: 'lastRetry.status == "Error" or (lastRetry.status == "Failed" and asInt(lastRetry.exitCode) not in [0,1,2,3])'
  mainContainer: |
    serviceAccountName: workflow
    securityContext:
      runAsNonRoot: true
      runAsUser: 8737
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - ALL
  executor: |
    serviceAccountName: workflow
    securityContext:
      runAsNonRoot: true
      runAsUser: 8737
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - ALL
```
argo v3.3.3
References: https://www.datree.io/resources/argocd-best-practices-you-should-know https://blog.argoproj.io/practical-argo-workflows-hardening-dd8429acc1ce https://github.com/argoproj/argo-workflows/discussions/8544