Add pod security contexts

rgherta · rgherta · commit 285500fe111d · 2022-04-18T20:24:54.000+02:00
Enforces Pod Security Standards v1.23 Ensures HNC container process will comply with latest security rules, process isolation etc https://kubernetes.io/docs/concepts/security/pod-security-standards/ Tested: make test-e2e ran successful --- PASS: TestE2e (541.48s) PASS ok sigs.k8s.io/hierarchical-namespaces/test/e2e 541.484s
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
@@ -3,6 +3,8 @@ kind: Namespace
 metadata:
   labels:
     control-plane: controller-manager
+    pod-security.kubernetes.io/enforce: restricted  
+    pod-security.kubernetes.io/enforce-version: v1.23
   name: system
 ---
 apiVersion: apps/v1
@@ -57,6 +59,14 @@ spec:
         - containerPort: 8080
           name: metrics
           protocol: TCP
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          seccompProfile:
+            type: RuntimeDefault
+          capabilities:
+            drop: ["ALL"]
         volumeMounts:
         - mountPath: /tmp/k8s-webhook-server/serving-certs
           name: cert
