From a35739ec17d3358a8520f6b6e45a2052cb2c886b Mon Sep 17 00:00:00 2001
From: romh
Date: Wed, 6 Apr 2022 00:17:25 +0200
Subject: [PATCH] Fixes #181

Tested:
ok sigs.k8s.io/hierarchical-namespaces/internal/anchor 0.026s coverage: 14.9% of statements
ok sigs.k8s.io/hierarchical-namespaces/internal/config 0.049s coverage: 18.8% of statements
ok sigs.k8s.io/hierarchical-namespaces/internal/forest 0.043s coverage: 25.1% of statements
ok sigs.k8s.io/hierarchical-namespaces/internal/hierarchyconfig 0.099s coverage: 23.8% of statements
ok sigs.k8s.io/hierarchical-namespaces/internal/hncconfig 0.023s coverage: 25.7% of statements
ok sigs.k8s.io/hierarchical-namespaces/internal/namespace 0.020s coverage: 59.8% of statements
ok sigs.k8s.io/hierarchical-namespaces/internal/objects 0.018s coverage: 35.3% of statements
ok sigs.k8s.io/hierarchical-namespaces/test/e2e 0.002s
---
 config/manager/manager.yaml | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
index 87b3e7d11..8de59ebfd 100644
--- a/config/manager/manager.yaml
+++ b/config/manager/manager.yaml
@@ -3,6 +3,8 @@ kind: Namespace
 metadata:
   labels:
     control-plane: controller-manager
+    pod-security.kubernetes.io/enforce: restricted
+    pod-security.kubernetes.io/enforce-version: v1.23
   name: system
 ---
 apiVersion: apps/v1
@@ -57,6 +59,14 @@ spec:
         - containerPort: 8080
           name: metrics
           protocol: TCP
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          seccompProfile:
+            type: RuntimeDefault
+          capabilities:
+            drop: ["ALL"]
         volumeMounts:
         - mountPath: /tmp/k8s-webhook-server/serving-certs
           name: cert
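Review bot: The Namespace receives only the `pod-security.kubernetes.io/enforce` label, so a pod spec that satisfies the v1.23 `restricted` profile but would fail a later one is neither warned about nor audited; adding `pod-security.kubernetes.io/warn: restricted` and `pod-security.kubernetes.io/audit: restricted` beside it makes such drift visible before it becomes a hard rejection. Pinning `enforce-version: v1.23` also freezes the profile definition at that release, so tightenings that later Kubernetes versions add to `restricted` will not apply to this namespace until the label is bumped; a comment such as `# PSA profile pinned to v1.23; revisit when the minimum supported cluster version is raised` would record that this is intentional. These labels only have an effect on clusters where the PodSecurity admission controller is active, which cannot be determined from this manifest.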
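Review bot: `runAsNonRoot: true` is set without a `runAsUser`, so whether the container is admitted at runtime depends on the image declaring a non-root `USER`; if it does not, the kubelet rejects the container at start (CreateContainerConfigError) rather than at apply time, and the "Tested" output in the commit message covers Go unit tests only, so this path is presumably unverified. Adding an explicit numeric `runAsUser` matching the UID the manager image runs as (for example `runAsUser: 65532` for a distroless nonroot base — confirm against the actual image) removes that dependency. With `readOnlyRootFilesystem: true`, any location the controller writes to other than the `/tmp/k8s-webhook-server/serving-certs` mount now needs an `emptyDir`-backed volume; none is visible in this hunk, and the enclosing Deployment spec starts outside it. As a point of style, `drop: ["ALL"]` is the only flow-style list in the file section; writing it as `drop:` followed by `- ALL` would match the block style used for `ports` and `volumeMounts`.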