fix: tighten securityContext to comply with restricted PSS (#600)

makes argocd-image-updater compatible with restricted Pod Security Standard Signed-off-by: Takeo Sawada <myc.monad@gmail.com>
author: Takeo Sawada <myc.monad@gmail.com> 2023-08-16 00:07:09 +0900
committer: GitHub <noreply@github.com> 2023-08-15 11:07:09 -0400
commit: 31484fcaf05cc6033defcc14af391501f4d5699c (patch)
tree: ccf8494ec22f09f0470017f330d44063d25e1169 /manifests
parent: c6cce47e2ae47e5bd67f98d993be4f476f7cadfa (diff)
2 files changed, 26 insertions, 0 deletions
diff --git a/manifests/base/deployment/argocd-image-updater-deployment.yaml b/manifests/base/deployment/argocd-image-updater-deployment.yaml
index 1e430bf..5682ed7 100644
--- a/manifests/base/deployment/argocd-image-updater-deployment.yaml
+++ b/manifests/base/deployment/argocd-image-updater-deployment.yaml
@@ -98,6 +98,15 @@ spec:
             port: 8080
           initialDelaySeconds: 3
           periodSeconds: 30
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          seccompProfile:
+            type: RuntimeDefault
         volumeMounts:
         - mountPath: /app/config
           name: image-updater-conf
@@ -105,6 +114,8 @@ spec:
           name: ssh-known-hosts
         - mountPath: /app/.ssh
           name: ssh-config
+        - mountPath: /tmp
+          name: tmp
       serviceAccountName: argocd-image-updater
       volumes:
       - configMap:
@@ -124,3 +135,5 @@ spec:
           name: argocd-image-updater-ssh-config
           optional: true
         name: ssh-config
+      - emptyDir: {}
+        name: tmp
diff --git a/manifests/install.yaml b/manifests/install.yaml
index 640368d..b65b12b 100644
--- a/manifests/install.yaml
+++ b/manifests/install.yaml
@@ -181,6 +181,15 @@ spec:
             port: 8080
           initialDelaySeconds: 3
           periodSeconds: 30
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          seccompProfile:
+            type: RuntimeDefault
         volumeMounts:
         - mountPath: /app/config
           name: image-updater-conf
@@ -188,6 +197,8 @@ spec:
           name: ssh-known-hosts
         - mountPath: /app/.ssh
           name: ssh-config
+        - mountPath: /tmp
+          name: tmp
       serviceAccountName: argocd-image-updater
       volumes:
       - configMap:
@@ -207,3 +218,5 @@ spec:
           name: argocd-image-updater-ssh-config
           optional: true
         name: ssh-config
+      - emptyDir: {}
+        name: tmp
author	Takeo Sawada <myc.monad@gmail.com>	2023-08-16 00:07:09 +0900
committer	GitHub <noreply@github.com>	2023-08-15 11:07:09 -0400
commit	31484fcaf05cc6033defcc14af391501f4d5699c (patch)
tree	ccf8494ec22f09f0470017f330d44063d25e1169 /manifests
parent	c6cce47e2ae47e5bd67f98d993be4f476f7cadfa (diff)