Merge pull request #151 from 1Password/fix/security_vulnerabilities

volodymyrZotov · web-flow · commit fe930fef052d · 2023-03-01T08:20:27.000-06:00
Add runAsNonRoot: true and allowPrivilegeEscalation: false to the specs
diff --git a/config/connect/deployment.yaml b/config/connect/deployment.yaml
@@ -12,6 +12,8 @@ spec:
         app: onepassword-connect
         version: "1.0.0"
     spec:
+      securityContext:
+        runAsNonRoot: true
       volumes:
         - name: shared-data
           emptyDir: {}
@@ -32,6 +34,8 @@ spec:
       containers:
         - name: connect-api
           image: 1password/connect-api:latest
+          securityContext:
+            allowPrivilegeEscalation: false
           resources:
             limits:
               memory: "128Mi"
@@ -49,6 +53,8 @@ spec:
               name: shared-data
         - name: connect-sync
           image: 1password/connect-sync:latest
+          securityContext:
+            allowPrivilegeEscalation: false
           resources:
             limits:
               memory: "128Mi"
diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml
@@ -8,6 +8,8 @@ metadata:
 spec:
   template:
     spec:
+      securityContext:
+        runAsNonRoot: true
       containers:
       - name: kube-rbac-proxy
         securityContext:
diff --git a/config/default/manager_config_patch.yaml b/config/default/manager_config_patch.yaml
@@ -6,6 +6,8 @@ metadata:
 spec:
   template:
     spec:
+      securityContext:
+        runAsNonRoot: true
       containers:
       - name: manager
         args:
