weiguoqiang/cert-manager
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

Configure HTTP01 solver Pod with readOnlyRootFilesystem

Browse Source 
Signed-off-by: Richard Wall <richard.wall@venafi.com>
This commit is contained in:
Richard Wall 2023-10-31 14:47:24 +00:00
parent c8640908e7
commit 9b5dd86084
2 changed files with 2 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
pkg/issuer/acme/http/pod.go
View File

@ -226,6 +226,7 @@ func (s *Solver) buildDefaultPod(ch *cmacme.Challenge) *corev1.Pod {
}, },
}, },
SecurityContext: &corev1.SecurityContext{ SecurityContext: &corev1.SecurityContext{
ReadOnlyRootFilesystem: ptr.To(true),
AllowPrivilegeEscalation: ptr.To(false), AllowPrivilegeEscalation: ptr.To(false),
Capabilities: &corev1.Capabilities{ Capabilities: &corev1.Capabilities{
Drop: []corev1.Capability{"ALL"}, Drop: []corev1.Capability{"ALL"},

1
pkg/issuer/acme/http/pod_test.go
View File

@ -116,6 +116,7 @@ func TestEnsurePod(t *testing.T) {
}, },
}, },
SecurityContext: &corev1.SecurityContext{ SecurityContext: &corev1.SecurityContext{
ReadOnlyRootFilesystem: ptr.To(true),
AllowPrivilegeEscalation: ptr.To(false), AllowPrivilegeEscalation: ptr.To(false),
Capabilities: &corev1.Capabilities{ Capabilities: &corev1.Capabilities{
Drop: []corev1.Capability{"ALL"}, Drop: []corev1.Capability{"ALL"},