Merge pull request #4953 from ajvn/feature/allow-privilege-escalation

update: Setting allowPrivilegeEscalation to false
jetstack-bot 2022-03-22 11:01:47 +00:00 committed by GitHub
commit be15ce2279
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 19 additions and 3 deletions


@ -122,7 +122,8 @@ securityContext:
# Container Security Context to be set on the controller component container
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
containerSecurityContext: {}
containerSecurityContext:
allowPrivilegeEscalation: false
# capabilities:
# drop:
# - ALL
@ -239,7 +240,8 @@ webhook:
# Container Security Context to be set on the webhook component container
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
containerSecurityContext: {}
containerSecurityContext:
allowPrivilegeEscalation: false
# capabilities:
# drop:
# - ALL
@ -374,7 +376,8 @@ cainjector:
# Container Security Context to be set on the cainjector component container
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
containerSecurityContext: {}
containerSecurityContext:
allowPrivilegeEscalation: false
# capabilities:
# drop:
# - ALL
@ -451,6 +454,16 @@ startupapicheck:
securityContext:
runAsNonRoot: true
# Container Security Context to be set on the controller component container
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
containerSecurityContext:
allowPrivilegeEscalation: false
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# Timeout for 'kubectl check api' command
timeout: 1m
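Review bot: The comment introduced above the new startupapicheck block reads `# Container Security Context to be set on the controller component container`, which is copied from the controller section and should say `# Container Security Context to be set on the startupapicheck component container` so readers do not assume the two blocks are linked. The diffstat lists only two changed files, so whether the startupapicheck deployment template actually reads `.Values.startupapicheck.containerSecurityContext` cannot be confirmed from this page; if it did not before this change, the new `allowPrivilegeEscalation: false` default is never rendered and a template update is needed for it to take effect. The first three hunks also appear truncated here (their `-N,7 +N,8` counts do not match the visible lines), so the `# readOnlyRootFilesystem: true` / `# runAsNonRoot: true` lines presumably still follow as commented-out options there; leaving `capabilities.drop: [ALL]` commented out keeps the containers' capability set at the runtime default, which is worth a short note in the values comment so operators know these hardening knobs remain opt-in.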


@ -202,6 +202,9 @@ func (s *Solver) buildDefaultPod(ch *cmacme.Challenge) *corev1.Pod {
ContainerPort: acmeSolverListenPort,
},
},
SecurityContext: &corev1.SecurityContext{
AllowPrivilegeEscalation: pointer.BoolPtr(false),
},
},
},
},
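Review bot: The new `SecurityContext` on the solver container carries no comment explaining why it is set unconditionally, and since `buildDefaultPod` starts before this hunk it is not visible whether a user-supplied pod template can override or drop it; a one-line comment such as `// Harden the solver container: it only needs to serve the challenge on acmeSolverListenPort and must not gain privileges beyond those of its parent process.` would record the intent for the next maintainer. `pointer.BoolPtr` has been superseded by `pointer.Bool` in k8s.io/utils; if the vendored version in this repo already provides it, `AllowPrivilegeEscalation: pointer.Bool(false),` avoids the deprecated helper, but this cannot be verified from the page. Consider also pinning the behaviour with a unit test that builds the default pod and asserts `*pod.Spec.Containers[0].SecurityContext.AllowPrivilegeEscalation == false`, so a later refactor of the pod spec cannot silently drop the setting.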