diff --git a/deploy/charts/cert-manager/values.yaml b/deploy/charts/cert-manager/values.yaml
index 0f00343fb..e33ffe355 100644
--- a/deploy/charts/cert-manager/values.yaml
+++ b/deploy/charts/cert-manager/values.yaml
@@ -122,7 +122,8 @@ securityContext:
 # Container Security Context to be set on the controller component container
 # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
-containerSecurityContext: {}
+containerSecurityContext:
+ allowPrivilegeEscalation: false
 # capabilities:
 # drop:
 # - ALL
@@ -239,7 +240,8 @@ webhook:
 # Container Security Context to be set on the webhook component container
 # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
- containerSecurityContext: {}
+ containerSecurityContext:
+ allowPrivilegeEscalation: false
 # capabilities:
 # drop:
 # - ALL
@@ -374,7 +376,8 @@ cainjector:
 # Container Security Context to be set on the cainjector component container
 # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
- containerSecurityContext: {}
+ containerSecurityContext:
+ allowPrivilegeEscalation: false
 # capabilities:
 # drop:
 # - ALL
@@ -451,6 +454,16 @@ startupapicheck:
 securityContext:
 runAsNonRoot: true
+ # Container Security Context to be set on the controller component container
+ # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+ containerSecurityContext:
+ allowPrivilegeEscalation: false
+ # capabilities:
+ # drop:
+ # - ALL
+ # readOnlyRootFilesystem: true
+ # runAsNonRoot: true
+
 # Timeout for 'kubectl check api' command
 timeout: 1m
diff --git a/pkg/issuer/acme/http/pod.go b/pkg/issuer/acme/http/pod.go
index 398e32592..79f37eaf2 100644
--- a/pkg/issuer/acme/http/pod.go
+++ b/pkg/issuer/acme/http/pod.go
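Review bot: Replacing `containerSecurityContext: {}` with a populated map at `@@ -122` changes how user overrides behave: Helm deep-merges map values, so a deployment that supplies its own `containerSecurityContext` block will now also inherit `allowPrivilegeEscalation: false` unless it explicitly sets the key to `true` or `null`, whereas before its block simply stood in for an empty map. The same applies to the webhook (`@@ -239`) and cainjector (`@@ -374`) hunks. This is likely the intended hardening, but it is a behaviour change for existing values files and deserves a line in the chart upgrade notes or a comment above the key, e.g. `# Set a key to null in your own values to drop this default.` The `capabilities`, `readOnlyRootFilesystem` and `runAsNonRoot` entries remain opt-in comments; if the component images need no capabilities, `drop: [ALL]` would be a natural next default, but that depends on the images and is not visible here.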
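Review bot: The added comment `# Container Security Context to be set on the controller component container` in the startupapicheck block (`@@ -451`) was copied from the controller section and should read `# Container Security Context to be set on the startupapicheck component container`, matching the per-component wording used for the webhook and cainjector entries. It is also worth confirming that the startupapicheck job template renders `.Values.startupapicheck.containerSecurityContext`; no template change is in view here, and a value with no consumer would silently leave that container without the setting this commit intends to apply.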
@@ -202,6 +202,9 @@ func (s *Solver) buildDefaultPod(ch *cmacme.Challenge) *corev1.Pod {
 ContainerPort: acmeSolverListenPort,
 },
 },
+ SecurityContext: &corev1.SecurityContext{
+ AllowPrivilegeEscalation: pointer.BoolPtr(false),
+ },
 },
 },
 },
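Review bot: `pointer.BoolPtr(false)` on the added `AllowPrivilegeEscalation` line uses the older helper name; k8s.io/utils/pointer marks `BoolPtr` as deprecated in favour of `pointer.Bool`, so `AllowPrivilegeEscalation: pointer.Bool(false),` is preferable if the vendored version provides it. This appears to be the HTTP-01 solver pod, so the same `SecurityContext` could also carry `Capabilities: &corev1.Capabilities{Drop: []corev1.Capability{"ALL"}}` and `ReadOnlyRootFilesystem: pointer.Bool(true)`, provided acmeSolverListenPort is an unprivileged port and the solver binary does not write to its filesystem; neither fact is visible in this hunk, so it should be checked before tightening further. buildDefaultPod begins and ends outside the hunk.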