From d397aa546287f546bf3a55866fcef4213963fa60 Mon Sep 17 00:00:00 2001
From: Ivan
Date: Thu, 17 Mar 2022 00:46:35 +0100
Subject: [PATCH 1/2] update: Setting allowPrivilegeEscalation to false

Signed-off-by: Ivan
---
 pkg/issuer/acme/http/pod.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/pkg/issuer/acme/http/pod.go b/pkg/issuer/acme/http/pod.go
index 398e32592..79f37eaf2 100644
--- a/pkg/issuer/acme/http/pod.go
+++ b/pkg/issuer/acme/http/pod.go
@@ -202,6 +202,9 @@ func (s *Solver) buildDefaultPod(ch *cmacme.Challenge) *corev1.Pod {
 							ContainerPort: acmeSolverListenPort,
 						},
 					},
+					SecurityContext: &corev1.SecurityContext{
+						AllowPrivilegeEscalation: pointer.BoolPtr(false),
+					},
 				},
 			},
 		},

From 5c857d3737ecadd093350fb0a145ee9e3d2623fa Mon Sep 17 00:00:00 2001
From: Ivan
Date: Mon, 21 Mar 2022 17:17:28 +0100
Subject: [PATCH 2/2] update: Setting allowPrivilegeEscalation to false for controller, cainjector, webhook containers and for startupapicheck job

Signed-off-by: Ivan
---
 deploy/charts/cert-manager/values.yaml | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/deploy/charts/cert-manager/values.yaml b/deploy/charts/cert-manager/values.yaml
index a771c5512..e5b9d94eb 100644
--- a/deploy/charts/cert-manager/values.yaml
+++ b/deploy/charts/cert-manager/values.yaml
@@ -120,7 +120,8 @@ securityContext:
 
 # Container Security Context to be set on the controller component container
 # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
-containerSecurityContext: {}
+containerSecurityContext:
+  allowPrivilegeEscalation: false
 # capabilities:
 # drop:
 # - ALL
@@ -237,7 +238,8 @@ webhook:
 
   # Container Security Context to be set on the webhook component container
   # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
-  containerSecurityContext: {}
+  containerSecurityContext:
+    allowPrivilegeEscalation: false
   # capabilities:
   # drop:
   # - ALL
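Review bot: The new SecurityContext on the solver container sets only AllowPrivilegeEscalation; the capability drop and read-only root filesystem that the chart's values.yaml lists as commented options are not applied here, so the solver pod still does not satisfy the restricted Pod Security Standard on its own. If the goal is to harden the ACME solver pod, `Capabilities: &corev1.Capabilities{Drop: []corev1.Capability{"ALL"}},` and `ReadOnlyRootFilesystem: pointer.BoolPtr(true),` belong alongside it, once it is confirmed the solver binary needs no writable filesystem. In recent releases of k8s.io/utils `pointer.BoolPtr` is deprecated in favour of `pointer.Bool`; which applies depends on the vendored version, which this patch does not show. buildDefaultPod starts and ends outside the hunk, so whether a pod-level SecurityContext (for example RunAsNonRoot) is already set is not visible here, and a unit test asserting the new field on the built pod would guard against it being dropped later.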
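Review bot: Replacing the default `containerSecurityContext: {}` with a populated map changes how user overrides merge: Helm deep-merges supplied values into the chart defaults, so a user who sets `containerSecurityContext: {}` or any map without the key still gets `allowPrivilegeEscalation: false`, and unsetting it requires `allowPrivilegeEscalation: null`. That is the right behaviour for a hardening default, but it should be stated in the comment above the key, for instance `# Defaults to allowPrivilegeEscalation: false; set that key to null to unset it.` The same point applies to the webhook hunk below and to the cainjector hunk that follows in this file. The remaining options (`capabilities.drop: [ALL]`, `readOnlyRootFilesystem`, `runAsNonRoot`) stay commented out, so the new default by itself does not meet the restricted Pod Security Standard; acceptable as an incremental step, provided the chart documentation says so.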
@@ -372,7 +374,8 @@ cainjector:
 
   # Container Security Context to be set on the cainjector component container
   # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
-  containerSecurityContext: {}
+  containerSecurityContext:
+    allowPrivilegeEscalation: false
   # capabilities:
   # drop:
   # - ALL
@@ -449,6 +452,16 @@ startupapicheck:
   securityContext:
     runAsNonRoot: true
 
+  # Container Security Context to be set on the controller component container
+  # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+  containerSecurityContext:
+    allowPrivilegeEscalation: false
+  # capabilities:
+  # drop:
+  # - ALL
+  # readOnlyRootFilesystem: true
+  # runAsNonRoot: true
+
   # Timeout for 'kubectl check api' command
   timeout: 1m
 
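Review bot: The comment added above the new startupapicheck `containerSecurityContext` says "controller component container", copied from the controller section; it should read `# Container Security Context to be set on the startupapicheck component container`. Apart from that the block matches the other three components. Whether the startupapicheck Job template actually renders `.Values.startupapicheck.containerSecurityContext` is not visible in this patch; if the template has no corresponding block, the new value is silently ignored and the job's container keeps the cluster default for privilege escalation, so that template should be checked before merging.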