Add security context to forwarder-vpp and nsmgr example manifests (networkservicemesh#6826)

Related PRs: cmd-nsmgr/networkservicemesh#547
             cmd-forwarder-vpp/networkservicemesh#681

Signed-off-by: Laszlo Kiraly <laszlo.kiraly@est.tech>
ljkiraly committed Oct 3, 2022
1 parent f427400 commit 30961cc
Showing 2 changed files with 20 additions and 0 deletions.
7 changes: 7 additions & 0 deletions apps/forwarder-vpp/forwarder.yaml
@@ -24,6 +24,13 @@ spec:
name: forwarder-vpp
securityContext:
privileged: true
runAsNonRoot: true
runAsUser: 10001
runAsGroup: 10001
capabilities:
drop:
- ALL
add: ["DAC_OVERRIDE", "SYS_ADMIN", "NET_ADMIN", "IPC_LOCK", "NET_RAW", "SYS_PTRACE", "SETGID"]
env:
- name: SPIFFE_ENDPOINT_SOCKET
value: unix:///run/spire/sockets/agent.sock
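Review bot: `privileged: true` is left in place directly above the new `capabilities` block, so the `drop: [ALL]` / `add: [...]` list has no practical effect in this hunk: a privileged container is started with every capability regardless of what the `capabilities` field says. Either the narrowed list is the intent and `privileged` should be removed (ideally with a comment on which of DAC_OVERRIDE, SYS_ADMIN, NET_ADMIN, IPC_LOCK, NET_RAW, SYS_PTRACE and SETGID the VPP data plane actually needs), or privileged mode is still required, in which case a YAML comment saying so and that the list documents the target set would stop the next reader from assuming the forwarder is confined. `runAsNonRoot: true` with `runAsUser: 10001` also only works if the image's entrypoint and its writable paths are usable by that UID; a note on what DAC_OVERRIDE is covering would make that reviewable.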
13 changes: 13 additions & 0 deletions apps/nsmgr/nsmgr.yaml
@@ -16,6 +16,10 @@ spec:
"spiffe.io/spiffe-id": "true"
spec:
serviceAccount: nsmgr-sa
securityContext:
runAsNonRoot: true
runAsUser: 10001
runAsGroup: 10001
containers:
- image: ghcr.io/networkservicemesh/ci/cmd-nsmgr:5b232e8
imagePullPolicy: IfNotPresent
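Review bot: the pod-level `securityContext` (`runAsNonRoot: true`, `runAsUser: 10001`, `runAsGroup: 10001`) applies to every container in the pod, including the `exclude-prefixes` container further down, so both images must be runnable as UID 10001 and anything they touch on mounted volumes (the `spire-agent-socket` hostPath being the obvious one) must be readable and writable by that UID or group. A short comment on why 10001 was chosen and whether it matches the UID the images are built with would help; if the socket is the reason DAC_OVERRIDE is added to the nsmgr container below, fixing the socket's group ownership or mode on the host (fsGroup does not apply to hostPath volumes) would be the narrower fix.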
@@ -81,6 +85,11 @@ spec:
command: ["/bin/grpc-health-probe", "-spiffe", "-addr=:5001"]
failureThreshold: 25
periodSeconds: 5
securityContext:
capabilities:
drop:
- ALL
add: ["DAC_OVERRIDE"]
- image: ghcr.io/networkservicemesh/ci/cmd-exclude-prefixes-k8s:454b980
imagePullPolicy: IfNotPresent
name: exclude-prefixes
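Review bot: the nsmgr container gets `drop: [ALL]` plus `add: ["DAC_OVERRIDE"]`, but nothing records which path requires it. DAC_OVERRIDE bypasses every discretionary read/write/execute permission check, so for a process already running as UID 10001 it amounts to root-level file access within the container's mounts; if it is only there for the SPIRE agent socket under the `spire-agent-socket` hostPath, aligning that socket's group or mode with the UID/GID the pod runs as would let this capability be dropped too. The block also lacks `allowPrivilegeEscalation: false`; without it, dropping capabilities still leaves setuid binaries and file capabilities in the image usable, so adding it here would complete the hardening this hunk starts.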
@@ -94,6 +103,10 @@ spec:
limits:
memory: 40Mi
cpu: 75m
securityContext:
capabilities:
drop:
- ALL
volumes:
- name: spire-agent-socket
hostPath:
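Review bot: `exclude-prefixes` drops all capabilities, which is the right default, but the `securityContext` block stops there; `allowPrivilegeEscalation: false` (and `readOnlyRootFilesystem: true` if the image does not need to write to its root filesystem) would complete it and keep this container consistent with the tighter profile the commit is aiming for. Since this container inherits the pod-level UID 10001 and adds no capability back, it is also the one to verify first in CI that it actually starts and runs under the new context.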
