Skip to content

Commit

Permalink
feat: set security capabilities for azwi-proxy
Browse files Browse the repository at this point in the history
Signed-off-by: Anish Ramasekar <[email protected]>
  • Loading branch information
aramase committed Apr 12, 2023
1 parent 6cea9db commit aace9aa
Show file tree
Hide file tree
Showing 2 changed files with 18 additions and 0 deletions.
9 changes: 9 additions & 0 deletions pkg/webhook/webhook.go
Original file line number Diff line number Diff line change
Expand Up @@ -251,6 +251,15 @@ func (m *podMutator) injectProxySidecarContainer(containers []corev1.Container,
},
},
},
SecurityContext: &corev1.SecurityContext{
AllowPrivilegeEscalation: pointer.Bool(false),
Capabilities: &corev1.Capabilities{
Drop: []corev1.Capability{"ALL"},
},
Privileged: pointer.Bool(false),
ReadOnlyRootFilesystem: pointer.Bool(true),
RunAsNonRoot: pointer.Bool(true),
},
})

return containers
Expand Down
9 changes: 9 additions & 0 deletions pkg/webhook/webhook_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -1092,6 +1092,15 @@ func TestInjectProxySidecarContainer(t *testing.T) {
},
},
},
SecurityContext: &corev1.SecurityContext{
AllowPrivilegeEscalation: pointer.Bool(false),
Capabilities: &corev1.Capabilities{
Drop: []corev1.Capability{"ALL"},
},
Privileged: pointer.Bool(false),
ReadOnlyRootFilesystem: pointer.Bool(true),
RunAsNonRoot: pointer.Bool(true),
},
}

tests := []struct {
Expand Down

0 comments on commit aace9aa

Please sign in to comment.