update pod security context and switch to higher port

2025-03-31 03:45:17 +00:00 · 2020-10-22 00:41:25 -07:00 · 2020-10-22 00:41:25 -07:00 · ac2ab7b74e
commit ac2ab7b74e
parent 704e1aadd0
2 changed files with 31 additions and 12 deletions
--- a/definitions/install.yaml
+++ b/definitions/install.yaml
@ -1043,7 +1043,7 @@ metadata:
 spec:
  ports:
  - port: 443
-    targetPort: 443
+    targetPort: 9443
  selector:
    app: kyverno
 ---
@ -1064,10 +1064,13 @@ spec:
      labels:
        app: kyverno
    spec:
+      hostNetwork: false
+      hostPID: false
+      hostIPC: false
      containers:
      - args:
        - --filterK8Resources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*]
-        - -v=2
+        - -v=3
        env:
        - name: INIT_CONFIG
          value: init-config
@ -1077,13 +1080,13 @@ spec:
              fieldPath: metadata.namespace
        - name: KYVERNO_SVC
          value: kyverno-svc
-        image: nirmata/kyverno:v1.2.0
-        imagePullPolicy: Always
+        image: nirmata/kyverno:v1.2.0-22-g704e1aad
+        imagePullPolicy: Never
        livenessProbe:
          failureThreshold: 4
          httpGet:
            path: /health/liveness
-            port: 443
+            port: 9443
            scheme: HTTPS
          initialDelaySeconds: 5
          periodSeconds: 10
@ -1091,12 +1094,12 @@ spec:
          timeoutSeconds: 5
        name: kyverno
        ports:
-        - containerPort: 443
+        - containerPort: 9443
        readinessProbe:
          failureThreshold: 4
          httpGet:
            path: /health/readiness
-            port: 443
+            port: 9443
            scheme: HTTPS
          initialDelaySeconds: 5
          periodSeconds: 10
@ -1108,8 +1111,24 @@ spec:
          requests:
            cpu: 100m
            memory: 50Mi
+        securityContext:
+          runAsUser: 1000
+          runAsNonRoot: true
+          privileged: false
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+              - all
      initContainers:
      - image: nirmata/kyvernopre:v1.2.0
        imagePullPolicy: Always
        name: kyverno-pre
+        securityContext:
+          runAsUser: 1000
+          runAsNonRoot: true
+          privileged: false
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+              - all
      serviceAccountName: kyverno-service-account
--- a/pkg/webhooks/server.go
+++ b/pkg/webhooks/server.go
@ -44,7 +44,7 @@ import (

 // WebhookServer contains configured TLS server with MutationWebhook.
 type WebhookServer struct {
-	server        http.Server
+	server        *http.Server
 	client        *client.Client
 	kyvernoClient *kyvernoclient.Clientset

@ -209,8 +209,8 @@ func NewWebhookServer(
 		w.WriteHeader(http.StatusOK)
 	})

-	ws.server = http.Server{
-		Addr:         ":443", // Listen on port for HTTPS requests
+	ws.server = &http.Server{
+		Addr:         ":9443", // Listen on port for HTTPS requests
 		TLSConfig:    &tlsConfig,
 		Handler:      mux,
 		ReadTimeout:  15 * time.Second,
@ -507,12 +507,12 @@ func (ws *WebhookServer) RunAsync(stopCh <-chan struct{}) {
 		logger.Info("failed to sync informer cache")
 	}

-	go func(ws *WebhookServer) {
+	go func () {
 		logger.V(3).Info("started serving requests", "addr", ws.server.Addr)
 		if err := ws.server.ListenAndServeTLS("", ""); err != http.ErrServerClosed {
 			logger.Error(err, "failed to listen to requests")
 		}
-	}(ws)
+	}()
 	logger.Info("starting")

 	// verifies if the admission control is enabled and active