
restrict cjs by PSS restricted checks (#5904)

Signed-off-by: ShutingZhao <shuting@nirmata.com>

Signed-off-by: ShutingZhao <shuting@nirmata.com>
This commit is contained in:
shuting 2023-01-06 22:18:39 +08:00 committed by GitHub
parent c0875f16e6
commit c5277ccc44
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -156,6 +156,9 @@ func (c *controller) buildCronJob(cronJob *batchv1.CronJob, pol kyvernov2alpha1.
}
var successfulJobsHistoryLimit int32 = 0
var failedJobsHistoryLimit int32 = 1
var boolFalse bool = false
var boolTrue bool = true
var int1000 int64 = 1000
// set spec
cronJob.Spec = batchv1.CronJobSpec{
Schedule: pol.GetSpec().Schedule,
@ -178,6 +181,17 @@ func (c *controller) buildCronJob(cronJob *batchv1.CronJob, pol kyvernov2alpha1.
// "/tmp/ca.crt",
fmt.Sprintf("%s%s?policy=%s", c.cleanupService, CleanupServicePath, policyName),
},
SecurityContext: &corev1.SecurityContext{
AllowPrivilegeEscalation: &boolFalse,
RunAsNonRoot: &boolTrue,
RunAsUser: &int1000,
SeccompProfile: &corev1.SeccompProfile{
Type: corev1.SeccompProfileTypeRuntimeDefault,
},
Capabilities: &corev1.Capabilities{
Drop: []corev1.Capability{"ALL"},
},
},
},
},
},
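Review bot: `RunAsUser: &int1000` in the second hunk hard-codes UID 1000 with nothing saying where that value comes from; the restricted profile only needs runAsNonRoot, so if the cleanup image already runs as a non-root user the line is redundant and if it runs as a different UID it silently overrides it, so either drop it or replace `var int1000 int64 = 1000` in the first hunk with a named, commented constant such as `const cleanupContainerUID int64 = 1000 // UID the cleanup image runs as — TODO confirm against the image`. The `var boolFalse bool = false` / `var boolTrue bool = true` declarations spell out a type that `:=` already infers and exist only so their addresses can be taken; if the module already depends on k8s.io/utils, `pointer.Bool(false)`, `pointer.Bool(true)` and `pointer.Int64(...)` at the use sites remove all three helpers. The container-level SecurityContext otherwise covers the restricted-profile container fields visible here (allowPrivilegeEscalation, runAsNonRoot, seccompProfile, capabilities drop ALL); any pod-level settings are outside this hunk. buildCronJob begins before the first hunk and ends after the second, so the rest of the CronJob spec is not visible here.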