

Securitycontext
stone-z committed Dec 20, 2024
1 parent 00bcc3b commit b143c15
Showing 2 changed files with 43 additions and 3 deletions.
Expand Up @@ -45,6 +45,10 @@ spec:
serviceAccountName: {{ tpl .Values.scim.name . }}
{{- end }}
{{- end }}
securityContext:
{{- with .Values.scim.podSecurityContext }}
{{- . | toYaml | nindent 8 }}
{{- end }}
{{- with .Values.scim.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
Expand Down Expand Up @@ -79,16 +83,20 @@ spec:
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.scim.initContainerSecurityContext }}
securityContext:
{{- . | toYaml | nindent 12 }}
{{- end }}
{{- end }}
containers:
- name: {{ tpl .Values.scim.name . }}
image: {{ .Values.scim.imageRepository }}:{{ tpl .Values.scim.version . }}
imagePullPolicy: {{ .Values.scim.imagePullPolicy }}
command: ["/op-scim/op-scim"]
{{- with .Values.scim.containerSecurityContext }}
securityContext:
runAsUser: 999
runAsGroup: 999
allowPrivilegeEscalation: false
{{- . | toYaml | nindent 12 }}
{{- end }}
{{- with .Values.scim.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 12 }}
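Review bot: Wrapping the container securityContext in `{{- with .Values.scim.containerSecurityContext }}` means an empty or null value renders the container with no securityContext at all, whereas the lines this hunk removes (`runAsUser: 999`, `runAsGroup: 999`, `allowPrivilegeEscalation: false`) appear to have been an unconditional baseline, so a consumer setting `scim.containerSecurityContext: null` would now silently drop every hardening setting. Consider failing the render instead, e.g. an unconditional `securityContext:` followed by `{{- required "scim.containerSecurityContext must be set" .Values.scim.containerSecurityContext | toYaml | nindent 12 }}`, and the same for the initContainer block above it. The pod-level block in the first hunk is also inconsistent with these two: its `securityContext:` key sits outside the `with`, so an empty `podSecurityContext` renders a bare null key, while the two container-level blocks keep the key inside the guard. The range enclosing the initContainer block starts outside the hunk.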
32 changes: 32 additions & 0 deletions helm/1password-scim-bridge/values.yaml
@@ -1,3 +1,6 @@
# The name of this App starts with a number, which K8s doesn't allow in Service names.
# Fullname overrides are set for this chart and subcharts, but if that becomes a problem,
# it might be better to rename the whole App.
name: &name onepassword-scim-bridge

project:
Expand All @@ -16,3 +19,32 @@ op-scim-bridge:
scim:
name: *name
imageRepository: quay.io/giantswarm/scim

initContainerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault

containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault

podSecurityContext:
runAsUser: 999
runAsGroup: 999
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
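Review bot: The three new securityContext maps carry no comments, even though the pod-level `runAsUser`/`runAsGroup: 999` were previously fixed in the template and now become user-overridable values. Add a comment above each map stating that it is rendered verbatim with `toYaml` and that setting it to `null` removes the securityContext from the rendered manifest. `readOnlyRootFilesystem: true` on both containers is a runtime behavior change the values should flag as well, e.g. `# The image must tolerate a read-only root filesystem; mount an emptyDir for any path it writes to.` — confirm the scim image actually runs under this setting. The `initContainerSecurityContext` and `containerSecurityContext` maps are identical; if that is intentional, say so in the comment rather than leaving readers to diff them.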
