

More polex
stone-z committed Dec 20, 2024
1 parent 45c1ae7 commit eebff0c
Showing 2 changed files with 17 additions and 4 deletions.
16 changes: 14 additions & 2 deletions helm/1password-scim-bridge/templates/kyverno-policy-exception.yaml
Expand Up @@ -14,10 +14,22 @@ metadata:
{{ include "onepassword-scim-bridge-helpers.labels" . | nindent 4 }}
spec:
exceptions:
- policyName: disallow-privileged-containers
ruleNames:
- autogen-privileged-containers
- privileged-containers
- policyName: disallow-privilege-escalation
ruleNames:
- autogen-privilege-escalation
- privilege-escalation
- policyName: require-run-as-non-root-user
ruleNames:
- autogen-run-as-non-root-user
- run-as-non-root-user
- policyName: require-run-as-nonroot
ruleNames:
- autogen-run-as-non-root
- run-as-non-root
- autogen-run-as-non-root
- run-as-non-root
match:
any:
- resources:
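Review bot: The new exceptions for `disallow-privileged-containers` and `disallow-privilege-escalation` waive the two most consequential Pod Security controls, and nothing in the template records which container needs them or why; a template comment above `exceptions:` such as `{{- /* privileged / privilege-escalation exceptions exist for the init container only — see initContainerSecurityContext in values.yaml; reason: <TODO> */ -}}` would keep that rationale next to the waiver. A PolicyException applies to every resource selected by `match`, which starts at the end of this hunk and continues outside it, so confirm that block pins the exception to the SCIM bridge workload by kind, name and namespace rather than a label-only or wildcard selector, otherwise any other workload matching it in the release namespace inherits the same waivers. It is also worth checking that both `require-run-as-non-root-user` and `require-run-as-nonroot` are actually deployed in the cluster; an exception for an absent policy is harmless but misleads the next reader about which controls are being relaxed.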
5 changes: 3 additions & 2 deletions helm/1password-scim-bridge/values.yaml
Expand Up @@ -25,11 +25,11 @@ op-scim-bridge:
imageRepository: quay.io/giantswarm/scim

initContainerSecurityContext:
allowPrivilegeEscalation: false
allowPrivilegeEscalation: true
capabilities:
drop:
- ALL
privileged: false
privileged: true
readOnlyRootFilesystem: false
runAsNonRoot: false
seccompProfile:
Expand All @@ -49,6 +49,7 @@ op-scim-bridge:
type: RuntimeDefault

podSecurityContext:
fsGroup: 999
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
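Review bot: `privileged: true` together with `allowPrivilegeEscalation: true` in `initContainerSecurityContext` (the paired lines suggest both are flipped from `false`, though the rendered page does not mark old and new sides) gives the init container the full capability set and host device access, which makes the `capabilities.drop: [ALL]` directly below largely ineffective and, with the unchanged `runAsNonRoot: false` and `readOnlyRootFilesystem: false`, leaves it one step from the node. If the init step only needs to fix ownership or permissions on a mounted volume, the `fsGroup: 999` added in the second hunk of this file may already cover it and `privileged` could stay `false`; if a specific capability is genuinely required, grant only that one under `capabilities.add` instead of privileged mode. In either case add a comment above `initContainerSecurityContext:`, e.g. `# init container runs privileged because <reason — TODO>; waived via templates/kyverno-policy-exception.yaml`, since values.yaml is the user-facing contract and the commit message does not explain the change.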
