From eebff0c2ce1334f40aee0b7d302322d90540c67f Mon Sep 17 00:00:00 2001
From: Zach Stone
Date: Fri, 20 Dec 2024 15:42:57 -0500
Subject: [PATCH] More polex

---
 .../templates/kyverno-policy-exception.yaml | 16 ++++++++++++++--
 helm/1password-scim-bridge/values.yaml      |  5 +++--
 2 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/helm/1password-scim-bridge/templates/kyverno-policy-exception.yaml b/helm/1password-scim-bridge/templates/kyverno-policy-exception.yaml
index d9e9ddb..51e8f63 100644
--- a/helm/1password-scim-bridge/templates/kyverno-policy-exception.yaml
+++ b/helm/1password-scim-bridge/templates/kyverno-policy-exception.yaml
@@ -14,10 +14,22 @@ metadata:
     {{ include "onepassword-scim-bridge-helpers.labels" . | nindent 4 }}
 spec:
   exceptions:
+    - policyName: disallow-privileged-containers
+      ruleNames:
+        - autogen-privileged-containers
+        - privileged-containers
+    - policyName: disallow-privilege-escalation
+      ruleNames:
+        - autogen-privilege-escalation
+        - privilege-escalation
+    - policyName: require-run-as-non-root-user
+      ruleNames:
+        - autogen-run-as-non-root-user
+        - run-as-non-root-user
     - policyName: require-run-as-nonroot
       ruleNames:
-      - autogen-run-as-non-root
-      - run-as-non-root
+        - autogen-run-as-non-root
+        - run-as-non-root
   match:
     any:
       - resources:
diff --git a/helm/1password-scim-bridge/values.yaml b/helm/1password-scim-bridge/values.yaml
index 9925fc9..0b97ebd 100644
--- a/helm/1password-scim-bridge/values.yaml
+++ b/helm/1password-scim-bridge/values.yaml
@@ -25,11 +25,11 @@ op-scim-bridge:
     imageRepository: quay.io/giantswarm/scim
 
   initContainerSecurityContext:
-    allowPrivilegeEscalation: false
+    allowPrivilegeEscalation: true
     capabilities:
       drop:
         - ALL
-    privileged: false
+    privileged: true
     readOnlyRootFilesystem: false
     runAsNonRoot: false
     seccompProfile:
@@ -49,6 +49,7 @@ op-scim-bridge:
       type: RuntimeDefault
 
   podSecurityContext:
+    fsGroup: 999
     runAsNonRoot: true
     seccompProfile:
       type: RuntimeDefault
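Review bot: The three new exception entries (disallow-privileged-containers, disallow-privilege-escalation, require-run-as-non-root-user) exempt every container of the matched resource from Kyverno's privileged and privilege-escalation rules, but nothing in the hunk records which container needs them or why; a short comment above the first new entry would keep the exception from outliving its reason, e.g. `# Needed by the init container, which runs privileged to <REASON — fill in>; remove once that is no longer required`. The match block that scopes this PolicyException starts at the end of the hunk and continues outside it, so it is worth confirming it restricts the exception to this chart's workload by namespace and name rather than a broader selector. Two near-duplicate policy names now appear side by side (`require-run-as-non-root-user` and `require-run-as-nonroot`); if these are two generations of the same policy library rule, a one-line comment saying so would prevent a future cleanup from dropping the one that is actually installed.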
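Review bot: `privileged: true` on the init container makes the surrounding `capabilities.drop: [ALL]` ineffective, since Kubernetes grants a privileged container the full capability set and host device access regardless of the drop list, so the retained drop stanza now documents an intent the runtime no longer enforces. If the init step needs a single capability, the narrower form is to keep `privileged: false`, keep `allowPrivilegeEscalation: true`, and add `capabilities.add: [<CAP — fill in>]`; if it really needs full privilege, a values comment naming the reason is the minimum, e.g. `# privileged: init container requires host-level access for <REASON — fill in>`. The `fsGroup: 999` added in the last hunk suggests the pod may be fixing volume ownership; if that is what the init container does, fsGroup may remove the need for privilege altogether, which is worth checking before merging. The commit message "More polex" does not record the motivation for either change.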