
Commit b1865f4

feat: set allowPrivilegeEscalation: false and drop capabilities
1 parent 96397e0 commit b1865f4

3 files changed

+33
-1
lines changed

charts/steadybit-extension-http/Chart.yaml

+1-1
@@ -1,7 +1,7 @@
11
apiVersion: v2
22
name: steadybit-extension-http
33
description: Steadybit action implementation to check HTTP endpoints.
4-
version: 1.0.14
4+
version: 1.0.15
55
appVersion: latest
66
home: https://www.steadybit.com/
77
icon: https://steadybit-website-assets.s3.amazonaws.com/logo-symbol-transparent.png
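
Review bot: The bump from 1.0.14 to 1.0.15 is patch-level, yet the commit is labelled feat: and changes what the rendered container is allowed to do at runtime, and none of the three changed files is a changelog or README. Consider a release note stating that the container now runs with allowPrivilegeEscalation: false and with all capabilities dropped, so operators who upgrade know where to look if the extension fails to start. Because appVersion: latest leaves the image unpinned, it is also worth confirming that the current image starts under the new constraints before publishing the chart.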

charts/steadybit-extension-http/templates/deployment.yaml

+4
@@ -64,6 +64,10 @@ spec:
6464
runAsNonRoot: true
6565
runAsUser: 10000
6666
runAsGroup: 10000
67+
allowPrivilegeEscalation: false
68+
capabilities:
69+
drop:
70+
- ALL
6771
volumes:
6872
{{- include "extensionlib.deployment.volumes" (list .) | nindent 8 }}
6973
serviceAccountName: {{ .Values.serviceAccount.name }}
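
Review bot: The two fields added after runAsGroup: 10000 are written as literals in the template, so an operator cannot adjust them from values without forking the chart. Consider rendering the container securityContext from a values key, with allowPrivilegeEscalation: false and capabilities.drop: [ALL] as the defaults. If the goal is to satisfy the Kubernetes Pod Security Standards restricted profile, that profile also requires a seccompProfile of type RuntimeDefault or Localhost, which does not appear in the lines shown here.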

charts/steadybit-extension-http/tests/__snapshot__/deployment_test.yaml.snap

+28
@@ -46,6 +46,10 @@ manifest should match snapshot using podAnnotations and Labels:
4646
cpu: 50m
4747
memory: 32Mi
4848
securityContext:
49+
allowPrivilegeEscalation: false
50+
capabilities:
51+
drop:
52+
- ALL
4953
readOnlyRootFilesystem: true
5054
runAsGroup: 10000
5155
runAsNonRoot: true
@@ -103,6 +107,10 @@ manifest should match snapshot with TLS:
103107
cpu: 50m
104108
memory: 32Mi
105109
securityContext:
110+
allowPrivilegeEscalation: false
111+
capabilities:
112+
drop:
113+
- ALL
106114
readOnlyRootFilesystem: true
107115
runAsGroup: 10000
108116
runAsNonRoot: true
@@ -170,6 +178,10 @@ manifest should match snapshot with extra env vars:
170178
cpu: 50m
171179
memory: 32Mi
172180
securityContext:
181+
allowPrivilegeEscalation: false
182+
capabilities:
183+
drop:
184+
- ALL
173185
readOnlyRootFilesystem: true
174186
runAsGroup: 10000
175187
runAsNonRoot: true
@@ -225,6 +237,10 @@ manifest should match snapshot with extra labels:
225237
cpu: 50m
226238
memory: 32Mi
227239
securityContext:
240+
allowPrivilegeEscalation: false
241+
capabilities:
242+
drop:
243+
- ALL
228244
readOnlyRootFilesystem: true
229245
runAsGroup: 10000
230246
runAsNonRoot: true
@@ -284,6 +300,10 @@ manifest should match snapshot with mutual TLS:
284300
cpu: 50m
285301
memory: 32Mi
286302
securityContext:
303+
allowPrivilegeEscalation: false
304+
capabilities:
305+
drop:
306+
- ALL
287307
readOnlyRootFilesystem: true
288308
runAsGroup: 10000
289309
runAsNonRoot: true
@@ -357,6 +377,10 @@ manifest should match snapshot with mutual TLS using containerPaths:
357377
cpu: 50m
358378
memory: 32Mi
359379
securityContext:
380+
allowPrivilegeEscalation: false
381+
capabilities:
382+
drop:
383+
- ALL
360384
readOnlyRootFilesystem: true
361385
runAsGroup: 10000
362386
runAsNonRoot: true
@@ -410,6 +434,10 @@ manifest should match snapshot without TLS:
410434
cpu: 50m
411435
memory: 32Mi
412436
securityContext:
437+
allowPrivilegeEscalation: false
438+
capabilities:
439+
drop:
440+
- ALL
413441
readOnlyRootFilesystem: true
414442
runAsGroup: 10000
415443
runAsNonRoot: true
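
Review bot: All seven snapshot hunks add the same four lines under securityContext, which shows that the fields render in every test case, but a snapshot only records output and will accept whatever is regenerated next time. Add an explicit assertion in the deployment test that allowPrivilegeEscalation is false and that capabilities.drop contains ALL, so that removing the hardening later fails a named test instead of producing a quiet snapshot diff.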
