outposts: set k8s deployment security context (#5163)

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Jens L 2023-04-05 13:36:46 +02:00 committed by GitHub
parent bb464aad50
commit 132a353b92
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 16 additions and 0 deletions


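--- a/<file path not shown on page>
+++ b/<file path not shown on page>
@@ -4,6 +4,7 @@ from typing import TYPE_CHECKING
 from django.utils.text import slugify
 from kubernetes.client import (
     AppsV1Api,
+    V1Capabilities,
     V1Container,
     V1ContainerPort,
     V1Deployment,
@@ -13,9 +14,12 @@ from kubernetes.client import (
     V1LabelSelector,
     V1ObjectMeta,
     V1ObjectReference,
+    V1PodSecurityContext,
     V1PodSpec,
     V1PodTemplateSpec,
+    V1SeccompProfile,
     V1SecretKeySelector,
+    V1SecurityContext,
 )
 from authentik import __version__, get_full_version
@@ -103,6 +107,12 @@ class DeploymentReconciler(KubernetesObjectReconciler[V1Deployment]):
                     image_pull_secrets=[
                         V1ObjectReference(name=secret) for secret in image_pull_secrets
                     ],
+                    security_context=V1PodSecurityContext(
+                        run_as_non_root=True,
+                        seccomp_profile=V1SeccompProfile(
+                            type="RuntimeDefault",
+                        ),
+                    ),
                     containers=[
                         V1Container(
                             name=str(self.outpost.type),
@@ -146,6 +156,12 @@ class DeploymentReconciler(KubernetesObjectReconciler[V1Deployment]):
                                 ),
                             ),
                         ],
+                        security_context=V1SecurityContext(
+                            allow_privilege_escalation=False,
+                            capabilities=V1Capabilities(
+                                drop=["ALL"],
+                            ),
+                        ),
                         )
                     ],
                 ),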
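Review bot: The pod-level `run_as_non_root=True` in the third hunk is set without an accompanying `run_as_user`, so the non-root guarantee rests entirely on the container image declaring a numeric non-root USER; the kubelet refuses to start a container whose image USER is unset, `0`, or a non-numeric name when this flag is on, which turns a hardening change into a start failure for anyone pointing the deployment at a different image. If the image is meant to be fixed, a comment stating the assumption would help, e.g. `# relies on the image declaring a numeric non-root USER; kubelet rejects the container otherwise`; if it is operator-configurable, consider pinning `run_as_user` alongside it so the check does not depend on the image. The container-level context in the fourth hunk covers privilege escalation and capabilities, but `read_only_root_filesystem` is the remaining hardening field not set there and is worth evaluating if the outpost does not write to its own filesystem. The enclosing method starts and ends outside the hunks.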