Improve securityContext for operator Deployment

1. Restrict container from acquiring additional privileges (`securityContext.allowPrivilegeEscalation`) 2. Mount container's root filesystem as read only (`securityContext.readOnlyRootFilesystem`) 3. Ensure that container won't be started as privileged container (`securityContext.privileged`) Issue: #591
rancher · Jul 24, 2024 · b3e6966 · b3e6966
1 parent 52e378e
commit b3e6966
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/charts/aks-operator/templates/deployment.yaml b/charts/aks-operator/templates/deployment.yaml
@@ -39,6 +39,13 @@ spec:
           value: {{ .Values.httpsProxy }}
         - name: NO_PROXY
           value: {{ .Values.noProxy }}
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          privileged: false
+          capabilities:
+            drop:
+            - ALL
 {{- if .Values.additionalTrustedCAs }}
         # aks-operator mounts the additional CAs in two places:
         volumeMounts: