chore: Add securitycontext for PSS PoC (rootless Kubeflow) (#2939)

* chore: Add securitycontext for PSS PoC (rootless Kubeflow) Signed-off-by: biswassri <[email protected]> * update PSS for dex Signed-off-by: biswassri <[email protected]> * reverse volume-mount change for dex-deploy Signed-off-by: biswassri <[email protected]> * alignment change for dex Signed-off-by: biswassri <[email protected]> * remove patches from contrib/security Signed-off-by: biswassri <[email protected]> --------- Signed-off-by: biswassri <[email protected]>
kubeflow · Jan 20, 2025 · 26dadec · 26dadec
1 parent 7fa1a5b
commit 26dadec
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 36 deletions.
diff --git a/common/dex/base/deployment.yaml b/common/dex/base/deployment.yaml
@@ -22,6 +22,14 @@ spec:
         ports:
         - name: http
           containerPort: 5556
+        securityContext:
+          allowPrivilegeEscalation: false
+          seccompProfile:
+            type: RuntimeDefault
+          runAsNonRoot: true
+          capabilities:
+            drop:
+            - ALL
         volumeMounts:
         - name: config
           mountPath: /etc/dex/cfg

diff --git a/common/oauth2-proxy/base/deployment.yaml b/common/oauth2-proxy/base/deployment.yaml
@@ -70,6 +70,14 @@ spec:
             configMapKeyRef:
               name: oauth2-proxy-parameters
               key: EXTRA_JWT_ISSUERS
+        securityContext:
+          allowPrivilegeEscalation: false
+          seccompProfile:
+            type: RuntimeDefault
+          runAsNonRoot: true
+          capabilities:
+            drop:
+            - ALL
         volumeMounts:
         - name: oauth2-proxy-config
           mountPath: /etc/oauth2_proxy/oauth2_proxy.cfg

diff --git a/contrib/security/PSS/patches/dex.yaml b/contrib/security/PSS/patches/dex.yaml
diff --git a/contrib/security/PSS/patches/oauth2-proxy.yaml b/contrib/security/PSS/patches/oauth2-proxy.yaml