seccomp profile

Author: bennetthardwick

charts/primary-site/templates/cronjobs/garbage-collector.yaml

@@ -34,10 +34,16 @@ spec:
             - name: garbage-collector
               image: {{ .Values.garbageCollector.deployment.image }}:{{ .Chart.AppVersion }}
               securityContext:
+                readOnlyRootFilesystem: true
+                capabilities:
+                  drop:
+                    - ALL
                 allowPrivilegeEscalation: false
                 runAsNonRoot: true
                 runAsUser: 65534
                 runAsGroup: 65534
+                seccompProfile:
+                  type: RuntimeDefault
               volumeMounts:
                 - mountPath: /secrets
                   name: cloud-credentials

charts/primary-site/templates/deployments/_inbox-container.tpl

@@ -49,6 +49,8 @@ template:
           runAsNonRoot: true
           runAsUser: 65534
           runAsGroup: 65534
+          seccompProfile:
+            type: RuntimeDefault
         resources:
           requests:
             cpu: {{ .Values.inboxListener.deployment.resources.requests.cpu }}

charts/primary-site/templates/deployments/query-server.yaml

@@ -52,6 +52,8 @@ spec:
             runAsNonRoot: true
             runAsUser: 65534
             runAsGroup: 65534
+            seccompProfile:
+              type: RuntimeDefault
           resources:
             requests:
               cpu: {{ $values.deployment.resources.requests.cpu }}

charts/primary-site/templates/deployments/site-controller.yaml

@@ -44,6 +44,8 @@ spec:
             runAsNonRoot: true
             runAsUser: 65534
             runAsGroup: 65534
+            seccompProfile:
+              type: RuntimeDefault
           resources:
             requests:
               cpu: {{ .Values.siteController.deployment.resources.requests.cpu }}