primary-site: restrict security context more#152

Merged
bennetthardwick merged 3 commits into main from bennett/add-more-security-context
Nov 17, 2025

@bennetthardwick
Contributor

Changelog

  • Restrict security context more with readonly root fs, dropped capabilities and seccomp profile

Docs

None

Description

Ensures the following is set for all pods:

```yaml
securityContext:
  readOnlyRootFilesystem: true
  capabilities:
    drop:
      - ALL
  seccompProfile:
    type: RuntimeDefault
```
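
An added example, not part of the pull request or the project's code: a Python check that every container and init container in a Pod spec carries the three settings listed above. It assumes the spec is already loaded as a dict and that `seccompProfile` may be inherited from the pod-level `securityContext`; the sample specs and container names are constructed.

```python
REQUIRED_SECCOMP = "RuntimeDefault"

def audit_pod_spec(pod_spec):
    """Return (container_name, problem) tuples for a Pod spec given as a dict."""
    findings = []
    # seccompProfile can be set once at pod level and inherited by containers.
    pod_sc = pod_spec.get("securityContext") or {}
    pod_seccomp = (pod_sc.get("seccompProfile") or {}).get("type")
    containers = (pod_spec.get("initContainers") or []) + (pod_spec.get("containers") or [])
    for c in containers:
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        # readOnlyRootFilesystem and capabilities exist only at container level.
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append((name, "readOnlyRootFilesystem is not true"))
        dropped = (sc.get("capabilities") or {}).get("drop") or []
        if "ALL" not in dropped:
            findings.append((name, "capabilities.drop does not include ALL"))
        # A container-level seccompProfile overrides the pod-level one.
        seccomp = (sc.get("seccompProfile") or {}).get("type", pod_seccomp)
        if seccomp != REQUIRED_SECCOMP:
            findings.append((name, f"seccompProfile.type is {seccomp!r}"))
    return findings

# Constructed sample specs (not taken from the repository).
_HARDENED_SC = {
    "readOnlyRootFilesystem": True,
    "capabilities": {"drop": ["ALL"]},
    "seccompProfile": {"type": "RuntimeDefault"},
}
HARDENED = {"containers": [{"name": "web", "securityContext": _HARDENED_SC}]}
MIXED = {
    "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
    "initContainers": [{"name": "migrate", "securityContext": {
        "readOnlyRootFilesystem": True, "capabilities": {"drop": ["ALL"]}}}],
    "containers": [{"name": "web", "securityContext": {
        "capabilities": {"drop": ["NET_RAW"]}}}],
}
BARE = {"containers": [{"name": "sidecar"}]}

if __name__ == "__main__":
    for label, spec in (("hardened", HARDENED), ("mixed", MIXED), ("bare", BARE)):
        print(label, audit_pod_spec(spec))
```
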

@bennetthardwick
Contributor Author

Tested this with a GCS cluster and seems to be working fine.

@bennetthardwick bennetthardwick marked this pull request as ready for review November 14, 2025 02:03
@bennetthardwick bennetthardwick merged commit 9d8e9c7 into main Nov 17, 2025
3 checks passed
@bennetthardwick bennetthardwick deleted the bennett/add-more-security-context branch November 17, 2025 03:04