fix: set securitycontext for server to something more secure

Signed-off-by: chgl <chgl@users.noreply.github.com>
2021-04-26 22:12:45 +02:00 · 2021-04-26 22:12:45 +02:00 · db34ae67b6
commit db34ae67b6
parent b652bdd757
2 changed files with 9 additions and 0 deletions
--- a/charts/argo-workflows/templates/server/server-deployment.yaml
+++ b/charts/argo-workflows/templates/server/server-deployment.yaml
@ -32,6 +32,8 @@ spec:
        - name: argo-server
          image: "{{ .Values.server.image.registry }}/{{ .Values.server.image.repository }}:{{ .Values.server.image.tag | default .Chart.AppVersion }}"
          imagePullPolicy: {{ .Values.images.pullPolicy }}
+          securityContext:
+            {{- toYaml .Values.server.securityContext | nindent 12 }}
          args:
          - server
          - --configmap={{ .Release.Name }}-{{ .Values.controller.name }}-configmap
--- a/charts/argo-workflows/values.yaml
+++ b/charts/argo-workflows/values.yaml
@ -172,6 +172,13 @@ server:
  podLabels: {}
  # SecurityContext to set on the server pods
  podSecurityContext: {}
+  securityContext:
+    readOnlyRootFilesystem: false
+    runAsNonRoot: true
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - ALL
  name: server
  serviceType: ClusterIP
  servicePort: 2746