Merge pull request #1366 from dod-ccpo/disable-pod-escalation

Disable container privilege escalation.
2020-01-29 09:12:53 -05:00 · 2020-01-29 09:12:53 -05:00 · 5d8ee82a31
commit 5d8ee82a31
parent 08f42e7a8a 81a41a632a
3 changed files with 12 additions and 0 deletions
--- a/deploy/azure/azure.yml
+++ b/deploy/azure/azure.yml
@ -29,6 +29,8 @@ spec:
      containers:
        - name: atst
          image: $CONTAINER_IMAGE
          securityContext:
            allowPrivilegeEscalation: false
          env:
            - name: UWSGI_PROCESSES
              value: "2"
@ -64,6 +66,8 @@ spec:
              cpu: 940m
        - name: nginx
          image: nginx:alpine
          securityContext:
            allowPrivilegeEscalation: false
          ports:
            - containerPort: 8342
              name: main-upgrade
@ -189,6 +193,8 @@ spec:
      containers:
        - name: atst-worker
          image: $CONTAINER_IMAGE
          securityContext:
            allowPrivilegeEscalation: false
          args:
            [
              "/opt/atat/atst/.venv/bin/python",
@ -261,6 +267,8 @@ spec:
      containers:
        - name: atst-beat
          image: $CONTAINER_IMAGE
          securityContext:
            allowPrivilegeEscalation: false
          args:
            [
              "/opt/atat/atst/.venv/bin/python",
--- a/deploy/azure/crls-sync.yaml
+++ b/deploy/azure/crls-sync.yaml
@ -20,6 +20,8 @@ spec:
          containers:
          - name: crls
            image: $CONTAINER_IMAGE
            securityContext:
              allowPrivilegeEscalation: false
            command: [
              "/bin/sh", "-c"
            ]
--- a/deploy/shared/migration.yaml
+++ b/deploy/shared/migration.yaml
@ -16,6 +16,8 @@ spec:
      containers:
      - name: migration
        image: $CONTAINER_IMAGE
        securityContext:
          allowPrivilegeEscalation: false
        command: [
          "/bin/sh", "-c"
        ]