Specify securityContext for cert-manager (#9404)

On hardening environments, cert-manager pods could not be created from the corresponding deployments. This adds the securityContext to solve the issue.

Specify securityContext for cert-manager (#9404)
0374a55e · Kenichi Omichi · GitHub · ccbe38f7 · 0374a55e
Unverified Commit 0374a55e authored 2 years ago by Kenichi Omichi Committed by GitHub 2 years ago
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.yml.j2
@@ -870,6 +870,11 @@ spec:
                fieldPath: metadata.namespace
          securityContext:
            allowPrivilegeEscalation: false
+            capabilities:
+              drop: ['ALL']
+            runAsNonRoot: true
+            seccompProfile:
+              type: RuntimeDefault
 {% if cert_manager_tolerations %}
      tolerations:
        {{ cert_manager_tolerations | to_nice_yaml(indent=2) | indent(width=8) }}
@@ -944,6 +949,11 @@ spec:
            protocol: TCP
          securityContext:
            allowPrivilegeEscalation: false
+            capabilities:
+              drop: ['ALL']
+            runAsNonRoot: true
+            seccompProfile:
+              type: RuntimeDefault
          env:
          - name: POD_NAMESPACE
            valueFrom:
@@ -1040,6 +1050,11 @@ spec:
            failureThreshold: 3
          securityContext:
            allowPrivilegeEscalation: false
+            capabilities:
+              drop: ['ALL']
+            runAsNonRoot: true
+            seccompProfile:
+              type: RuntimeDefault
          env:
          - name: POD_NAMESPACE
            valueFrom: