Add SecurityContext to job container

Signed-off-by: raul <[email protected]>
rancher · Oct 17, 2023 · dad4c59 · dad4c59
1 parent 5f3ad58
commit dad4c59
Showing 1 changed file with 38 additions and 2 deletions.
diff --git a/internal/cmd/controller/controllers/git/git.go b/internal/cmd/controller/controllers/git/git.go
@@ -474,6 +474,16 @@ func (h *handler) OnChange(gitrepo *fleet.GitRepo, status fleet.GitRepoStatus) (
 									WorkingDir:      "/workspace/source",
 									VolumeMounts:    volumeMounts,
 									Env:             envs,
+									SecurityContext: &corev1.SecurityContext{
+										AllowPrivilegeEscalation: &[]bool{false}[0],
+										ReadOnlyRootFilesystem:   &[]bool{true}[0],
+										Privileged:               &[]bool{false}[0],
+										RunAsNonRoot:             &[]bool{true}[0],
+										SeccompProfile: &corev1.SeccompProfile{
+											Type: corev1.SeccompProfileTypeRuntimeDefault,
+										},
+										Capabilities: &corev1.Capabilities{Drop: []corev1.Capability{"ALL"}},
+									},
 								},
 							},
 							NodeSelector: map[string]string{"kubernetes.io/os": "linux"},
@@ -600,9 +610,15 @@ func volumes(
 	gitrepo *fleet.GitRepo,
 	configMap *corev1.ConfigMap,
 ) ([]corev1.Volume, []corev1.VolumeMount) {
+	const (
+		emptyDirTmpVolumeName  = "fleet-tmp-empty-dir"
+		emptyDirHomeVolumeName = "fleet-home-empty-dir"
+		configVolumeName       = "config"
+	)
+
 	volumes := []corev1.Volume{
 		{
-			Name: "config",
+			Name: configVolumeName,
 			VolumeSource: corev1.VolumeSource{
 				ConfigMap: &corev1.ConfigMapVolumeSource{
 					LocalObjectReference: corev1.LocalObjectReference{
@@ -611,13 +627,33 @@ func volumes(
 				},
 			},
 		},
+		{
+			Name: emptyDirTmpVolumeName,
+			VolumeSource: corev1.VolumeSource{
+				EmptyDir: &corev1.EmptyDirVolumeSource{},
+			},
+		},
+		{
+			Name: emptyDirHomeVolumeName,
+			VolumeSource: corev1.VolumeSource{
+				EmptyDir: &corev1.EmptyDirVolumeSource{},
+			},
+		},
 	}
 
 	volumeMounts := []corev1.VolumeMount{
 		{
-			Name:      "config",
+			Name:      configVolumeName,
 			MountPath: "/run/config",
 		},
+		{
+			Name:      emptyDirTmpVolumeName,
+			MountPath: "/tmp",
+		},
+		{
+			Name:      emptyDirHomeVolumeName,
+			MountPath: "/home/fleet-apply",
+		},
 	}
 
 	if gitrepo.Spec.HelmSecretNameForPaths != "" {