* bridge-marker, scc: Drop unnecessary host volume privileges in SCC
- Disallow hostDir volume plugins.
- Restrict volume types to configMap and emptyDir.
- Restrict volumes access to basic folders. Projected volume is required
for ServiceAccount token mounts.
Signed-off-by: Ram Lavi <[email protected]>
* bridge-marker: mount writable /tmp to support runtime dependencies
As a preliminary step to the next commit, where runtime dependencies are
hardened, this commit mounts /tmp. This is required for compatibility with Go
libraries and client-go when using readOnlyRootFilesystem.
This commit mounts an emptyDir at /tmp to provide writable scratch space
for the container.
This change should also occur on the repo itself, but until it does, and
in order to allow for a smooth bump when it occurs, it should stay.
Signed-off-by: Ram Lavi <[email protected]>
* bridge-marker, scc: Enforce stricter runtime restrictions
- Enable readOnlyRootFilesystem for better container isolation.
- Require containers to run as non-root users.
- Set SELinux context type to MustRunAs for confinement.
Signed-off-by: Ram Lavi <[email protected]>
* ds/bridge-marker: Add securityContext to enforce non-root UID and read-only rootfs
- Configure container to run as non-root user explicitly (UID 1001).
- Enable read-only root filesystem at container level.
- Ensure consistent non-root enforcement across architectures.
This change should also occur on the repo itself, but until it does, and
in order to allow for a smooth bump when it occurs, it should stay.
Signed-off-by: Ram Lavi <[email protected]>
---------
Signed-off-by: Ram Lavi <[email protected]>
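The restrictions listed across these commits, written out as an added example manifest (not the project's own files): an SCC that drops host volume plugins, limits volume types, and enforces a read-only rootfs, non-root UID and SELinux confinement, next to a DaemonSet container that satisfies it and gets its writable /tmp from an emptyDir. The SCC name, namespace, ServiceAccount and image are assumptions.

```yaml
# Added example, not the project's manifests. Names below are assumed.
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: bridge-marker                # assumed SCC name
allowHostDirVolumePlugin: false      # no hostPath-style volumes
readOnlyRootFilesystem: true         # rootfs immutable; scratch space comes from emptyDir
runAsUser:
  type: MustRunAsNonRoot             # pod must declare a non-root UID
seLinuxContext:
  type: MustRunAs                    # keep SELinux confinement
volumes:                             # only basic volume types are allowed
  - configMap
  - emptyDir
  - projected                        # required for the ServiceAccount token mount
users:
  - system:serviceaccount:bridge-marker:bridge-marker   # assumed namespace:SA
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: bridge-marker
  namespace: bridge-marker           # assumed namespace
spec:
  selector:
    matchLabels:
      app: bridge-marker
  template:
    metadata:
      labels:
        app: bridge-marker
    spec:
      serviceAccountName: bridge-marker      # assumed SA, matched by the SCC above
      containers:
        - name: bridge-marker
          image: IMAGE_PLACEHOLDER           # placeholder, not a real image reference
          securityContext:
            runAsNonRoot: true               # explicit non-root enforcement
            runAsUser: 1001                  # UID named in the commit message
            readOnlyRootFilesystem: true     # container-level read-only rootfs
          volumeMounts:
            - name: tmp
              mountPath: /tmp                # writable scratch for Go and client-go
      volumes:
        - name: tmp
          emptyDir: {}                       # permitted by the SCC volume list
```

With readOnlyRootFilesystem set but no emptyDir at /tmp, client-go and Go libraries that write temporary files fail at runtime, which is why the /tmp mount is introduced before the stricter SCC.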