Fix CRD installation job's settings so it can get admitted by Kyverno…

… policies (#227)
giantswarm · Apr 2, 2024 · 13acef7 · 13acef7
1 parent 5f5e28c
commit 13acef7
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 0 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Fixed
+
+- Fix CRD installation job's settings so it can get admitted by Kyverno policies
+
 ## [2.15.1] - 2024-04-02
 
 ### Added

diff --git a/helm/cluster-api-provider-aws/templates/crd-install/crd-job.yaml b/helm/cluster-api-provider-aws/templates/crd-install/crd-job.yaml
@@ -20,6 +20,7 @@ spec:
     spec:
       serviceAccountName: {{ include "capa.crdInstall" . }}
       securityContext:
+        readOnlyRootFilesystem: true
         runAsUser: 65534
         runAsGroup: 65534
         seccompProfile:
@@ -57,7 +58,14 @@ spec:
             cpu: 500m
             memory: 512Mi
         securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
           readOnlyRootFilesystem: true
+          runAsUser: 65534
+          runAsGroup: 65534
+          runAsNonRoot: true
           seccompProfile:
             type: RuntimeDefault
       volumes: