feat: set allowPrivilegeEscalation: false and drop capabilities

Author: joshiste

charts/steadybit-extension-prometheus/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 name: steadybit-extension-prometheus
 description: Steadybit Prometheus extension Helm chart for Kubernetes.
-version: 1.4.15
+version: 1.4.16
 appVersion: latest
 home: https://www.steadybit.com/
 icon: https://steadybit-website-assets.s3.amazonaws.com/logo-symbol-transparent.png

charts/steadybit-extension-prometheus/templates/deployment.yaml

@@ -80,6 +80,10 @@ spec:
             runAsNonRoot: true
             runAsUser: 10000
             runAsGroup: 10000
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
       volumes:
         {{- include "extensionlib.deployment.volumes" (list .) | nindent 8 }}
       serviceAccountName: {{ .Values.serviceAccount.name }}

charts/steadybit-extension-prometheus/tests/__snapshot__/deployment_test.yaml.snap

@@ -50,6 +50,10 @@ manifest should match snapshot using podAnnotations and Labels:
                   cpu: 50m
                   memory: 32Mi
               securityContext:
+                allowPrivilegeEscalation: false
+                capabilities:
+                  drop:
+                    - ALL
                 readOnlyRootFilesystem: true
                 runAsGroup: 10000
                 runAsNonRoot: true
@@ -111,6 +115,10 @@ manifest should match snapshot with TLS:
                   cpu: 50m
                   memory: 32Mi
               securityContext:
+                allowPrivilegeEscalation: false
+                capabilities:
+                  drop:
+                    - ALL
                 readOnlyRootFilesystem: true
                 runAsGroup: 10000
                 runAsNonRoot: true
@@ -182,6 +190,10 @@ manifest should match snapshot with extra env vars:
                   cpu: 50m
                   memory: 32Mi
               securityContext:
+                allowPrivilegeEscalation: false
+                capabilities:
+                  drop:
+                    - ALL
                 readOnlyRootFilesystem: true
                 runAsGroup: 10000
                 runAsNonRoot: true
@@ -241,6 +253,10 @@ manifest should match snapshot with extra labels:
                   cpu: 50m
                   memory: 32Mi
               securityContext:
+                allowPrivilegeEscalation: false
+                capabilities:
+                  drop:
+                    - ALL
                 readOnlyRootFilesystem: true
                 runAsGroup: 10000
                 runAsNonRoot: true
@@ -304,6 +320,10 @@ manifest should match snapshot with mutual TLS:
                   cpu: 50m
                   memory: 32Mi
               securityContext:
+                allowPrivilegeEscalation: false
+                capabilities:
+                  drop:
+                    - ALL
                 readOnlyRootFilesystem: true
                 runAsGroup: 10000
                 runAsNonRoot: true
@@ -381,6 +401,10 @@ manifest should match snapshot with mutual TLS using containerPaths:
                   cpu: 50m
                   memory: 32Mi
               securityContext:
+                allowPrivilegeEscalation: false
+                capabilities:
+                  drop:
+                    - ALL
                 readOnlyRootFilesystem: true
                 runAsGroup: 10000
                 runAsNonRoot: true
@@ -438,6 +462,10 @@ manifest should match snapshot without TLS:
                   cpu: 50m
                   memory: 32Mi
               securityContext:
+                allowPrivilegeEscalation: false
+                capabilities:
+                  drop:
+                    - ALL
                 readOnlyRootFilesystem: true
                 runAsGroup: 10000
                 runAsNonRoot: true