external-secrets/kubernetes-external-secrets

Default securityContext settings

gabegorelick opened this issue · 3 comments

#780 introduced the ability to set a container securityContext, while pod-level securityContext has been supported since #200. However, only runAsNonRoot is enabled by default.

Other settings that should potentially be enabled by default (subject to testing):

  • runAsUser: 1000
  • readOnlyRootFilesystem: true
  • allowPrivilegeEscalation, if no suid binaries are used
  • Drop unused capabilities

I've been running KES with allowPrivilegeEscalation: false, readOnlyRootFilesystem: true, runAsUser: 1000, and capabilities: {drop: [all]} without any issues.

This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 30 days.

This issue was closed because it has been stalled for 30 days with no activity.