Merge pull request #145 from jemag/security-context
Set strong securityContext by default
pierluigilenoci authored Jul 10, 2023
2 parents 081d2a3 + 2583241 commit c9ffb3b
Showing 3 changed files with 12 additions and 6 deletions.
2 changes: 1 addition & 1 deletion helm/oauth2-proxy/Chart.yaml
@@ -1,5 +1,5 @@
name: oauth2-proxy
version: 6.13.2
version: 6.14.0
apiVersion: v2
appVersion: 7.4.0
home: https://oauth2-proxy.github.io/oauth2-proxy/
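Review bot: the bump from 6.13.2 to 6.14.0 is only a minor increment for a change that flips `securityContext.enabled` from `false` to `true` and, with it, forces a fixed UID/GID of 2000, a read-only root filesystem and a dropped-capabilities container on every existing installation that did not override the block; an upgrade note in the README (or the chart changelog) stating what now applies by default and how to opt out would let operators with custom images or writable paths plan the upgrade instead of discovering it as a crashing pod.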
3 changes: 1 addition & 2 deletions helm/oauth2-proxy/README.md
@@ -174,8 +174,7 @@ Parameter | Description | Default
`serviceAccount.name` | the service account name | ``
`serviceAccount.annotations` | (optional) annotations for the service account | `{}`
`tolerations` | list of node taints to tolerate | `[]`
`securityContext.enabled` | enable Kubernetes security context on container | `false`
`securityContext.runAsNonRoot` | make sure that the container runs as a non-root user | `true`
`securityContext.enabled` | enable Kubernetes security context on container | `true`
`proxyVarsAsSecrets` | choose between environment values or secrets for setting up OAUTH2_PROXY variables. When set to false, remember to add the variables OAUTH2_PROXY_CLIENT_ID, OAUTH2_PROXY_CLIENT_SECRET, OAUTH2_PROXY_COOKIE_SECRET in extraEnv | `true`
`sessionStorage.type` | Session storage type which can be one of the following: cookie or redis | `cookie`
`sessionStorage.redis.existingSecret` | Name of the Kubernetes secret containing the redis & redis sentinel password values (see also `sessionStorage.redis.passwordKey`) | `""`
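Review bot: the `securityContext.runAsNonRoot` row is removed here although values.yaml in this same commit still sets `runAsNonRoot: true`, and none of the newly defaulted keys (`allowPrivilegeEscalation`, `capabilities.drop`, `readOnlyRootFilesystem`, `runAsUser`, `runAsGroup`, `seccompProfile`) get a row of their own; either keep one row per key with its default, e.g. `securityContext.runAsUser` | user id the container runs as | `2000`, or reword the remaining `securityContext.enabled` row to say that the whole block from values.yaml is applied, so the table stops disagreeing with the chart defaults.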
13 changes: 10 additions & 3 deletions helm/oauth2-proxy/values.yaml
@@ -235,10 +235,17 @@ readinessProbe:
# Configure Kubernetes security context for container
# Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
securityContext:
enabled: false
enabled: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
# allowPrivilegeEscalation: false
# runAsUser: 2000
runAsUser: 2000
runAsGroup: 2000
seccompProfile:
type: RuntimeDefault

deploymentAnnotations: {}
podAnnotations: {}
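Review bot: this commit touches only values.yaml, so it is worth confirming that the deployment template actually renders the whole `securityContext` block (for instance via `toYaml`) rather than only the keys it previously knew about (`enabled`, `runAsNonRoot`, the formerly commented `allowPrivilegeEscalation` and `runAsUser`); if it renders individual keys, the new `capabilities.drop: [ALL]`, `readOnlyRootFilesystem: true`, `runAsGroup: 2000` and `seccompProfile.type: RuntimeDefault` would be silently ignored while the README advertises them as the default. Two smaller points: hard-coding `runAsUser: 2000` and `runAsGroup: 2000` will be rejected by platforms that assign UID ranges per namespace (OpenShift's restricted SCC is the usual case), so a comment pointing out that these two keys can be set to null there would save support questions; and the uncommented defaults are now the hardened ones, so the dropped `# runAsUser: 2000` / `# allowPrivilegeEscalation: false` comment lines are correctly gone rather than left as stale hints.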

0 comments on commit c9ffb3b