Enforce restricted PSS

vmware-tanzu · Sep 6, 2022 · e1a53d2 · e1a53d2
1 parent b89640c
commit e1a53d2
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -12,7 +12,7 @@ To begin contributing, please read the [contributing](CONTRIBUTING.md) doc.
 
 ## Installation and Usage
 
-The Cert Injection Webhook for Kubernetes is deployed using the [Carvel](hhttps://carvel.dev/) tool suite.
+The Cert Injection Webhook for Kubernetes is deployed using the [Carvel](https://carvel.dev/) tool suite.
 
 ### Install using kapp controller
 If you would like to install with [Tanzu Community Edition](https://tanzucommunityedition.io/). See [this guide](packaging/README.md)

diff --git a/config/_namespace.yaml b/config/_namespace.yaml
@@ -2,4 +2,7 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: cert-injection-webhook
+  name: cert-injection-webhook
+  labels:
+    pod-security.kubernetes.io/enforce: restricted
+    pod-security.kubernetes.io/enforce-version: v1.25
diff --git a/config/deployment.yaml b/config/deployment.yaml
@@ -33,9 +33,22 @@ spec:
         app: cert-injection-webhook
     spec:
       serviceAccountName: cert-injection-webhook-sa
+      securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: "RuntimeDefault"
       containers:
         - name: server
           image: #@ data.values.webhook_image or assert.fail("missing webhook_image")
+          securityContext:
+            runAsNonRoot: true
+            allowPrivilegeEscalation: false
+            privileged: false
+            seccompProfile:
+              type: "RuntimeDefault"
+            capabilities:
+              drop:
+                - ALL
           imagePullPolicy: Always
           volumeMounts:
             - name: webhook-ca-cert