MOB-148: rollback to enforcing resticted level + fixing PodSec problems

4 years ago · 7f07bf2c9e
parent a2a4fb98bc
commit 7f07bf2c9e
2 changed files with 5 additions and 7 deletions
--- a/config/kustomize/base/resources/deployment.yaml
+++ b/config/kustomize/base/resources/deployment.yaml
@ -14,10 +14,8 @@ spec:
        app: keycloak
    spec:
      securityContext:
-        allowPrivilegeEscalation: false
+        runAsUser: 2000
        runAsNonRoot: true
        capabilities:
          drop: ["ALL"]
        seccompProfile:
          type: RuntimeDefault
      containers:
@ -25,7 +23,9 @@ spec:
        image: staged-harbor-01.smardigo.digital/smardigo/keycloak:14.0.0.1
        imagePullPolicy: IfNotPresent
        securityContext:
-          runAsUser: 2000
+          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
        ports:
        - name: app-port
          containerPort: 8080
--- a/config/kustomize/base/resources/namespace.yaml
+++ b/config/kustomize/base/resources/namespace.yaml
@ -3,9 +3,7 @@ kind: Namespace
 metadata:
  labels:
    kubernetes.io/metadata.name: sma-ums
-    pod-security.kubernetes.io/enforce: baseline
+    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
  name: sma-ums
 spec:
  finalizers: