From 934f52d3eab48d82a43dc7f92463285d705d55cc Mon Sep 17 00:00:00 2001
From: toumi
Date: Wed, 9 Sep 2020 00:49:20 -0400
Subject: [PATCH] good one
---
 deployment.yaml | 40 ++++++++++++++++++++++++++++++++++------
 1 file changed, 34 insertions(+), 6 deletions(-)
diff --git a/deployment.yaml b/deployment.yaml
index 5fc3833..cf73e06 100644
--- a/deployment.yaml
+++ b/deployment.yaml
@@ -12,11 +12,39 @@ spec:
 metadata:
 labels:
 app: sample-app
+ annotations:
+ container.apparmor.security.beta.kubernetes.io/sample-app: runtime/default
+ seccomp.security.alpha.kubernetes.io/pod: runtime/default
 spec:
 containers:
- - command:
- - /app/sample-app
- image: gitopsbook/sample-app:v0.1
- name: sample-app
- ports:
- - containerPort: 8080
+ - command:
+ - /app/sample-app
+ image: gitopsbook/sample-app:v0.1
+ name: sample-app
+ ports:
+ - containerPort: 8080
+ resources: {}
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - NET_RAW
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: false
+ automountServiceAccountToken: false
+ strategy: {}
+# sgined doc
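Review bot: `runAsNonRoot: false` in the new securityContext still lets the container start as UID 0, which undercuts the other hardening added beside it; unless the image genuinely needs root (not visible from this patch), set `runAsNonRoot: true` and pin a non-zero `runAsUser`. The `drop:` list names fourteen capabilities individually, so anything a runtime grants beyond that list is kept; a single `- ALL` entry is shorter and fails closed. The two added annotations use the alpha seccomp and beta AppArmor forms, which Kubernetes has since deprecated in favour of `securityContext` fields such as `seccompProfile`, so confirm the target cluster version still honours them or the profiles will silently not apply. Indentation is collapsed in this view, so the nesting of `automountServiceAccountToken: false` and `strategy: {}` could not be checked and should be verified against the pod spec and Deployment spec levels respectively.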