From e9e8264bbfe82f64722012812cc14614bfcedb25 Mon Sep 17 00:00:00 2001
From: biswajit-9776
Date: Wed, 8 Jan 2025 23:26:51 +0530
Subject: [PATCH] Added a patch for contrib/security/PSS/patches
Signed-off-by: biswajit-9776
---
.github/workflows/pss_test.yaml | 4 +---
.../PSS/patches/cluster-jwks-proxy.yaml | 18 ++++++++++++++++++
2 files changed, 19 insertions(+), 3 deletions(-)
create mode 100644 contrib/security/PSS/patches/cluster-jwks-proxy.yaml
diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml
index fdb237ee43..253235e68b 100644
--- a/.github/workflows/pss_test.yaml
+++ b/.github/workflows/pss_test.yaml
@@ -72,9 +72,7 @@ jobs:
 kubectl patch "$KIND" "$NAME" -n "$NAMESPACE" --patch-file "$file"
 fi
 done
- kubectl get pods -n istio-system
- kubectl get cm -n istio-system
- kubectl describe cm istio-sidecar-injector -n istio-system
+ sleep 100
 - name: Apply Pod Security Standards baseline levels for static namespaces
 run: ./tests/gh-actions/enable_baseline_PSS.sh
diff --git a/contrib/security/PSS/patches/cluster-jwks-proxy.yaml b/contrib/security/PSS/patches/cluster-jwks-proxy.yaml
new file mode 100644
index 0000000000..2a640234cb
--- /dev/null
+++ b/contrib/security/PSS/patches/cluster-jwks-proxy.yaml
@@ -0,0 +1,18 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: cluster-jwks-proxy
+ namespace: istio-system
+spec:
+ template:
+ spec:
+ containers:
+ - name: kubectl-proxy
+ securityContext:
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
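Review bot: The added `sleep 100` is an unexplained fixed wait that neither guarantees the patched workloads have rolled out before the PSS steps run nor fails when they never do, so a pod that is rejected by its new securityContext can go unnoticed. Prefer a bounded readiness check keyed to what the loop just patched, e.g. `kubectl rollout status "$KIND/$NAME" -n "$NAMESPACE" --timeout=180s` after the `kubectl patch` line (if every patched kind supports rollout status), and keep a comment such as `# wait for patched workloads to restart with the new securityContext` so the intent survives. The `run:` script this hunk edits starts outside the hunk, and the 9/7 line counts suggest one context line (probably a blank one) was lost when the patch was collapsed.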
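Review bot: `runAsNonRoot: true` is set without a numeric `runAsUser`, so the pod only starts if the kubectl-proxy image declares a non-root USER; if it does not, the kubelet refuses the container with CreateContainerConfigError and the Deployment never becomes available, which a fixed sleep in the workflow would not catch. Either confirm the image's USER or add `runAsUser: <non-root uid, placeholder>` and `runAsGroup: <gid, placeholder>` beside it. The patch covers only the `kubectl-proxy` container, so any other containers or initContainers in this Deployment (not visible here) would remain outside the restricted profile. A one-line header would help maintainers, e.g. `# Strategic-merge patch: brings the kubectl-proxy container up to the PSS "restricted" profile (no privilege escalation, all capabilities dropped, non-root, RuntimeDefault seccomp).`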