feat: make zarf-agent pods comply with offical restricted pod security standard (#3036)

Ansible-man · Cade Thomas · schristoff · web-flow · commit 785feeb306c4 · 2024-11-01T17:30:09.000Z
Signed-off-by: Cade Thomas &lt;cadethomas23@gmail.com&gt;
Signed-off-by: schristoff &lt;28318173+schristoff@users.noreply.github.com&gt;
Signed-off-by: dependabot[bot] &lt;support@github.com&gt;
Co-authored-by: Cade Thomas &lt;cade.thomas@atlas-inno.com&gt;
Co-authored-by: schristoff &lt;28318173+schristoff@users.noreply.github.com&gt;
Co-authored-by: Austin Abro &lt;37223396+AustinAbro321@users.noreply.github.com&gt;
Co-authored-by: dependabot[bot] &lt;49699333+dependabot[bot]@users.noreply.github.com&gt;
diff --git a/packages/zarf-agent/manifests/deployment.yaml b/packages/zarf-agent/manifests/deployment.yaml
@@ -21,6 +21,13 @@ spec:
         - name: private-registry
       priorityClassName: system-node-critical
       serviceAccountName: zarf
+      # Security context to comply with restricted PSS
+      securityContext:
+        runAsUser: 1000
+        fsGroup: 2000
+        runAsGroup: 2000
+        seccompProfile:
+          type: "RuntimeDefault"
       containers:
         - name: server
           image: "###ZARF_REGISTRY###/###ZARF_CONST_AGENT_IMAGE###:###ZARF_CONST_AGENT_IMAGE_TAG###"
@@ -32,6 +39,12 @@ spec:
               scheme: HTTPS
           ports:
             - containerPort: 8443
+          securityContext:
+            readOnlyRootFilesystem: true
+            allowPrivilegeEscalation: false
+            runAsNonRoot: true
+            capabilities:
+              drop: ["ALL"]
           resources:
             requests:
               memory: "32Mi"
