AFAIK there is no way to configure build pods'
securityContext to follow Kubernetes best security practices for untrusted containers.
securitycontext in the helm chart only applies to
policy.yaml doesn't have an option to set up
.drone.yml for buildbot.
The following must be set in the buildbot's pod deployment so it passes the requirements of the
restricted Pod Security Standard:

    securityContext:
      capabilities:
        drop:
          - ALL
      readOnlyRootFilesystem: true
      runAsNonRoot: true
      runAsUser: 1000
      runAsGroup: 1000
      allowPrivilegeEscalation: false
      seccompProfile:
        type: RuntimeDefault
Is there a workaround to apply the above securityContext, or am I missing something?
This is a really desired feature, as buildbots are untrusted and must be very restricted. Buildbots are a cause of major security attacks against clusters.
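As an added example (not from the original post or from the Drone project), a small offline checker for the securityContext fields listed above, so a build pod spec can be tested against them before the cluster's Pod Security admission rejects it. The pod specs inside it are constructed; the real restricted profile also checks host namespaces, volume types and more, which this does not cover.

```python
# Offline checker for the container securityContext fields the post lists for the
# "restricted" Pod Security Standard. The pod specs below are constructed samples.
from typing import Dict, List

# Field -> expected value, taken from the securityContext in the post.
REQUIRED = {
    "allowPrivilegeEscalation": False,
    "readOnlyRootFilesystem": True,
    "runAsNonRoot": True,
}


def check_container(name: str, sc: Dict) -> List[str]:
    """Return human-readable findings for one container's (merged) securityContext."""
    findings = []
    for field, expected in REQUIRED.items():
        if sc.get(field) != expected:
            findings.append(f"{name}: {field} must be {expected!r}, got {sc.get(field)!r}")
    drop = sc.get("capabilities", {}).get("drop", [])
    if "ALL" not in drop:
        findings.append(f"{name}: capabilities.drop must include ALL, got {drop!r}")
    if sc.get("seccompProfile", {}).get("type") not in ("RuntimeDefault", "Localhost"):
        findings.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
    if sc.get("runAsUser", 1) == 0 or sc.get("runAsGroup", 1) == 0:
        findings.append(f"{name}: must not run as uid/gid 0")
    return findings


def check_pod(pod: Dict) -> List[str]:
    """Check every container and initContainer; an empty list means all checks pass."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    findings = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        # Container-level settings override pod-level ones, so merge in that order.
        merged = {**pod_sc, **c.get("securityContext", {})}
        findings += check_container(c["name"], merged)
    return findings


# Constructed sample: a build pod with no securityContext at all ...
BUILD_POD_DEFAULT = {"spec": {"containers": [{"name": "build", "image": "alpine"}]}}
# ... and the same pod with the securityContext from the post applied.
BUILD_POD_RESTRICTED = {"spec": {"containers": [{"name": "build", "image": "alpine",
    "securityContext": {"capabilities": {"drop": ["ALL"]}, "readOnlyRootFilesystem": True,
        "runAsNonRoot": True, "runAsUser": 1000, "runAsGroup": 1000,
        "allowPrivilegeEscalation": False, "seccompProfile": {"type": "RuntimeDefault"}}}]}}

if __name__ == "__main__":
    for label, pod in (("default", BUILD_POD_DEFAULT), ("restricted", BUILD_POD_RESTRICTED)):
        print(label, check_pod(pod) or "OK")
```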