AFAIK there is no way to configure the build pods' securityContext to follow Kubernetes security best practices for untrusted containers. podSecurityContext and securityContext in the Helm chart only apply to the drone-runner-kube pod. Neither policy.yaml nor .drone.yml has an option to set up a securityContext for the build bot.
The following must be set in the build bot's pod deployment so it passes the requirements for the restricted Pod Security Standard:
```yaml
securityContext:
  capabilities:
    drop:
      - ALL
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  runAsUser: 1000
  runAsGroup: 1000
  allowPrivilegeEscalation: false
  seccompProfile:
    type: RuntimeDefault
```
Is there a workaround to apply the above securityContext, or am I missing something?
This is a really desired feature, as build bots are untrusted and must be very restricted. Build bots are a cause of major security attacks against clusters.
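Since the runner does not currently let you set these fields, one thing you can do today is audit what the runner actually creates. The following is an added example (not part of the post above and not code from drone-runner-kube) that checks a pod spec against the securityContext settings the post lists, taking into account that `runAsNonRoot`, `runAsUser` and `seccompProfile` may be inherited from the pod-level securityContext while `allowPrivilegeEscalation`, `capabilities` and `readOnlyRootFilesystem` only exist at container level. The two sample pod specs are constructed for the example; the `BARE_BUILD_POD` shape is an assumption about what a build pod with no securityContext looks like, not a capture from a real runner.

```python
"""Audit a Kubernetes pod spec against the securityContext settings listed
in the post above (restricted-profile style). Added example, stdlib only:
pipe `kubectl get pod <name> -o json` into it to check a live build pod."""
import json
import sys

# Restricted profile only permits adding NET_BIND_SERVICE on top of drop: ALL.
ALLOWED_CAP_ADDS = {"NET_BIND_SERVICE"}
ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}


def _effective(pod_spec, container, key):
    """Container-level securityContext overrides the pod-level one per key."""
    csc = container.get("securityContext") or {}
    if key in csc:
        return csc[key]
    return (pod_spec.get("securityContext") or {}).get(key)


def check_pod(pod_spec):
    """Return a list of (container_name, problem) tuples; [] means compliant."""
    problems = []
    containers = (
        pod_spec.get("containers", [])
        + pod_spec.get("initContainers", [])
        + pod_spec.get("ephemeralContainers", [])
    )
    for c in containers:
        name = c.get("name", "<unnamed>")
        csc = c.get("securityContext") or {}

        # Container-only fields: no pod-level fallback exists for these.
        if csc.get("privileged"):
            problems.append((name, "privileged must not be true"))
        if csc.get("allowPrivilegeEscalation") is not False:
            problems.append((name, "allowPrivilegeEscalation must be false"))
        caps = csc.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []):
            problems.append((name, "capabilities.drop must include ALL"))
        extra = set(caps.get("add") or []) - ALLOWED_CAP_ADDS
        if extra:
            problems.append((name, "capabilities.add not allowed: %s" % sorted(extra)))
        if csc.get("readOnlyRootFilesystem") is not True:
            problems.append((name, "readOnlyRootFilesystem must be true"))

        # Fields that may be set on the pod and inherited by each container.
        if _effective(pod_spec, c, "runAsNonRoot") is not True:
            problems.append((name, "runAsNonRoot must be true"))
        if _effective(pod_spec, c, "runAsUser") == 0:
            problems.append((name, "runAsUser must not be 0"))
        seccomp = _effective(pod_spec, c, "seccompProfile") or {}
        if seccomp.get("type") not in ALLOWED_SECCOMP:
            problems.append((name, "seccompProfile.type must be RuntimeDefault or Localhost"))
    return problems


def pod_is_compliant(pod_spec):
    return not check_pod(pod_spec)


# Constructed sample: a build pod with no securityContext at all, plus a
# clone init container that explicitly runs as root (assumed shape, not a
# real runner capture).
BARE_BUILD_POD = {
    "containers": [{"name": "build", "image": "golang:1.21"}],
    "initContainers": [
        {"name": "clone", "image": "alpine/git", "securityContext": {"runAsUser": 0}}
    ],
}

# Constructed sample: the same pod with the post's settings applied. The
# inheritable keys sit at pod level, the container-only keys on the container.
HARDENED_BUILD_POD = {
    "securityContext": {
        "runAsNonRoot": True,
        "runAsUser": 1000,
        "runAsGroup": 1000,
        "seccompProfile": {"type": "RuntimeDefault"},
    },
    "containers": [
        {
            "name": "build",
            "image": "golang:1.21",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
        }
    ],
}

if __name__ == "__main__":
    # Accepts either a Pod object (kubectl -o json) or a bare pod spec.
    obj = json.load(sys.stdin) if not sys.stdin.isatty() else BARE_BUILD_POD
    spec = obj.get("spec", obj)
    for cname, msg in check_pod(spec):
        print("%s: %s" % (cname, msg))
    sys.exit(0 if pod_is_compliant(spec) else 1)
```

Run it with no stdin to see the constructed bare pod fail on every check, or feed it the JSON of a pod the runner created to see exactly which fields a future `securityContext` option in policy.yaml or .drone.yml would need to cover.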