fix: tighten securityContext to comply with restricted PSS (argoproj-labs#600)

makes argocd-image-updater compatible with restricted Pod Security Standard

Signed-off-by: Takeo Sawada <[email protected]>

Author: tsawada

manifests/base/deployment/argocd-image-updater-deployment.yaml

@@ -110,13 +110,24 @@ spec:
             port: 8080
           initialDelaySeconds: 3
           periodSeconds: 30
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          seccompProfile:
+            type: RuntimeDefault
         volumeMounts:
         - mountPath: /app/config
           name: image-updater-conf
         - mountPath: /app/config/ssh
           name: ssh-known-hosts
         - mountPath: /app/.ssh
           name: ssh-config
+        - mountPath: /tmp
+          name: tmp
       serviceAccountName: argocd-image-updater
       volumes:
       - configMap:
@@ -136,3 +147,5 @@ spec:
           name: argocd-image-updater-ssh-config
           optional: true
         name: ssh-config
+      - emptyDir: {}
+        name: tmp

manifests/install.yaml

@@ -193,13 +193,24 @@ spec:
             port: 8080
           initialDelaySeconds: 3
           periodSeconds: 30
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          seccompProfile:
+            type: RuntimeDefault
         volumeMounts:
         - mountPath: /app/config
           name: image-updater-conf
         - mountPath: /app/config/ssh
           name: ssh-known-hosts
         - mountPath: /app/.ssh
           name: ssh-config
+        - mountPath: /tmp
+          name: tmp
       serviceAccountName: argocd-image-updater
       volumes:
       - configMap:
@@ -219,3 +230,5 @@ spec:
           name: argocd-image-updater-ssh-config
           optional: true
         name: ssh-config
+      - emptyDir: {}
+        name: tmp