From 4f6ad070f4c2fead4a1e42401bded102b61caadf Mon Sep 17 00:00:00 2001
From: Sheogorath <sheogorath@shivering-isles.com>
Date: Mon, 5 Feb 2024 21:11:57 +0100
Subject: [PATCH] fix(vpa): Add missing security context settings for PSS
 restricted

---
 infrastructure/vpa/deployment-patch.yaml |  9 +++++++++
 infrastructure/vpa/kustomization.yaml    | 15 ++++++++++++---
 2 files changed, 21 insertions(+), 3 deletions(-)
 create mode 100644 infrastructure/vpa/deployment-patch.yaml

diff --git a/infrastructure/vpa/deployment-patch.yaml b/infrastructure/vpa/deployment-patch.yaml
new file mode 100644
index 000000000..839f86db7
--- /dev/null
+++ b/infrastructure/vpa/deployment-patch.yaml
@@ -0,0 +1,9 @@
+- op: add
+  path: /spec/template/spec/containers/0/securityContext
+  value:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - ALL
+    seccompProfile: RuntimeDefault
+
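Review bot: `seccompProfile: RuntimeDefault` on the seventh line of the new file is the wrong shape: in the Kubernetes pod/container `securityContext` schema `seccompProfile` is an object, so the API server will reject every patched Deployment with an unmarshal error rather than admit it under PSS restricted. It should read `seccompProfile:` / `  type: RuntimeDefault` (a two-line mapping). The restricted profile also requires `runAsNonRoot: true` at either pod or container level; if the upstream vpa-release-1.0 manifests do not already set it on the pod spec, add `runAsNonRoot: true` alongside `allowPrivilegeEscalation: false` here. A `kustomize build . | kubectl apply --dry-run=server -f -` would have caught the schema error before merge.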
diff --git a/infrastructure/vpa/kustomization.yaml b/infrastructure/vpa/kustomization.yaml
index cf18a9532..ccb0a0498 100644
--- a/infrastructure/vpa/kustomization.yaml
+++ b/infrastructure/vpa/kustomization.yaml
@@ -1,14 +1,23 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: vpa-system
+
+commonLabels:
+  app.kubernetes.io/name: vertical-pod-autoscaler
+  app.kubernetes.io/instance: vpa-system
+
+
 resources:
   - namespace.yaml
   - certificate.yaml
   - https://git.shivering-isles.com/github-mirror/kubernetes/autoscaler.git//vertical-pod-autoscaler/deploy?ref=vpa-release-1.0
 
-commonLabels:
-  app.kubernetes.io/name: vertical-pod-autoscaler
-  app.kubernetes.io/instance: vpa-system
+patches:
+  - path: deployment-patch.yaml
+    target:
+      version: v1
+      group: apps
+      kind: Deployment
 
 components:
   - ../../shared/components/namespace-restricted
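Review bot: The new `patches` target matches every `apps/v1` Deployment in the build with no `name` or `labelSelector`, so the JSON patch is applied to all VPA components pulled in from the remote resource; that is presumably intended, but note that a JSON6902 `add` on `/spec/template/spec/containers/0/securityContext` replaces any existing container-level `securityContext` wholesale, so any upstream settings there would be silently dropped rather than merged. If that is a concern, target the individual fields (e.g. `path: /spec/template/spec/containers/0/securityContext/allowPrivilegeEscalation`) or verify the rendered output with `kustomize build .` and inspect each Deployment. As a minor style point, there are two consecutive blank lines between the moved `commonLabels` block and `resources:`; yamllint's `empty-lines` rule flags this, so drop one.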
-- 
GitLab