diff --git a/jupyterhub/values.yaml b/jupyterhub/values.yaml
index 73f28cdead..2750077ed5 100644
--- a/jupyterhub/values.yaml
+++ b/jupyterhub/values.yaml
@@ -89,11 +89,16 @@ hub:
 pullSecrets: []
 resources: {}
 podSecurityContext:
+ runAsNonRoot: true
 fsGroup: 1000
+ seccompProfile:
+ type: "RuntimeDefault"
 containerSecurityContext:
 runAsUser: 1000
 runAsGroup: 1000
 allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
 lifecycle: {}
 loadRoles: {}
 services: {}
@@ -197,9 +202,14 @@ proxy:
 chp:
 revisionHistoryLimit:
 containerSecurityContext:
+ runAsNonRoot: true
 runAsUser: 65534 # nobody user
 runAsGroup: 65534 # nobody group
 allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ seccompProfile:
+ type: "RuntimeDefault"
 image:
 name: quay.io/jupyterhub/configurable-http-proxy
 # tag is automatically bumped to new patch versions by the
@@ -250,9 +260,14 @@ proxy:
 traefik:
 revisionHistoryLimit:
 containerSecurityContext:
+ runAsNonRoot: true
 runAsUser: 65534 # nobody user
 runAsGroup: 65534 # nobody group
 allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ seccompProfile:
+ type: "RuntimeDefault"
 image:
 name: traefik
 # tag is automatically bumped to new patch versions by the
@@ -300,9 +315,14 @@ proxy:
 extraPodSpec: {}
 secretSync:
 containerSecurityContext:
+ runAsNonRoot: true
 runAsUser: 65534 # nobody user
 runAsGroup: 65534 # nobody group
 allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ seccompProfile:
+ type: "RuntimeDefault"
 image:
 name: quay.io/jupyterhub/k8s-secret-sync
 tag: "set-by-chartpress"
@@ -481,9 +501,14 @@ scheduling:
 weight: 1
 type: MostAllocated
 containerSecurityContext:
+ runAsNonRoot: true
 runAsUser: 65534 # nobody user
 runAsGroup: 65534 # nobody group
 allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ seccompProfile:
+ type: "RuntimeDefault"
 image:
 # IMPORTANT: Bumping the minor version of this binary should go hand in
 # hand with an inspection of the user-scheduelr's RBAC
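Review bot: The hub hunk puts `seccompProfile` under `podSecurityContext`, whereas every other hunk in this commit puts it under `containerSecurityContext`; for the hub that choice means every container in the pod inherits the profile, while the other pods, which expose no pod-level context in this file, get it only on the container this value is rendered into, so any init or sidecar containers those templates add would stay on the runtime's unconfined default unless handled elsewhere. A short comment on the new hub key would record the intent, e.g. `# pod-level so every container in the hub pod, including extras, inherits it`. Separately, `runAsNonRoot: true` is enforced by the kubelet at container start, so an operator who overrides the hub's `runAsUser` to 0 will now see a CreateContainerConfigError instead of a root hub; that is a deliberate hardening, but it is a behavior change that deserves a changelog entry.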
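Review bot: The `capabilities.drop: ["ALL"]` added to the chp container context is defense-in-depth rather than a functional change, since with `runAsUser: 65534` and `allowPrivilegeEscalation: false` already present the process has no effective capabilities to begin with; the same reasoning applies to the traefik, secretSync and user-scheduler hunks on this line, which add the identical block. A one-line comment would spare the next reader from re-checking port bindings, e.g. `# drop ALL: a non-root process has no effective capabilities anyway; this also clears the bounding set (Pod Security "restricted")`. The `seccompProfile` field requires an API server that knows it (stable since Kubernetes 1.19); if the chart's declared kubeVersion floor is older, older clusters would prune or reject the field, which should be confirmed against Chart.yaml. If the chart ships a values schema that enumerates the allowed keys for these securityContext objects, it needs the three new keys as well.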
@@ -560,9 +585,14 @@ scheduling:
 labels: {}
 annotations: {}
 containerSecurityContext:
+ runAsNonRoot: true
 runAsUser: 65534 # nobody user
 runAsGroup: 65534 # nobody group
 allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ seccompProfile:
+ type: "RuntimeDefault"
 resources: {}
 corePods:
 tolerations:
@@ -596,9 +626,14 @@ prePuller:
 annotations: {}
 resources: {}
 containerSecurityContext:
+ runAsNonRoot: true
 runAsUser: 65534 # nobody user
 runAsGroup: 65534 # nobody group
 allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ seccompProfile:
+ type: "RuntimeDefault"
 extraTolerations: []
 # hook relates to the hook-image-awaiter Job and hook-image-puller DaemonSet
 hook:
@@ -611,9 +646,14 @@ prePuller:
 pullPolicy:
 pullSecrets: []
 containerSecurityContext:
+ runAsNonRoot: true
 runAsUser: 65534 # nobody user
 runAsGroup: 65534 # nobody group
 allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ seccompProfile:
+ type: "RuntimeDefault"
 podSchedulingWaitDuration: 10
 nodeSelector: {}
 tolerations: []
@@ -628,9 +668,14 @@ prePuller:
 extraImages: {}
 pause:
 containerSecurityContext:
+ runAsNonRoot: true
 runAsUser: 65534 # nobody user
 runAsGroup: 65534 # nobody group
 allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ seccompProfile:
+ type: "RuntimeDefault"
 image:
 name: registry.k8s.io/pause
 # tag is automatically bumped to new patch versions by the
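Review bot: The four hunks on this line add the same three-key block to the placeholder, pre-puller, hook and pause container contexts, and since only `containerSecurityContext` exists here with no pod-level counterpart, the image-puller pods' init containers are covered only if the templates reuse this value for them; that should be verified rather than assumed, because an unconfined init container undoes the seccomp baseline for that pod. If the templates do reuse it, a comment above the key such as `# also rendered into the image-puller init containers` would make the scope explicit. The pods most exposed to untrusted code, the single-user servers, are not among these hunks; if their defaults are not hardened elsewhere in this change, the new seccomp and capability baseline stops short of where it matters most.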