disable istio injection and set runasnonroot and user 185

Signed-off-by: juliusvonkohout <[email protected]>
kubeflow · Oct 15, 2024 · 006365f · 006365f
1 parent bf622f9
commit 006365f
Showing 1 changed file with 28 additions and 0 deletions.
diff --git a/contrib/spark/spark-operator/base/kustomization.yaml b/contrib/spark/spark-operator/base/kustomization.yaml
@@ -16,11 +16,39 @@ patches:
           capabilities:
             drop: ["ALL"]
           runAsNonRoot: true
+          runAsUser: 185
+          seccompProfile:
+            type: RuntimeDefault
+  - target:
+      kind: Deployment
+      labelSelector: "app.kubernetes.io/name=spark-operator"
+    patch: |-
+      - op: add
+        path: /spec/template/spec/containers/0/securityContext
+        value:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop: ["ALL"]
+          runAsNonRoot: true
+          runAsUser: 185
           seccompProfile:
             type: RuntimeDefault
   - target:
       kind: Deployment
       name: spark-operator-webhook
+    patch: |-
+      apiVersion: apps/v1
+      kind: Deployment
+      metadata:
+        name: spark-operator-webhook
+      spec:
+        template:
+          metadata:
+            annotations:
+              sidecar.istio.io/inject: "false"
+  - target:
+      kind: Deployment
+      name: spark-operator-controller
     patch: |-
       apiVersion: apps/v1
       kind: Deployment