From 763d7114a8b5e9667468143c61b06423b5b34c17 Mon Sep 17 00:00:00 2001
From: biswajit-9776 <115724497+biswajit-9776@users.noreply.github.com>
Date: Thu, 9 Jan 2025 21:12:22 +0530
Subject: [PATCH] Added a PSS patch for cluster-jwks-proxy deployment (#2944)
* Added a PSS patch
Signed-off-by: biswajit-9776
* Added workflow path for pss_test.yaml
Signed-off-by: biswajit-9776
---------
Signed-off-by: biswajit-9776
---
 .github/workflows/pss_test.yaml | 1 +
 .../PSS/patches/cluster-jwks-proxy.yaml | 20 +++++++++++++++++++
 2 files changed, 21 insertions(+)
 create mode 100644 contrib/security/PSS/patches/cluster-jwks-proxy.yaml
diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml
index d1dac7477c..48998f2412 100644
--- a/.github/workflows/pss_test.yaml
+++ b/.github/workflows/pss_test.yaml
@@ -11,6 +11,7 @@ on:
 - common/cert-manager/**
 - common/oauth2-proxy/**
 - common/istio*/**
+ - contrib/security/PSS/*
 - tests/gh-actions/install_istio-cni.sh
 - tests/gh-actions/install_multitenancy.sh
diff --git a/contrib/security/PSS/patches/cluster-jwks-proxy.yaml b/contrib/security/PSS/patches/cluster-jwks-proxy.yaml
new file mode 100644
index 0000000000..7935ec8a7a
--- /dev/null
+++ b/contrib/security/PSS/patches/cluster-jwks-proxy.yaml
@@ -0,0 +1,20 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: cluster-jwks-proxy
+ namespace: istio-system
+spec:
+ template:
+ spec:
+ containers:
+ - name: kubectl-proxy
+ securityContext:
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ runAsUser: 1000
+ runAsGroup: 0
+ capabilities:
+ drop:
+ - ALL
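Review bot: The new path filter `- contrib/security/PSS/*` will not match the file this same commit adds, `contrib/security/PSS/patches/cluster-jwks-proxy.yaml`, because a single `*` in a GitHub Actions `paths` filter does not cross a `/`, so only files directly under `PSS/` would trigger the workflow. The neighbouring entries (`common/cert-manager/**`, `common/istio*/**`) use `**` for exactly this reason; the line should read `- contrib/security/PSS/**`. As written, a later edit to any PSS patch would not run `pss_test.yaml`, which defeats the purpose of adding the trigger.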
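Review bot: `runAsGroup: 0` places the `kubectl-proxy` process in the root group even though `runAsNonRoot: true` and `runAsUser: 1000` are set; the restricted Pod Security Standard accepts this (it only checks that the UID is non-zero), but GID 0 grants access to anything group-root-readable in the image and is an odd choice for a hardening patch. Unless the image is known to need it, use a non-zero group such as `runAsGroup: 1000`, and consider adding `readOnlyRootFilesystem: true` next to `allowPrivilegeEscalation: false`, since a proxy that only forwards the JWKS endpoint should not need to write to its root filesystem. Whether the image actually requires GID 0 or a writable root is not visible in this hunk, so confirm against the container image before changing either. Note also that this is a strategic-merge patch keyed on the container name `kubectl-proxy`; if the base deployment names its container differently, kustomize will append a second container rather than harden the existing one, so the name is worth checking against the base manifest.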