Fix PSS restricted warnings (#2528)

akagami-harsh · web-flow · commit c9513c633df6 · 2025-04-29T16:33:02.000Z
* fix pss warnings

Signed-off-by: Harshvir Potpose &lt;hpotpose62@gmail.com&gt;

* fix mysql

Signed-off-by: Harshvir Potpose &lt;hpotpose62@gmail.com&gt;

---------

Signed-off-by: Harshvir Potpose &lt;hpotpose62@gmail.com&gt;
diff --git a/manifests/v1beta1/components/controller/controller.yaml b/manifests/v1beta1/components/controller/controller.yaml
@@ -58,6 +58,15 @@ spec:
               name: katib-config
               subPath: katib-config.yaml
               readOnly: true
+          securityContext:
+            runAsNonRoot: true
+            allowPrivilegeEscalation: false
+            runAsUser: 1000
+            seccompProfile:
+              type: RuntimeDefault
+            capabilities:
+              drop:
+              - ALL
       volumes:
         - name: cert
           secret:
diff --git a/manifests/v1beta1/components/db-manager/db-manager.yaml b/manifests/v1beta1/components/db-manager/db-manager.yaml
@@ -40,3 +40,12 @@ spec:
             initialDelaySeconds: 10
             periodSeconds: 60
             failureThreshold: 5
+          securityContext:
+            runAsNonRoot: true
+            allowPrivilegeEscalation: false
+            runAsUser: 1000
+            seccompProfile:
+              type: RuntimeDefault
+            capabilities:
+              drop:
+              - ALL
diff --git a/manifests/v1beta1/components/mysql/mysql.yaml b/manifests/v1beta1/components/mysql/mysql.yaml
@@ -20,6 +20,9 @@ spec:
       annotations:
         sidecar.istio.io/inject: "false"
     spec:
+      securityContext:
+        fsGroup: 999
+        fsGroupChangePolicy: OnRootMismatch
       containers:
         - name: katib-mysql
           image: mysql:8.0.29
@@ -68,6 +71,16 @@ spec:
           volumeMounts:
             - name: katib-mysql
               mountPath: /var/lib/mysql
+          securityContext:
+            allowPrivilegeEscalation: false
+            seccompProfile:
+              type: RuntimeDefault
+            runAsNonRoot: true
+            runAsUser: 999
+            runAsGroup: 999
+            capabilities:
+              drop:
+              - ALL
       volumes:
         - name: katib-mysql
           persistentVolumeClaim:
diff --git a/manifests/v1beta1/components/ui/ui.yaml b/manifests/v1beta1/components/ui/ui.yaml
@@ -33,4 +33,13 @@ spec:
           ports:
             - name: ui
               containerPort: 8080
+          securityContext:
+            runAsNonRoot: true
+            allowPrivilegeEscalation: false
+            runAsUser: 1000
+            seccompProfile:
+              type: RuntimeDefault
+            capabilities:
+              drop:
+              - ALL
       serviceAccountName: katib-ui
