From c38fb866b7b85ab8dedb30c8220fa1a27e1209c4 Mon Sep 17 00:00:00 2001
From: Kenichi Omichi <ken1ohmichi@gmail.com>
Date: Tue, 18 Oct 2022 11:11:18 +0900
Subject: [PATCH] Update securityContext of netchecker (#9398)

To run netchecker with the necessary privileges,
this updates the securityContext.
---
 .../templates/netchecker-server-deployment.yml.j2    | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/roles/kubernetes-apps/ansible/templates/netchecker-server-deployment.yml.j2 b/roles/kubernetes-apps/ansible/templates/netchecker-server-deployment.yml.j2
index bd36af8d0..edda5c5b2 100644
--- a/roles/kubernetes-apps/ansible/templates/netchecker-server-deployment.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/netchecker-server-deployment.yml.j2
@@ -32,8 +32,14 @@ spec:
               cpu: {{ netchecker_server_cpu_requests }}
               memory: {{ netchecker_server_memory_requests }}
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop: ['ALL']
             runAsUser: {{ netchecker_server_user | default('0') }}
             runAsGroup: {{ netchecker_server_group | default('0') }}
+            runAsNonRoot: true
+            seccompProfile:
+              type: RuntimeDefault
           ports:
             - containerPort: 8081
           args:
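Review bot: The added `runAsNonRoot: true` contradicts the existing `runAsUser: {{ netchecker_server_user | default('0') }}` two lines above it: when `netchecker_server_user` is left undefined the template renders `runAsUser: 0`, and the kubelet refuses to start a container whose securityContext sets runAsNonRoot while the resolved UID is 0, so the default deployment would fail at container creation rather than run with reduced privilege. Either the default UID (and the matching `runAsGroup` default) needs to become a non-root value, e.g. `runAsUser: {{ netchecker_server_user | default('<non-root-uid placeholder>') }}` once the images are confirmed to run unprivileged, or `runAsNonRoot` should be rendered conditionally on the user not being 0. The same pair is introduced for the etcd container in the second hunk (`@@ -63,8 +69,14 @@`), which has the same problem. A minor style point: `drop: ['ALL']` is the only flow-style collection in this block mapping; writing it as `drop:` with `- ALL` beneath matches the rest of the template. The enclosing container spec starts before this hunk.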
@@ -63,8 +69,14 @@ spec:
               cpu: {{ netchecker_etcd_cpu_requests }}
               memory: {{ netchecker_etcd_memory_requests }}
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop: ['ALL']
             runAsUser: {{ netchecker_server_user | default('0') }}
             runAsGroup: {{ netchecker_server_group | default('0') }}
+            runAsNonRoot: true
+            seccompProfile:
+              type: RuntimeDefault
       tolerations:
         - effect: NoSchedule
           operator: Exists
-- 
GitLab