Update securityContext of netchecker (#9398)

To run netchecker with necessary privilege, this updates the securityContext.
2022-10-18 11:11:18 +09:00 · 2022-10-18 11:11:18 +09:00 · c38fb866b7
parent 5ad1d9db5e
commit c38fb866b7
1 changed files with 12 additions and 0 deletions
--- a/roles/kubernetes-apps/ansible/templates/netchecker-server-deployment.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/netchecker-server-deployment.yml.j2
@ -32,8 +32,14 @@ spec:
              cpu: {{ netchecker_server_cpu_requests }}
              memory: {{ netchecker_server_memory_requests }}
          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop: ['ALL']
            runAsUser: {{ netchecker_server_user | default('0') }}
            runAsGroup: {{ netchecker_server_group | default('0') }}
+            runAsNonRoot: true
+            seccompProfile:
+              type: RuntimeDefault
          ports:
            - containerPort: 8081
          args:
@ -63,8 +69,14 @@ spec:
              cpu: {{ netchecker_etcd_cpu_requests }}
              memory: {{ netchecker_etcd_memory_requests }}
          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop: ['ALL']
            runAsUser: {{ netchecker_server_user | default('0') }}
            runAsGroup: {{ netchecker_server_group | default('0') }}
+            runAsNonRoot: true
+            seccompProfile:
+              type: RuntimeDefault
      tolerations:
        - effect: NoSchedule
          operator: Exists