
Merge "Run Divingbell containers as unprivileged"

Zuul 1 month ago
parent
commit
b8f2792eb6

+ 3
- 1
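--- a/divingbell/templates/daemonset-apparmor.yaml
+++ b/divingbell/templates/daemonset-apparmor.yaml
@@ -49,7 +49,9 @@ spec:
           subPath: {{ $daemonset }}
           readOnly: true
         securityContext:
-          privileged: true
+          capabilities:
+            add:
+              - 'MAC_ADMIN'
       volumes:
       - name: rootfs-{{ $daemonset }}
         hostPath: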
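Review bot: The new `capabilities:` block only adds MAC_ADMIN on top of the runtime's default capability set, so the container is less privileged but not minimal; pairing the add with `drop:` / `- 'ALL'` would make the intended privilege level explicit, and the same applies to the ethtool and sysctl hunks. Dropping `privileged: true` also means the runtime's default AppArmor profile and a read-only /sys now apply to this container, and the stock docker-default profile denies writes under /sys/kernel/security, so profile loading may fail on nodes that enforce AppArmor unless the pod is annotated with a suitable profile — worth verifying rather than assuming. The `rootfs-{{ $daemonset }}` hostPath volume below is unchanged, so host filesystem access remains; a comment above `capabilities:` such as `# MAC_ADMIN: required to load AppArmor profiles via securityfs` would tell later readers why the capability is there. The container spec starts before this hunk.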

+ 0
- 2
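--- a/divingbell/templates/daemonset-apt.yaml
+++ b/divingbell/templates/daemonset-apt.yaml
@@ -48,8 +48,6 @@ spec:
           mountPath: /tmp/{{ $daemonset }}.sh
           subPath: {{ $daemonset }}
           readOnly: true
-        securityContext:
-          privileged: true
       volumes:
       - name: rootfs-{{ $daemonset }}
         hostPath: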
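Review bot: Removing the whole `securityContext:` leaves this container on the runtime's implicit default capability set rather than an explicit, reviewed one; an explicit block with `allowPrivilegeEscalation: false` and `capabilities:` listing `drop:` plus only the entries the apt script is shown to need would document the intended privilege level, and the same applies to the limits, perm and uamlite hunks. The `rootfs-{{ $daemonset }}` hostPath volume is still mounted, so these containers retain write access to the host filesystem; "unprivileged" here means no device access and a restricted capability set, not host isolation, which the commit message could state. If the apt script chroots into the host rootfs it presumably relies on CAP_SYS_CHROOT from the default set — confirm the script was exercised with the default set and not only under `privileged: true`. The container spec begins before this hunk.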

+ 3
- 1
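--- a/divingbell/templates/daemonset-ethtool.yaml
+++ b/divingbell/templates/daemonset-ethtool.yaml
@@ -51,7 +51,9 @@ spec:
           subPath: {{ $daemonset }}
           readOnly: true
         securityContext:
-          privileged: true
+          capabilities:
+            add:
+              - 'NET_ADMIN'
       volumes:
       - name: rootfs-{{ $daemonset }}
         hostPath: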

+ 0
- 2
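--- a/divingbell/templates/daemonset-limits.yaml
+++ b/divingbell/templates/daemonset-limits.yaml
@@ -50,8 +50,6 @@ spec:
           mountPath: /tmp/{{ $daemonset }}.sh
           subPath: {{ $daemonset }}
           readOnly: true
-        securityContext:
-          privileged: true
       volumes:
       - name: rootfs-{{ $daemonset }}
         hostPath: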

+ 0
- 2
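--- a/divingbell/templates/daemonset-mounts.yaml
+++ b/divingbell/templates/daemonset-mounts.yaml
@@ -50,8 +50,6 @@ spec:
           mountPath: /tmp/{{ $daemonset }}.sh
           subPath: {{ $daemonset }}
           readOnly: true
-        securityContext:
-          privileged: true
       volumes:
       - name: rootfs-{{ $daemonset }}
         hostPath: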
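Review bot: Dropping the securityContext here removes CAP_SYS_ADMIN, which mount(2) and umount(2) require and which is not in the container runtime's default capability set, so if the mounts script performs real mount operations on the host (through the rootfs hostPath or by entering the host mount namespace) those calls will now fail with EPERM. Either the script should be confirmed to only edit mount configuration files, or this template needs the same `capabilities:` / `add:` pattern the sysctl hunk uses, limited to `- 'SYS_ADMIN'` and accompanied by a comment naming the operation that needs it. The container spec begins before this hunk.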

+ 0
- 2
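--- a/divingbell/templates/daemonset-perm.yaml
+++ b/divingbell/templates/daemonset-perm.yaml
@@ -50,8 +50,6 @@ spec:
           mountPath: /tmp/{{ $daemonset }}.sh
           subPath: {{ $daemonset }}
           readOnly: true
-        securityContext:
-          privileged: true
       volumes:
       - name: rootfs-{{ $daemonset }}
         hostPath: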

+ 5
- 1
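--- a/divingbell/templates/daemonset-sysctl.yaml
+++ b/divingbell/templates/daemonset-sysctl.yaml
@@ -51,7 +51,11 @@ spec:
           subPath: {{ $daemonset }}
           readOnly: true
         securityContext:
-          privileged: true
+          capabilities:
+            add:
+              - 'SYS_PTRACE'
+              - 'SYS_ADMIN'
+              - 'SYS_RAWIO'
       volumes:
       - name: rootfs-{{ $daemonset }}
         hostPath: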
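Review bot: The three capabilities added here, SYS_ADMIN above all, leave this container close to the `privileged: true` they replace — SYS_ADMIN alone covers mount, namespace entry and most of what a sysctl tool needs — so the real gain is the loss of device access and the re-application of the runtime's default seccomp and AppArmor profiles, which the commit message should not overstate. Each entry deserves a one-line comment naming the operation in the sysctl script that requires it, e.g. `# SYS_PTRACE: presumably needed to read /proc/1/ns for nsenter — confirm`, and any entry the script does not actually exercise (SYS_RAWIO looks like the candidate) should be removed. Pairing the add list with `drop:` / `- 'ALL'` would keep the default set from remaining alongside these. The container spec begins before this hunk.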

+ 0
- 2
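--- a/divingbell/templates/daemonset-uamlite.yaml
+++ b/divingbell/templates/daemonset-uamlite.yaml
@@ -50,8 +50,6 @@ spec:
           mountPath: /tmp/{{ $daemonset }}.sh
           subPath: {{ $daemonset }}
           readOnly: true
-        securityContext:
-          privileged: true
       volumes:
       - name: rootfs-{{ $daemonset }}
         hostPath: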
