Merge "Run maas-rack and maas-region containers as non-privileged"

2019-03-19 15:05:34 +00:00 · 2019-03-19 15:05:34 +00:00 · cf2c328861
parent 20df4f6eaa 7857fdf2cf
commit cf2c328861
2 changed files with 16 additions and 2 deletions
--- a/charts/maas/templates/statefulset-rack.yaml
+++ b/charts/maas/templates/statefulset-rack.yaml
@ -75,7 +75,14 @@ spec:
          command:
            - /tmp/start.sh
          securityContext:
-            privileged: true
+            capabilities:
+              add:
+                - 'DAC_READ_SEARCH'
+                - 'NET_ADMIN'
+                - 'SYS_ADMIN'
+                - 'SYS_PTRACE'
+                - 'SYS_RESOURCE'
+                - 'SYS_TIME'
          readinessProbe:
            initialDelaySeconds: 60
            periodSeconds: 300
--- a/charts/maas/templates/statefulset-region.yaml
+++ b/charts/maas/templates/statefulset-region.yaml
@ -67,7 +67,14 @@ spec:
            tcpSocket:
              port: {{ tuple "maas_region" "podport" "region_api" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
          securityContext:
-            privileged: true
+            capabilities:
+              add:
+                - 'SYS_ADMIN'
+                - 'NET_ADMIN'
+                - 'SYS_PTRACE'
+                - 'SYS_TIME'
+                - 'SYS_RESOURCE'
+                - 'DAC_READ_SEARCH'
          command:
            - /tmp/start.sh
          volumeMounts: