Add container security context to the sample deployment specs

Run under strict rules. We shouldn't need any special privileges.
2025-03-28 02:37:11 +00:00 · 2020-05-28 15:16:15 +03:00 · 2020-05-28 15:16:15 +03:00 · 3cd2d34ea7
commit 3cd2d34ea7
parent 855bf34190
4 changed files with 30 additions and 0 deletions
--- a/nfd-daemonset-combined.yaml.template
+++ b/nfd-daemonset-combined.yaml.template
@ -64,6 +64,12 @@ spec:
                fieldPath: spec.nodeName
          image: quay.io/kubernetes_incubator/node-feature-discovery:v0.5.0
          name: nfd-master
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop: ["ALL"]
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
          command:
            - "nfd-master"
        - env:
@ -73,6 +79,12 @@ spec:
                fieldPath: spec.nodeName
          image: quay.io/kubernetes_incubator/node-feature-discovery:v0.5.0
          name: nfd-worker
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop: ["ALL"]
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
          command:
            - "nfd-worker"
          args:
--- a/nfd-master.yaml.template
+++ b/nfd-master.yaml.template
@ -79,6 +79,12 @@ spec:
                fieldPath: spec.nodeName
          image: quay.io/kubernetes_incubator/node-feature-discovery:v0.5.0
          name: nfd-master
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop: ["ALL"]
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
          command:
            - "nfd-master"
 ## Enable TLS authentication
--- a/nfd-worker-daemonset.yaml.template
+++ b/nfd-worker-daemonset.yaml.template
@ -23,6 +23,12 @@ spec:
                fieldPath: spec.nodeName
          image: quay.io/kubernetes_incubator/node-feature-discovery:v0.5.0
          name: nfd-worker
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop: ["ALL"]
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
          command:
            - "nfd-worker"
          args:
--- a/nfd-worker-job.yaml.template
+++ b/nfd-worker-job.yaml.template
@ -32,6 +32,12 @@ spec:
                fieldPath: spec.nodeName
          image: quay.io/kubernetes_incubator/node-feature-discovery:v0.5.0
          name: nfd-worker
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop: ["ALL"]
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
          command:
            - "nfd-worker"
          args: