Merge pull request #49 from IBM/bha-code-engine-fix

Bhagyashreek8 · web-flow · commit c470d3e1c2a4 · 2024-10-24T18:02:06.000+05:30
add security params based on code engine review
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
@@ -71,6 +71,8 @@ spec:
         name: manager
         securityContext:
           allowPrivilegeEscalation: false
+          seccompProfile:
+              type: RuntimeDefault
           capabilities:
             drop:
               - "ALL"
diff --git a/controllers/syncer/csi_controller.go b/controllers/syncer/csi_controller.go
@@ -158,7 +158,12 @@ func (s *csiControllerSyncer) ensureContainersSpec() []corev1.Container {
 }
 
 func (s *csiControllerSyncer) ensureContainer(name, image string, args []string) corev1.Container {
-	sc := &corev1.SecurityContext{AllowPrivilegeEscalation: util.False()}
+	sc := &corev1.SecurityContext{
+		AllowPrivilegeEscalation: util.False(),
+		SeccompProfile: &corev1.SeccompProfile{
+			Type: corev1.SeccompProfileTypeRuntimeDefault,
+		},
+	}
 	fillSecurityContextCapabilities(sc)
 	return corev1.Container{
 		Name:  name,
diff --git a/controllers/syncer/csi_node.go b/controllers/syncer/csi_node.go
@@ -156,7 +156,11 @@ func (s *csiNodeSyncer) ensureContainersSpec() []corev1.Container {
 	)
 	registrar.SecurityContext = &corev1.SecurityContext{RunAsNonRoot: util.False(),
 		RunAsUser:  func(uid int64) *int64 { return &uid }(0),
-		Privileged: util.False()}
+		Privileged: util.False(),
+		SeccompProfile: &corev1.SeccompProfile{
+			Type: corev1.SeccompProfileTypeRuntimeDefault,
+		},
+	}
 	fillSecurityContextCapabilities(registrar.SecurityContext)
 	registrar.ImagePullPolicy = s.getCSINodeDriverRegistrarPullPolicy()
 	registrar.Resources = getSidecarResourceRequests(s.driver, constants.CSINodeDriverRegistrar)
