add security params based on code engine review

Bhagyashreek8 · Bhagyashreek8 · commit f71b826acde3 · 2024-10-21T15:26:15.000+05:30
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
@@ -71,6 +71,8 @@ spec:
         name: manager
         securityContext:
           allowPrivilegeEscalation: false
+          seccompProfile:
+              type: RuntimeDefault
           capabilities:
             drop:
               - "ALL"
diff --git a/controllers/syncer/csi_controller.go b/controllers/syncer/csi_controller.go
@@ -158,7 +158,12 @@ func (s *csiControllerSyncer) ensureContainersSpec() []corev1.Container {
 }
 
 func (s *csiControllerSyncer) ensureContainer(name, image string, args []string) corev1.Container {
-	sc := &corev1.SecurityContext{AllowPrivilegeEscalation: util.False()}
+	sc := &corev1.SecurityContext{
+		AllowPrivilegeEscalation: util.False(),
+		SeccompProfile: &corev1.SeccompProfile{
+			Type: corev1.SeccompProfileTypeRuntimeDefault,
+		},
+	}
 	fillSecurityContextCapabilities(sc)
 	return corev1.Container{
 		Name:  name,
diff --git a/controllers/syncer/csi_node.go b/controllers/syncer/csi_node.go
@@ -154,7 +154,11 @@ func (s *csiNodeSyncer) ensureContainersSpec() []corev1.Container {
 	)
 	registrar.SecurityContext = &corev1.SecurityContext{RunAsNonRoot: util.False(),
 		RunAsUser:  func(uid int64) *int64 { return &uid }(0),
-		Privileged: util.False()}
+		Privileged: util.False(),
+		SeccompProfile: &corev1.SeccompProfile{
+			Type: corev1.SeccompProfileTypeRuntimeDefault,
+		},
+	}
 	fillSecurityContextCapabilities(registrar.SecurityContext)
 	registrar.ImagePullPolicy = s.getCSINodeDriverRegistrarPullPolicy()
 	registrar.Resources = getSidecarResourceRequests(s.driver, constants.CSINodeDriverRegistrar)
