diff --git a/deploy/eck-operator/values.yaml b/deploy/eck-operator/values.yaml
index 431b8faa648..c29813c149e 100644
--- a/deploy/eck-operator/values.yaml
+++ b/deploy/eck-operator/values.yaml
@@ -68,6 +68,9 @@ securityContext:
     - ALL
   readOnlyRootFilesystem: true
   runAsNonRoot: true
+  seccompProfile:
+    type: RuntimeDefault
+
 # nodeSelector defines the node selector for the operator pod.
 nodeSelector: {}
diff --git a/pkg/controller/elasticsearch/securitycontext/securitycontext.go b/pkg/controller/elasticsearch/securitycontext/securitycontext.go
index af90548cd7d..d583855d6ce 100644
--- a/pkg/controller/elasticsearch/securitycontext/securitycontext.go
+++ b/pkg/controller/elasticsearch/securitycontext/securitycontext.go
@@ -28,6 +28,9 @@ func For(ver version.Version, enableReadOnlyRootFilesystem bool) corev1.Security
 		Privileged:               ptr.To[bool](false),
 		ReadOnlyRootFilesystem:   ptr.To[bool](enableReadOnlyRootFilesystem),
 		AllowPrivilegeEscalation: ptr.To[bool](false),
+		SeccompProfile: &corev1.SeccompProfile{
+			Type: corev1.SeccompProfileTypeRuntimeDefault,
+		},
 	}
 	if ver.LT(DropCapabilitiesMinStackVersion) {
 		return sc
@@ -50,6 +53,9 @@ func DefaultBeatSecurityContext(ver version.Version) *corev1.SecurityContext {
 		Privileged:               ptr.To[bool](false),
 		ReadOnlyRootFilesystem:   ptr.To[bool](true),
 		AllowPrivilegeEscalation: ptr.To[bool](false),
+		SeccompProfile: &corev1.SeccompProfile{
+			Type: corev1.SeccompProfileTypeRuntimeDefault,
+		},
 	}
 	if ver.LT(RunAsNonRootMinStackVersion) {
 		return sc
diff --git a/pkg/controller/elasticsearch/securitycontext/securitycontext_test.go b/pkg/controller/elasticsearch/securitycontext/securitycontext_test.go
index 1c4b82a7aff..a950513284c 100644
--- a/pkg/controller/elasticsearch/securitycontext/securitycontext_test.go
+++ b/pkg/controller/elasticsearch/securitycontext/securitycontext_test.go
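Review bot: The new `seccompProfile` sits beside `readOnlyRootFilesystem` and `runAsNonRoot`, which reads as the container-level `securityContext`; if the chart also renders a pod-level security context (not visible in this hunk), it is not updated here, so that path should be checked for parity. The third added line is a blank, and the hunk counts (6 old, 9 new) suggest an existing blank already precedes the `# nodeSelector` comment, so the rendered file may end up with two consecutive blank lines. A one-line comment above the key would help chart users who later consider loosening it: `# RuntimeDefault applies the container runtime's default seccomp profile; it is required by the "restricted" Pod Security Standard.`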
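Review bot: The seccomp profile is set unconditionally, above the `ver.LT(DropCapabilitiesMinStackVersion)` early return, while capability dropping stays gated by stack version; that is defensible because `RuntimeDefault` is a kubelet/container-runtime feature rather than an Elasticsearch one, but the asymmetry deserves a comment so a later edit does not move it below the gate, e.g. `// RuntimeDefault does not depend on the Elasticsearch version, so it is applied regardless of the gates below.` The `seccompProfile` field is only honoured by API servers that know it (it went GA in Kubernetes 1.19); if the operator's supported range includes older clusters, the field would be silently dropped rather than rejected, which is worth confirming against the compatibility matrix. `For` starts before this hunk and continues after it.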
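Review bot: `DefaultBeatSecurityContext` now applies `RuntimeDefault` to every Beat by default, and Beats that rely on host-level instrumentation (Auditbeat, Packetbeat, system modules using host namespaces) are the workloads most likely to need syscalls the runtime's default profile may deny; whether a user can clear the profile through the pod template depends on merge behaviour not visible here, so that should be confirmed and documented. A sentence on the function's doc comment, which is outside this hunk, would cover it: `// The seccomp profile defaults to RuntimeDefault; Beats needing syscalls outside that profile must override SecurityContext in the pod template.` The function starts before this hunk and continues after it.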
@@ -36,6 +36,9 @@ func TestFor(t *testing.T) {
 				Privileged:               ptr.To[bool](false),
 				ReadOnlyRootFilesystem:   ptr.To[bool](false),
 				AllowPrivilegeEscalation: ptr.To[bool](false),
+				SeccompProfile: &corev1.SeccompProfile{
+					Type: corev1.SeccompProfileTypeRuntimeDefault,
+				},
 			},
 		},
 		{
@@ -49,6 +52,9 @@ func TestFor(t *testing.T) {
 				Privileged:               ptr.To[bool](false),
 				ReadOnlyRootFilesystem:   ptr.To[bool](false),
 				AllowPrivilegeEscalation: ptr.To[bool](false),
+				SeccompProfile: &corev1.SeccompProfile{
+					Type: corev1.SeccompProfileTypeRuntimeDefault,
+				},
 			},
 		},
 		{
@@ -62,6 +68,9 @@ func TestFor(t *testing.T) {
 				Privileged:               ptr.To[bool](false),
 				ReadOnlyRootFilesystem:   ptr.To[bool](true),
 				AllowPrivilegeEscalation: ptr.To[bool](false),
+				SeccompProfile: &corev1.SeccompProfile{
+					Type: corev1.SeccompProfileTypeRuntimeDefault,
+				},
 			},
 		},
 	}
@@ -90,6 +99,9 @@ func TestDefaultBeatSecurityContext(t *testing.T) {
 				Privileged:               ptr.To[bool](false),
 				ReadOnlyRootFilesystem:   ptr.To[bool](true),
 				AllowPrivilegeEscalation: ptr.To[bool](false),
+				SeccompProfile: &corev1.SeccompProfile{
+					Type: corev1.SeccompProfileTypeRuntimeDefault,
+				},
 			},
 		},
 		{
@@ -103,6 +115,9 @@ func TestDefaultBeatSecurityContext(t *testing.T) {
 				ReadOnlyRootFilesystem:   ptr.To[bool](true),
 				RunAsNonRoot:             ptr.To[bool](true),
 				AllowPrivilegeEscalation: ptr.To[bool](false),
+				SeccompProfile: &corev1.SeccompProfile{
+					Type: corev1.SeccompProfileTypeRuntimeDefault,
+				},
 			},
 		},
 	}