Use consistent security contexts in all containers

JustinKuli · openshift-merge-robot · commit 1ec8a5f6de43 · 2023-05-09T16:27:42.000-04:00
Things were slightly inconsistent, which could cause problems over different kubernetes versions, especially with recent-ish changes in k8s regarding Pod Security Admission Control. Refs: - https://issues.redhat.com/browse/ACM-5352 - https://issues.redhat.com/browse/ACM-4590 Signed-off-by: Justin Kulikauskas <jkulikau@redhat.com>
diff --git a/pkg/addon/configpolicy/manifests/managedclusterchart/templates/deployment.yaml b/pkg/addon/configpolicy/manifests/managedclusterchart/templates/deployment.yaml
@@ -51,6 +51,13 @@ spec:
         - mountPath: "/var/run/metrics-cert"
           name: metrics-cert
           readOnly: true
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+              - ALL
+          privileged: false
+          readOnlyRootFilesystem: true
       {{- end }}
       - name: {{ .Chart.Name }}
         image: "{{ .Values.global.imageOverrides.config_policy_controller }}"
@@ -131,12 +138,6 @@ spec:
           containerPort: 8383
         {{- end }}
         resources: {{- toYaml .Values.resources | nindent 10 }}
-        allowPrivilegeEscalation: false
-        capabilities:
-          drop:
-          - ALL
-        privileged: false
-        readOnlyRootFilesystem: true
         volumeMounts:
           - name: klusterlet-config
             mountPath: /var/run/klusterlet
@@ -145,6 +146,13 @@ spec:
             name: managed-kubeconfig-secret
             readOnly: true
           {{- end }}
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+              - ALL
+          privileged: false
+          readOnlyRootFilesystem: true
       volumes:
         - name: klusterlet-config
           secret:
diff --git a/pkg/addon/policyframework/manifests/managedclusterchart/templates/deployment.yaml b/pkg/addon/policyframework/manifests/managedclusterchart/templates/deployment.yaml
@@ -51,6 +51,13 @@ spec:
         - mountPath: "/var/run/metrics-cert"
           name: metrics-cert
           readOnly: true
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+              - ALL
+          privileged: false
+          readOnlyRootFilesystem: true
       {{- end }}
       - name: governance-policy-framework-addon
         image: "{{ .Values.global.imageOverrides.governance_policy_framework_addon }}"
