Update Ansible sample to comply with Pod Security Standards (#5853)

camilamacedo86 · web-flow · commit 584ada8a1086 · 2022-06-13T21:22:26.000+01:00
* 🌱 update Ansible sample to show how the Pods/Containers should be configured as restrictive

* fix nit format
diff --git a/hack/generate/samples/internal/ansible/constants.go b/hack/generate/samples/internal/ansible/constants.go
@@ -26,6 +26,10 @@ const roleFragment = `
         labels:
           app: memcached
       spec:
+        securityContext:
+          runAsNonRoot: true
+          seccompProfile:
+            type: RuntimeDefault
         replicas: "{{size}}"
         selector:
           matchLabels:
@@ -37,6 +41,11 @@ const roleFragment = `
           spec:
             containers:
             - name: memcached
+              securityContext:
+                allowPrivilegeEscalation: false
+                capabilities:
+                  drop:
+                    - "ALL"
               command:
               - memcached
               - -m=64
diff --git a/testdata/ansible/memcached-operator/roles/memcached/tasks/main.yml b/testdata/ansible/memcached-operator/roles/memcached/tasks/main.yml
@@ -11,6 +11,10 @@
         labels:
           app: memcached
       spec:
+        securityContext:
+          runAsNonRoot: true
+          seccompProfile:
+            type: RuntimeDefault
         replicas: "{{size}}"
         selector:
           matchLabels:
@@ -22,6 +26,11 @@
           spec:
             containers:
             - name: memcached
+              securityContext:
+                allowPrivilegeEscalation: false
+                capabilities:
+                  drop:
+                    - "ALL"
               command:
               - memcached
               - -m=64
