:sparkling: adding comment one the scaffolds to warn users about the …

…seccomp spec field usage
kubernetes-sigs · Jun 13, 2022 · f942dc8 · f942dc8
1 parent eea565c
commit f942dc8
Show file tree

Hide file tree

Showing 8 changed files with 56 additions and 12 deletions.
diff --git a/pkg/plugins/common/kustomize/v1/scaffolds/internal/templates/config/manager/config.go b/pkg/plugins/common/kustomize/v1/scaffolds/internal/templates/config/manager/config.go
@@ -72,8 +72,14 @@ spec:
     spec:
       securityContext:
         runAsNonRoot: true
-        seccompProfile:
-          type: RuntimeDefault
+        # TODO(user): For common cases that do not require escalating privileges
+        # it is recommended to ensure that all your Pods/Containers are restrictive.
+        # More info: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted    
+        # Please uncomment the following code if you are NOT looking 
+        # for to built projects which must work on old Kubernetes versions < 1.19 or 
+        # on vendors versions which are NOT supporting this field by default (i.e. Openshift < 4.11 ).
+        # seccompProfile:
+        #   type: RuntimeDefault
       containers:
       - command:
         - /manager

diff --git a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/manager/config.go b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/manager/config.go
@@ -72,6 +72,10 @@ spec:
     spec:
       securityContext:
         runAsNonRoot: true
+        # Note: Do no use the seccompProfile if you are looking for
+        # to support old Kubernetes versions < 1.19 or distribute 
+        # your solutions on vendors versions which are not supporting
+        # it like Openshift versions < 4.11.
         seccompProfile:
           type: RuntimeDefault
       containers:

diff --git a/testdata/project-v3-addon/config/manager/manager.yaml b/testdata/project-v3-addon/config/manager/manager.yaml
@@ -26,8 +26,14 @@ spec:
     spec:
       securityContext:
         runAsNonRoot: true
-        seccompProfile:
-          type: RuntimeDefault
+        # TODO(user): For common cases that do not require escalating privileges
+        # it is recommended to ensure that all your Pods/Containers are restrictive.
+        # More info: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted    
+        # Please uncomment the following code if you are NOT looking 
+        # for to built projects which must work on old Kubernetes versions < 1.19 or 
+        # on vendors versions which are NOT supporting this field by default (i.e. Openshift < 4.11 ).
+        # seccompProfile:
+        #   type: RuntimeDefault
       containers:
       - command:
         - /manager

diff --git a/testdata/project-v3-config/config/manager/manager.yaml b/testdata/project-v3-config/config/manager/manager.yaml
@@ -26,8 +26,14 @@ spec:
     spec:
       securityContext:
         runAsNonRoot: true
-        seccompProfile:
-          type: RuntimeDefault
+        # TODO(user): For common cases that do not require escalating privileges
+        # it is recommended to ensure that all your Pods/Containers are restrictive.
+        # More info: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted    
+        # Please uncomment the following code if you are NOT looking 
+        # for to built projects which must work on old Kubernetes versions < 1.19 or 
+        # on vendors versions which are NOT supporting this field by default (i.e. Openshift < 4.11 ).
+        # seccompProfile:
+        #   type: RuntimeDefault
       containers:
       - command:
         - /manager

diff --git a/testdata/project-v3-multigroup/config/manager/manager.yaml b/testdata/project-v3-multigroup/config/manager/manager.yaml
@@ -26,8 +26,14 @@ spec:
     spec:
       securityContext:
         runAsNonRoot: true
-        seccompProfile:
-          type: RuntimeDefault
+        # TODO(user): For common cases that do not require escalating privileges
+        # it is recommended to ensure that all your Pods/Containers are restrictive.
+        # More info: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted    
+        # Please uncomment the following code if you are NOT looking 
+        # for to built projects which must work on old Kubernetes versions < 1.19 or 
+        # on vendors versions which are NOT supporting this field by default (i.e. Openshift < 4.11 ).
+        # seccompProfile:
+        #   type: RuntimeDefault
       containers:
       - command:
         - /manager

diff --git a/testdata/project-v3-v1beta1/config/manager/manager.yaml b/testdata/project-v3-v1beta1/config/manager/manager.yaml
@@ -26,8 +26,14 @@ spec:
     spec:
       securityContext:
         runAsNonRoot: true
-        seccompProfile:
-          type: RuntimeDefault
+        # TODO(user): For common cases that do not require escalating privileges
+        # it is recommended to ensure that all your Pods/Containers are restrictive.
+        # More info: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted    
+        # Please uncomment the following code if you are NOT looking 
+        # for to built projects which must work on old Kubernetes versions < 1.19 or 
+        # on vendors versions which are NOT supporting this field by default (i.e. Openshift < 4.11 ).
+        # seccompProfile:
+        #   type: RuntimeDefault
       containers:
       - command:
         - /manager

diff --git a/testdata/project-v3-with-kustomize-v2/config/manager/manager.yaml b/testdata/project-v3-with-kustomize-v2/config/manager/manager.yaml
@@ -26,6 +26,10 @@ spec:
     spec:
       securityContext:
         runAsNonRoot: true
+        # Note: Do no use the seccompProfile if you are looking for
+        # to support old Kubernetes versions < 1.19 or distribute 
+        # your solutions on vendors versions which are not supporting
+        # it like Openshift versions < 4.11.
         seccompProfile:
           type: RuntimeDefault
       containers:

diff --git a/testdata/project-v3/config/manager/manager.yaml b/testdata/project-v3/config/manager/manager.yaml
@@ -26,8 +26,14 @@ spec:
     spec:
       securityContext:
         runAsNonRoot: true
-        seccompProfile:
-          type: RuntimeDefault
+        # TODO(user): For common cases that do not require escalating privileges
+        # it is recommended to ensure that all your Pods/Containers are restrictive.
+        # More info: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted    
+        # Please uncomment the following code if you are NOT looking 
+        # for to built projects which must work on old Kubernetes versions < 1.19 or 
+        # on vendors versions which are NOT supporting this field by default (i.e. Openshift < 4.11 ).
+        # seccompProfile:
+        #   type: RuntimeDefault
       containers:
       - command:
         - /manager