

Merge pull request #298 from glazychev-art/fix_security_context
[qfix] Remove unconditional SecurityContext
denis-tingaikin authored Jun 26, 2023
2 parents c3e6866 + ca4e2ed commit 8ffb3be
Showing 1 changed file with 2 additions and 8 deletions.
10 changes: 2 additions & 8 deletions main.go
Expand Up @@ -298,7 +298,6 @@ func parseResources(v string, logger *zap.SugaredLogger) map[string]int {

func (s *admissionWebhookServer) createInitContainerPatch(p, v string, initContainers []corev1.Container, psaLevel psa.Level, envVars ...corev1.EnvVar) jsonpatch.JsonPatchOperation {
poolResources := parseResources(v, s.logger)
allowPrivilegeEscalation := false
for _, img := range s.config.InitContainerImages {
initContainers = append(initContainers, corev1.Container{
Name: nameOf(img),
Expand All @@ -311,6 +310,7 @@ func (s *admissionWebhookServer) createInitContainerPatch(p, v string, initConta

// SecurityContext is required by the k8s restricted policy
if psaLevel == psa.LevelRestricted {
allowPrivilegeEscalation := false
initContainers[len(initContainers)-1].SecurityContext = &corev1.SecurityContext{
Capabilities: &corev1.Capabilities{
Drop: []corev1.Capability{"ALL"},
Expand All @@ -324,23 +324,17 @@ func (s *admissionWebhookServer) createInitContainerPatch(p, v string, initConta

func (s *admissionWebhookServer) createContainerPatch(p string, containers []corev1.Container, psaLevel psa.Level, envVars ...corev1.EnvVar) jsonpatch.JsonPatchOperation {
for _, img := range s.config.ContainerImages {
allowPrivilegeEscalation := false
containers = append(containers, corev1.Container{
Name: nameOf(img),
Env: envVars,
Image: img,
ImagePullPolicy: corev1.PullIfNotPresent,
SecurityContext: &corev1.SecurityContext{
Capabilities: &corev1.Capabilities{
Drop: []corev1.Capability{"ALL"},
},
AllowPrivilegeEscalation: &allowPrivilegeEscalation,
},
})
s.addVolumeMounts(&containers[len(containers)-1])

// SecurityContext is required by the k8s restricted policy
if psaLevel == psa.LevelRestricted {
allowPrivilegeEscalation := false
containers[len(containers)-1].SecurityContext = &corev1.SecurityContext{
Capabilities: &corev1.Capabilities{
Drop: []corev1.Capability{"ALL"},
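Review bot: After this change the containers appended in createContainerPatch carry no SecurityContext at all unless psaLevel is LevelRestricted, whereas the removed block at least dropped all capabilities and set AllowPrivilegeEscalation to false for every PSA level; the same now holds for the init containers in createInitContainerPatch. If the motivation is that the injected container needs specific capabilities in baseline/privileged namespaces (not visible here), keeping `Drop: []corev1.Capability{"ALL"}` together with an explicit `Add:` list would preserve least privilege instead of falling back to the runtime's default capability set. At minimum the behaviour should be stated where the conditional now lives, e.g. replace the existing comment with `// Only the restricted PSA level gets a SecurityContext; at baseline/privileged the container runs with the runtime's default capabilities and privilege-escalation settings.` Both functions' bodies, including the rest of the SecurityContext literal, continue outside the visible hunks, so any seccompProfile/runAsNonRoot fields required by the restricted profile could not be checked here.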

