Commit 83143187 authored by Enrico Bocchi's avatar Enrico Bocchi

Avoid privileged containers and disable privilege escalation

parent 8e6dc039
Pipeline #3754647 passed with stage
in 54 seconds
......@@ -71,10 +71,11 @@ spec:
- configMapRef:
name: {{ include "fst.fullname" . }}-cfgmap-sysconfig-eos
securityContext:
privileged: true
allowPrivilegeEscalation: true
privileged: false
allowPrivilegeEscalation: false
capabilities:
add: ["SYS_PTRACE"]
add:
- SYS_PTRACE
command: ["/bin/bash", "/root/fst_init.sh"]
volumeMounts:
- name: fst-cfgmap-xrd-cf-fst
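Review bot: The hardened `securityContext` still only adds SYS_PTRACE under `capabilities:` and never drops the runtime's default capability set, so each container keeps the defaults (NET_RAW, SYS_CHROOT, MKNOD, …) on top of ptrace, and the pods will not satisfy the `restricted` Pod Security Standard, which requires `drop: ["ALL"]` with at most NET_BIND_SERVICE added back. Adding `drop:` / `- ALL` beside the new `add:` keeps this commit's least-privilege intent while preserving the one capability that is wanted. The same block recurs in the hunks at @@ -105 (fst), @@ -77 and @@ -117 (mgm), @@ -158 and @@ -77 (mq) and @@ -80 (qdb); moving it into a named template included the way the probes already are would stop the seven copies from drifting. SYS_PTRACE is presumably needed by the init scripts or debugging tooling — confirm that and record the reason in a comment above `add:`, and check in the pod spec, which continues outside the hunk, that `hostPID: true` is not also set, since that would extend ptrace reach to host processes.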
......@@ -105,10 +106,11 @@ spec:
- configMapRef:
name: {{ include "fst.fullname" . }}-cfgmap-sysconfig-eos
securityContext:
privileged: true
allowPrivilegeEscalation: true
privileged: false
allowPrivilegeEscalation: false
capabilities:
add: ["SYS_PTRACE"]
add:
- SYS_PTRACE
{{- include "fst.livenessProbe" . | nindent 10 }}
volumeMounts:
- name: fst-cfgmap-xrd-cf-fst
......
......@@ -77,10 +77,11 @@ spec:
- configMapRef:
name: {{ include "mgm.fullname" . }}-cfgmap-sysconfig-eos
securityContext:
privileged: true
allowPrivilegeEscalation: true
privileged: false
allowPrivilegeEscalation: false
capabilities:
add: ["SYS_PTRACE"]
add:
- SYS_PTRACE
command: ["/bin/bash", "/root/mgm_init.sh"]
volumeMounts:
- name: mgm-cfgmap-xrd-cf-mgm
......@@ -117,10 +118,11 @@ spec:
- configMapRef:
name: {{ include "mgm.fullname" . }}-cfgmap-sysconfig-eos
securityContext:
privileged: true
allowPrivilegeEscalation: true
privileged: false
allowPrivilegeEscalation: false
capabilities:
add: ["SYS_PTRACE"]
add:
- SYS_PTRACE
{{- include "mgm.startupProbe" . | nindent 10 }}
{{- include "mgm.livenessProbe" . | nindent 10 }}
{{- include "mgm.readinessProbe" . | nindent 10 }}
......@@ -158,10 +160,11 @@ spec:
- configMapRef:
name: {{ include "mq.fullname" . }}-cfgmap-sysconfig-eos
securityContext:
privileged: true
allowPrivilegeEscalation: true
privileged: false
allowPrivilegeEscalation: false
capabilities:
add: ["SYS_PTRACE"]
add:
- SYS_PTRACE
{{- include "mq.livenessProbe" . | nindent 10 }}
volumeMounts:
- name: mq-cfgmap-xrd-cf-mq
......
......@@ -77,10 +77,11 @@ spec:
- configMapRef:
name: {{ include "mq.fullname" . }}-cfgmap-sysconfig-eos
securityContext:
privileged: true
allowPrivilegeEscalation: true
privileged: false
allowPrivilegeEscalation: false
capabilities:
add: ["SYS_PTRACE"]
add:
- SYS_PTRACE
{{- include "mq.livenessProbe" . | nindent 10 }}
volumeMounts:
- name: mq-cfgmap-xrd-cf-mq
......
......@@ -80,10 +80,11 @@ spec:
- name: LD_PRELOAD
value: "/usr/lib64/libjemalloc.so.1"
securityContext:
privileged: true
allowPrivilegeEscalation: true
privileged: false
allowPrivilegeEscalation: false
capabilities:
add: ["SYS_PTRACE"]
add:
- SYS_PTRACE
{{- include "qdb.livenessProbe" . | nindent 10 }}
{{- include "qdb.readinessProbe" . | nindent 10 }}
volumeMounts:
......