Merge "Run Divingbell containers as unprivileged"

2019-03-20 17:31:05 +00:00 · 2019-03-20 17:31:05 +00:00 · b8f2792eb6
commit b8f2792eb6
parent 3bce1c1ac2 2c80c45fe8
8 changed files with 11 additions and 13 deletions
--- a/divingbell/templates/daemonset-apparmor.yaml
+++ b/divingbell/templates/daemonset-apparmor.yaml
@ -49,7 +49,9 @@ spec:
          subPath: {{ $daemonset }}
          readOnly: true
        securityContext:
-          privileged: true
+          capabilities:
+            add:
+              - 'MAC_ADMIN'
      volumes:
      - name: rootfs-{{ $daemonset }}
        hostPath:
--- a/divingbell/templates/daemonset-apt.yaml
+++ b/divingbell/templates/daemonset-apt.yaml
@ -48,8 +48,6 @@ spec:
          mountPath: /tmp/{{ $daemonset }}.sh
          subPath: {{ $daemonset }}
          readOnly: true
-        securityContext:
-          privileged: true
      volumes:
      - name: rootfs-{{ $daemonset }}
        hostPath:
--- a/divingbell/templates/daemonset-ethtool.yaml
+++ b/divingbell/templates/daemonset-ethtool.yaml
@ -51,7 +51,9 @@ spec:
          subPath: {{ $daemonset }}
          readOnly: true
        securityContext:
-          privileged: true
+          capabilities:
+            add:
+              - 'NET_ADMIN'
      volumes:
      - name: rootfs-{{ $daemonset }}
        hostPath:
--- a/divingbell/templates/daemonset-limits.yaml
+++ b/divingbell/templates/daemonset-limits.yaml
@ -50,8 +50,6 @@ spec:
          mountPath: /tmp/{{ $daemonset }}.sh
          subPath: {{ $daemonset }}
          readOnly: true
-        securityContext:
-          privileged: true
      volumes:
      - name: rootfs-{{ $daemonset }}
        hostPath:
--- a/divingbell/templates/daemonset-mounts.yaml
+++ b/divingbell/templates/daemonset-mounts.yaml
@ -50,8 +50,6 @@ spec:
          mountPath: /tmp/{{ $daemonset }}.sh
          subPath: {{ $daemonset }}
          readOnly: true
-        securityContext:
-          privileged: true
      volumes:
      - name: rootfs-{{ $daemonset }}
        hostPath:
--- a/divingbell/templates/daemonset-perm.yaml
+++ b/divingbell/templates/daemonset-perm.yaml
@ -50,8 +50,6 @@ spec:
          mountPath: /tmp/{{ $daemonset }}.sh
          subPath: {{ $daemonset }}
          readOnly: true
-        securityContext:
-          privileged: true
      volumes:
      - name: rootfs-{{ $daemonset }}
        hostPath:
--- a/divingbell/templates/daemonset-sysctl.yaml
+++ b/divingbell/templates/daemonset-sysctl.yaml
@ -51,7 +51,11 @@ spec:
          subPath: {{ $daemonset }}
          readOnly: true
        securityContext:
-          privileged: true
+          capabilities:
+            add:
+              - 'SYS_PTRACE'
+              - 'SYS_ADMIN'
+              - 'SYS_RAWIO'
      volumes:
      - name: rootfs-{{ $daemonset }}
        hostPath:
--- a/divingbell/templates/daemonset-uamlite.yaml
+++ b/divingbell/templates/daemonset-uamlite.yaml
@ -50,8 +50,6 @@ spec:
          mountPath: /tmp/{{ $daemonset }}.sh
          subPath: {{ $daemonset }}
          readOnly: true
-        securityContext:
-          privileged: true
      volumes:
      - name: rootfs-{{ $daemonset }}
        hostPath: