Enable seccomp on containers (CrunchyData#122)

As of Kubernetes v1.19, SecurityContext has a seccompProfile field that can be set to RuntimeDefault to limit syscalls. This PR adds that setting to the PGO containers. Issue [sc-11286]
hiepnguyen1101 · Jun 6, 2022 · f8a0eb4 · f8a0eb4
1 parent 6e91c1d
commit f8a0eb4
Show file tree

Hide file tree

Showing 4 changed files with 8 additions and 0 deletions.
diff --git a/helm/install/templates/manager-upgrade.yaml b/helm/install/templates/manager-upgrade.yaml
@@ -38,3 +38,5 @@ spec:
           allowPrivilegeEscalation: false
           readOnlyRootFilesystem: true
           runAsNonRoot: true
+          seccompProfile:
+            type: RuntimeDefault
diff --git a/helm/install/templates/manager.yaml b/helm/install/templates/manager.yaml
@@ -44,3 +44,5 @@ spec:
           allowPrivilegeEscalation: false
           readOnlyRootFilesystem: true
           runAsNonRoot: true
+          seccompProfile:
+            type: RuntimeDefault
diff --git a/kustomize/install/manager/manager-upgrade.yaml b/kustomize/install/manager/manager-upgrade.yaml
@@ -32,4 +32,6 @@ spec:
           allowPrivilegeEscalation: false
           readOnlyRootFilesystem: true
           runAsNonRoot: true
+          seccompProfile:
+            type: RuntimeDefault
       serviceAccountName: postgres-operator-upgrade
diff --git a/kustomize/install/manager/manager.yaml b/kustomize/install/manager/manager.yaml
@@ -46,4 +46,6 @@ spec:
           allowPrivilegeEscalation: false
           readOnlyRootFilesystem: true
           runAsNonRoot: true
+          seccompProfile:
+            type: RuntimeDefault
       serviceAccountName: pgo