Update securityContext fields of testing pods

openshift-kni · Oct 24, 2024 · 146e21f · 146e21f
1 parent aeac852
commit 146e21f
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 0 deletions.
diff --git a/testpmd-lb-operator/roles/loadbalancer/templates/deployment.yml b/testpmd-lb-operator/roles/loadbalancer/templates/deployment.yml
@@ -45,6 +45,8 @@ spec:
                 - cnf-app
                 - pkt-gen
             topologyKey: kubernetes.io/hostname
+      securityContext:
+        runAsNonRoot: true
       serviceAccountName: loadbalancer-account
 {% if runtime_class_name is defined and runtime_class_name|length %}
       runtimeClassName: "{{ runtime_class_name }}"
@@ -78,6 +80,7 @@ spec:
         image: "{{ image_testpmd }}"
         imagePullPolicy: "{{ image_pull_policy }}"
         securityContext:
+          readOnlyRootFilesystem: true
 {% if privileged %}
           privileged: true
 {% else %}

diff --git a/testpmd-operator/roles/testpmd/templates/deployment.yml b/testpmd-operator/roles/testpmd/templates/deployment.yml
@@ -46,6 +46,8 @@ spec:
                 values:
                 - lb-app
             topologyKey: kubernetes.io/hostname
+      securityContext:
+        runAsNonRoot: true
       serviceAccountName: testpmd-account
 {% if runtime_class_name is defined and runtime_class_name | length %}
       runtimeClassName: "{{ runtime_class_name }}"
@@ -61,6 +63,8 @@ spec:
         image: "{{ image_testpmd }}"
         imagePullPolicy: "{{ image_pull_policy }}"
         securityContext:
+          runAsNonRoot: true
+          readOnlyRootFilesystem: true
 {% if privileged %}
           privileged: true
 {% else %}

diff --git a/trex-operator/roles/app/templates/job.yml b/trex-operator/roles/app/templates/job.yml
@@ -16,6 +16,8 @@ spec:
 {% endif %}
     spec:
       restartPolicy: Never
+      securityContext:
+        runAsNonRoot: true
       serviceAccountName: trex-app-account
 {% if runtime_class_name is defined and runtime_class_name | length %}
       runtimeClassName: "{{ runtime_class_name }}"
@@ -24,6 +26,9 @@ spec:
       - name: trex-app
         image: "{{ image_app }}"
         imagePullPolicy: "{{ image_pull_policy }}"
+        securityContext:
+          runAsNonRoot: true
+          readOnlyRootFilesystem: true
         volumeMounts:
         - name: varlog
           mountPath: /var/log

diff --git a/trex-operator/roles/server/templates/deployment.yml b/trex-operator/roles/server/templates/deployment.yml
@@ -58,6 +58,8 @@ spec:
                 - cnf-app
 {% endif %}
             topologyKey: kubernetes.io/hostname
+      securityContext:
+        runAsNonRoot: true
       serviceAccountName: trex-server-account
 {% if runtime_class_name is defined and runtime_class_name | length %}
       runtimeClassName: "{{ runtime_class_name }}"
@@ -79,6 +81,8 @@ spec:
         - name: "http-probe"
           containerPort: 8096
         securityContext:
+          runAsNonRoot: true
+          readOnlyRootFilesystem: true
 {% if privileged %}
           privileged: true
 {% else %}
@@ -151,6 +155,9 @@ spec:
       - name: trex-app
         image: "{{ image_app }}"
         imagePullPolicy: "{{ image_pull_policy }}"
+        securityContext:
+          runAsNonRoot: true
+          readOnlyRootFilesystem: true
         resources:
           limits:
             memory: "756Mi"