From 88da63b684f439a469c52e35f7336506f3447c81 Mon Sep 17 00:00:00 2001
From: Ramon Perez
Date: Wed, 23 Oct 2024 20:12:52 +0200
Subject: [PATCH] Update securityContext fields of testing pods

---
 .../roles/loadbalancer/templates/deployment.yml | 1 +
 testpmd-operator/roles/testpmd/templates/deployment.yml | 4 ++++
 trex-operator/roles/app/templates/job.yml | 5 +++++
 trex-operator/roles/server/templates/deployment.yml | 7 +++++++
 4 files changed, 17 insertions(+)

diff --git a/testpmd-lb-operator/roles/loadbalancer/templates/deployment.yml b/testpmd-lb-operator/roles/loadbalancer/templates/deployment.yml
index 0b7eecf5..4323d76e 100644
--- a/testpmd-lb-operator/roles/loadbalancer/templates/deployment.yml
+++ b/testpmd-lb-operator/roles/loadbalancer/templates/deployment.yml
@@ -78,6 +78,7 @@ spec:
 image: "{{ image_testpmd }}"
 imagePullPolicy: "{{ image_pull_policy }}"
 securityContext:
+ readOnlyRootFilesystem: true
 {% if privileged %}
 privileged: true
 {% else %}
diff --git a/testpmd-operator/roles/testpmd/templates/deployment.yml b/testpmd-operator/roles/testpmd/templates/deployment.yml
index 89c6dc7f..00653844 100644
--- a/testpmd-operator/roles/testpmd/templates/deployment.yml
+++ b/testpmd-operator/roles/testpmd/templates/deployment.yml
@@ -46,6 +46,8 @@ spec:
 values:
 - lb-app
 topologyKey: kubernetes.io/hostname
+ securityContext:
+ runAsNonRoot: true
 serviceAccountName: testpmd-account
 {% if runtime_class_name is defined and runtime_class_name | length %}
 runtimeClassName: "{{ runtime_class_name }}"
@@ -61,6 +63,8 @@ spec:
 image: "{{ image_testpmd }}"
 imagePullPolicy: "{{ image_pull_policy }}"
 securityContext:
+ runAsNonRoot: true
+ readOnlyRootFilesystem: true
 {% if privileged %}
 privileged: true
 {% else %}
diff --git a/trex-operator/roles/app/templates/job.yml b/trex-operator/roles/app/templates/job.yml
index 96f439f0..c070a500 100644
--- a/trex-operator/roles/app/templates/job.yml
+++ b/trex-operator/roles/app/templates/job.yml
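Review bot: This is the only one of the four templates that receives `readOnlyRootFilesystem: true` without a matching `runAsNonRoot: true`; unless the loadbalancer image genuinely has to run as root, the container securityContext in this hunk should mirror the testpmd container at @@ -61 by adding `runAsNonRoot: true` on the line above `readOnlyRootFilesystem: true`. The new field is placed before the `{% if privileged %}` branch, so it is rendered in both the privileged and the unprivileged variant, which is the right place for it. A read-only root filesystem only works if every path the process writes at runtime is backed by a volume mount, and no mounts are visible in this hunk, so confirm that the paths testpmd writes (runtime directory, logs, hugepage mount) are covered before relying on it. The container spec continues outside the hunk.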
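Review bot: The pod-level `runAsNonRoot: true` is added without `runAsUser`/`runAsGroup`, so enforcement depends entirely on the `USER` the image declares: the kubelet refuses to start any container whose image resolves to UID 0, or to a non-numeric user name it cannot verify, and the pod then stays in CreateContainerConfigError instead of running as root. If the images are built with a numeric non-root `USER` this is fine; otherwise pin the identity explicitly next to the new line, e.g. `runAsUser: <numeric-uid>` (placeholder, take it from a role variable) and consider `fsGroup` for the volumes. The same point applies to the pod-level additions in trex-operator/roles/app/templates/job.yml @@ -16 and trex-operator/roles/server/templates/deployment.yml @@ -58. Indentation is not visible in this rendering, so I am assuming the two lines sit at pod-spec level beside `serviceAccountName`, not inside the affinity block that precedes them; worth a glance at the rendered manifest.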
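Review bot: `runAsNonRoot: true` directly above the `{% if privileged %} privileged: true` branch gives little in the privileged rendering, because a privileged container keeps full device and capability access regardless of its UID; the hardening is only real in the `{% else %}` branch, which lies outside the hunk. If that branch adds capabilities via `capabilities.add`, note that for a non-root UID they land in the bounding set but are not effective unless the binary carries file capabilities, so a DPDK workload that previously ran as root with added capabilities may now fail at EAL initialisation; verify the unprivileged path actually starts before merging. `readOnlyRootFilesystem: true` additionally requires DPDK's runtime directory (`/var/run/dpdk` by default, or under `XDG_RUNTIME_DIR` for a non-root user) to be writable, which needs a volume mount that is not visible here. Both points apply equally to the trex-server container at trex-operator/roles/server/templates/deployment.yml @@ -79.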
@@ -16,6 +16,8 @@ spec:
 {% endif %}
 spec:
 restartPolicy: Never
+ securityContext:
+ runAsNonRoot: true
 serviceAccountName: trex-app-account
 {% if runtime_class_name is defined and runtime_class_name | length %}
 runtimeClassName: "{{ runtime_class_name }}"
@@ -24,6 +26,9 @@ spec:
 - name: trex-app
 image: "{{ image_app }}"
 imagePullPolicy: "{{ image_pull_policy }}"
+ securityContext:
+ runAsNonRoot: true
+ readOnlyRootFilesystem: true
 volumeMounts:
 - name: varlog
 mountPath: /var/log
diff --git a/trex-operator/roles/server/templates/deployment.yml b/trex-operator/roles/server/templates/deployment.yml
index c3c226dc..2f2bf530 100644
--- a/trex-operator/roles/server/templates/deployment.yml
+++ b/trex-operator/roles/server/templates/deployment.yml
@@ -58,6 +58,8 @@ spec:
 - cnf-app
 {% endif %}
 topologyKey: kubernetes.io/hostname
+ securityContext:
+ runAsNonRoot: true
 serviceAccountName: trex-server-account
 {% if runtime_class_name is defined and runtime_class_name | length %}
 runtimeClassName: "{{ runtime_class_name }}"
@@ -79,6 +81,8 @@ spec:
 - name: "http-probe"
 containerPort: 8096
 securityContext:
+ runAsNonRoot: true
+ readOnlyRootFilesystem: true
 {% if privileged %}
 privileged: true
 {% else %}
@@ -151,6 +155,9 @@ spec:
 - name: trex-app
 image: "{{ image_app }}"
 imagePullPolicy: "{{ image_pull_policy }}"
+ securityContext:
+ runAsNonRoot: true
+ readOnlyRootFilesystem: true
 resources:
 limits:
 memory: "756Mi"
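Review bot: The new container securityContext for trex-app in job.yml @@ -24 stops at `runAsNonRoot`/`readOnlyRootFilesystem`; since no `{% if privileged %}` branch is in view for this container, it can also carry `allowPrivilegeEscalation: false` and `capabilities: {drop: [ALL]}`, which closes the setuid/file-capability escalation path that `runAsNonRoot` alone leaves open and is what the restricted Pod Security Standard checks for. The existing `varlog` mount at `/var/log` covers one writable path; check whether the TRex client writes anywhere else (for example a temp directory) now that the rest of the root filesystem is read-only, since that would only surface as a runtime failure. The same two points apply to the trex-app container in trex-operator/roles/server/templates/deployment.yml @@ -151, whose container spec continues past the end of that hunk.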