From a7e98e1d264fc27bcc3df07e1cb694efb55649a8 Mon Sep 17 00:00:00 2001
From: Isaiah Raya
Date: Wed, 21 Feb 2024 00:46:24 +0000
Subject: [PATCH] Resolved NPM vulnerability

Do not use privileged containers and Mount container's root filesystem as read only
---
 npm/azure-npm.yaml | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/npm/azure-npm.yaml b/npm/azure-npm.yaml
index cdc6c8237f..80a7a1a0f7 100644
--- a/npm/azure-npm.yaml
+++ b/npm/azure-npm.yaml
@@ -87,7 +87,11 @@ spec:
             requests:
               cpu: 250m
           securityContext:
-            privileged: true
+            privileged: false
+            capabilities:
+              add:
+                - NET_ADMIN
+            readOnlyRootFilesystem: true
           env:
             - name: HOSTNAME
               valueFrom:
@@ -105,6 +109,8 @@ spec:
               mountPath: /etc/protocols
             - name: azure-npm-config
               mountPath: /etc/azure-npm
+            - name: tmp
+              mountPath: /tmp
       hostNetwork: true
       hostUsers: false
       nodeSelector:
@@ -125,6 +131,8 @@ spec:
         - name: azure-npm-config
           configMap:
             name: azure-npm-config
+        - name: tmp
+          emptyDir: {}
       serviceAccountName: azure-npm
 ---
 apiVersion: v1
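Review bot: The new `capabilities:` block only adds NET_ADMIN and never drops anything, so the container keeps the runtime's default capability bundle on top of it and the reduction from `privileged: true` is smaller than the commit message implies. Add `drop:` / `- ALL` ahead of `add:` so NET_ADMIN is the only capability held, and put `allowPrivilegeEscalation: false` next to `readOnlyRootFilesystem: true` so a setuid binary cannot re-acquire what was dropped. If NPM's iptables/ipset calls need more than NET_ADMIN on some kernels (NET_RAW is the usual candidate), it will show up as EPERM in the container log at startup, so roll this out with that log watched. The enclosing container entry and its `volumeMounts` continue outside the hunk.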
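Review bot: The `emptyDir: {}` behind the new tmp volume has no `sizeLimit`, and with `readOnlyRootFilesystem: true` now set /tmp is the one general-purpose writable path left, so anything NPM spools there can grow until the node reports disk pressure and evicts the pod. Bound it, e.g. `emptyDir:` / `sizeLimit: <SIZE_PLACEHOLDER>`, sized from observed usage; the matching mount is the `- name: tmp` / `mountPath: /tmp` pair added in the volumeMounts hunk above. Any other location NPM writes on the root filesystem (its own log or state directory, if it has one that is not already a mounted volume) will now fail with EROFS, so confirm the container's write set against the existing mounts before relying on this.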