feat: set security capabilities for azwi-proxy

Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
Azure · Apr 12, 2023 · aace9aa · aace9aa
1 parent 6cea9db
commit aace9aa
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 0 deletions.
diff --git a/pkg/webhook/webhook.go b/pkg/webhook/webhook.go
@@ -251,6 +251,15 @@ func (m *podMutator) injectProxySidecarContainer(containers []corev1.Container,
 				},
 			},
 		},
+		SecurityContext: &corev1.SecurityContext{
+			AllowPrivilegeEscalation: pointer.Bool(false),
+			Capabilities: &corev1.Capabilities{
+				Drop: []corev1.Capability{"ALL"},
+			},
+			Privileged:             pointer.Bool(false),
+			ReadOnlyRootFilesystem: pointer.Bool(true),
+			RunAsNonRoot:           pointer.Bool(true),
+		},
 	})
 
 	return containers

diff --git a/pkg/webhook/webhook_test.go b/pkg/webhook/webhook_test.go
@@ -1092,6 +1092,15 @@ func TestInjectProxySidecarContainer(t *testing.T) {
 				},
 			},
 		},
+		SecurityContext: &corev1.SecurityContext{
+			AllowPrivilegeEscalation: pointer.Bool(false),
+			Capabilities: &corev1.Capabilities{
+				Drop: []corev1.Capability{"ALL"},
+			},
+			Privileged:             pointer.Bool(false),
+			ReadOnlyRootFilesystem: pointer.Bool(true),
+			RunAsNonRoot:           pointer.Bool(true),
+		},
 	}
 
 	tests := []struct {