apply Restricted Pod Security Standard on sidecar container

GoogleCloudPlatform · Aug 10, 2023 · 6a0bdba · 6a0bdba
1 parent 4f29a54
commit 6a0bdba
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/pkg/webhook/sidecar_spec.go b/pkg/webhook/sidecar_spec.go
@@ -35,6 +35,8 @@ const (
 )
 
 func GetSidecarContainerSpec(c *Config) v1.Container {
+	// The sidecar container follows Restricted Pod Security Standard,
+	// see https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
 	return v1.Container{
 		Name:            SidecarContainerName,
 		Image:           c.ContainerImage,
@@ -44,7 +46,7 @@ func GetSidecarContainerSpec(c *Config) v1.Container {
 			ReadOnlyRootFilesystem:   pointer.Bool(true),
 			Capabilities: &v1.Capabilities{
 				Drop: []v1.Capability{
-					v1.Capability("all"),
+					v1.Capability("ALL"),
 				},
 			},
 			SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeRuntimeDefault},