feat: Set security context for Polaris (#360)

aquasecurity · Jan 25, 2021 · 9f94deb · 9f94deb
1 parent ab281e4
commit 9f94deb
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 0 deletions.
diff --git a/pkg/polaris/plugin.go b/pkg/polaris/plugin.go
@@ -93,6 +93,21 @@ func (p *plugin) GetScanJobSpec(workload kube.Object, gvk schema.GroupVersionKin
 					"--config", "/etc/starboard/polaris.config.yaml",
 					"--resource", sourceName,
 				},
+				SecurityContext: &corev1.SecurityContext{
+					Privileged:               pointer.BoolPtr(false),
+					AllowPrivilegeEscalation: pointer.BoolPtr(false),
+					Capabilities: &corev1.Capabilities{
+						Drop: []corev1.Capability{"all"},
+					},
+					ReadOnlyRootFilesystem: pointer.BoolPtr(true),
+				},
+			},
+		},
+		SecurityContext: &corev1.PodSecurityContext{
+			RunAsUser:  pointer.Int64Ptr(1000),
+			RunAsGroup: pointer.Int64Ptr(1000),
+			SeccompProfile: &corev1.SeccompProfile{
+				Type: corev1.SeccompProfileTypeRuntimeDefault,
 			},
 		},
 	}, nil

diff --git a/pkg/polaris/plugin_test.go b/pkg/polaris/plugin_test.go
@@ -95,6 +95,21 @@ func TestPlugin_GetScanJobSpec(t *testing.T) {
 							"--config", "/etc/starboard/polaris.config.yaml",
 							"--resource", "default/Deployment.apps/v1/nginx",
 						},
+						SecurityContext: &corev1.SecurityContext{
+							Privileged:               pointer.BoolPtr(false),
+							AllowPrivilegeEscalation: pointer.BoolPtr(false),
+							Capabilities: &corev1.Capabilities{
+								Drop: []corev1.Capability{"all"},
+							},
+							ReadOnlyRootFilesystem: pointer.BoolPtr(true),
+						},
+					},
+				},
+				SecurityContext: &corev1.PodSecurityContext{
+					RunAsUser:  pointer.Int64Ptr(1000),
+					RunAsGroup: pointer.Int64Ptr(1000),
+					SeccompProfile: &corev1.SeccompProfile{
+						Type: corev1.SeccompProfileTypeRuntimeDefault,
 					},
 				},
 			},