FE-896 | disable privilege escalation for integration sidecar (#1993)

cmyk47 · web-flow · commit feee614fe5e7 · 2025-11-17T18:55:27.000+01:00
diff --git a/pkg/util/k8sutil/pods.go b/pkg/util/k8sutil/pods.go
@@ -783,10 +783,11 @@ func CreateDefaultContainerTemplate(image *schedulerContainerResourcesApi.Image)
 		},
 		Security: &schedulerContainerResourcesApi.Security{
 			SecurityContext: &core.SecurityContext{
-				RunAsUser:              util.NewType[int64](shared.DefaultRunAsUser),
-				RunAsGroup:             util.NewType[int64](shared.DefaultRunAsGroup),
-				RunAsNonRoot:           util.NewType(true),
-				ReadOnlyRootFilesystem: util.NewType(true),
+				RunAsUser:                util.NewType[int64](shared.DefaultRunAsUser),
+				RunAsGroup:               util.NewType[int64](shared.DefaultRunAsGroup),
+				RunAsNonRoot:             util.NewType(true),
+				ReadOnlyRootFilesystem:   util.NewType(true),
+				AllowPrivilegeEscalation: util.NewType(false),
 				Capabilities: &core.Capabilities{
 					Drop: []core.Capability{
 						"ALL",
