package manifests
import (
"github.com/ViaQ/logerr/v2/kverrors"
"github.com/imdario/mergo"
corev1 "k8s.io/api/core/v1"
"k8s.io/utils/ptr"
)
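// configurePodSpecForRestrictedStandard mutates podSpec in place so that it
// satisfies the settings this package requires for the "restricted" Pod
// Security Standard: the pod runs as non-root with the runtime-default
// seccomp profile, and every container disallows privilege escalation and
// drops all Linux capabilities.
//
// Both regular and init containers are hardened: the restricted standard is
// evaluated over spec.containers and spec.initContainers alike, so leaving
// init containers untouched would still fail admission. Ephemeral containers
// are not handled here (they carry a different container type).
//
// Fields on podSpec that the standard does not mandate are preserved; the
// mandated fields override whatever the caller set (mergo.WithOverride).
//
// It returns a wrapped error when podSpec is nil or when merging a
// container or pod security context fails.
func configurePodSpecForRestrictedStandard(podSpec *corev1.PodSpec) error {
	if podSpec == nil {
		return kverrors.New("pod spec must not be nil")
	}

	// Pod-level settings: non-root and RuntimeDefault seccomp.
	podSecurityContext := corev1.PodSpec{
		SecurityContext: &corev1.PodSecurityContext{
			RunAsNonRoot: ptr.To(true),
			SeccompProfile: &corev1.SeccompProfile{
				Type: corev1.SeccompProfileTypeRuntimeDefault,
			},
		},
	}

	// Container-level settings: no privilege escalation, drop ALL capabilities.
	containerSecurityContext := corev1.Container{
		SecurityContext: &corev1.SecurityContext{
			AllowPrivilegeEscalation: ptr.To(false),
			Capabilities: &corev1.Capabilities{
				Drop: []corev1.Capability{"ALL"},
			},
		},
	}

	if err := applyContainerSecurityContext(podSpec.Containers, containerSecurityContext); err != nil {
		return err
	}
	if err := applyContainerSecurityContext(podSpec.InitContainers, containerSecurityContext); err != nil {
		return err
	}

	if err := mergo.Merge(podSpec, podSecurityContext, mergo.WithOverride); err != nil {
		return kverrors.Wrap(err, "failed to merge pod security context")
	}
	return nil
}

// applyContainerSecurityContext merges the security context carried by sc
// into every element of containers, in place. Merging directly into the
// slice element avoids the copy-then-write-back dance a range value would
// need. The error names the offending container so the caller can tell
// which one failed.
func applyContainerSecurityContext(containers []corev1.Container, sc corev1.Container) error {
	for i := range containers {
		if err := mergo.Merge(&containers[i], sc, mergo.WithOverride); err != nil {
			return kverrors.Wrap(err, "failed to merge container security context", "container", containers[i].Name)
		}
	}
	return nil
}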