✨ leave the pod.spec.containers[0].capabilities.DROP.All
Camila Macedo committed Jun 23, 2022
1 parent 175713e commit 1246760
Showing 15 changed files with 42 additions and 77 deletions.
@@ -57,10 +57,9 @@ spec:
- name: kube-rbac-proxy
securityContext:
allowPrivilegeEscalation: false
# TODO(user): uncomment for common cases that do not require escalating privileges
# capabilities:
# drop:
# - "ALL"
capabilities:
drop:
- "ALL"
image: gcr.io/kubebuilder/kube-rbac-proxy:v0.12.0
args:
- "--secure-listen-address=0.0.0.0:8443"
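Review bot: The `capabilities` / `drop` / `- "ALL"` block that replaces the TODO carries no comment, so a reader of the scaffold no longer sees why it is there or how to adjust it. A one-line replacement such as `# Drop all Linux capabilities; list any the container really needs under capabilities.add` would keep that guidance. For this container the drop looks safe as written, because the visible `--secure-listen-address=0.0.0.0:8443` is an unprivileged port and needs no NET_BIND_SERVICE. The same comment applies to the other kube-rbac-proxy and manager hunks on this page; the file path of this section is not shown in the rendering.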
@@ -90,10 +90,9 @@ spec:
name: manager
securityContext:
allowPrivilegeEscalation: false
# TODO(user): uncomment for common cases that do not require escalating privileges
# capabilities:
# drop:
# - "ALL"
capabilities:
drop:
- "ALL"
livenessProbe:
httpGet:
path: /healthz
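Review bot: The manager container's `securityContext` in this hunk now sets `allowPrivilegeEscalation: false` and drops all capabilities, but it shows neither `runAsNonRoot` nor `seccompProfile`, which the Pod Security Standards `restricted` profile also requires. They may be set at pod level outside this hunk; the e2e helper `uncommentPodStandards` still rewrites another `# TODO(user)` block in `manager.yaml`, which suggests at least one related setting remains opt-in. If that is the case, a comment beside the new block such as `# NOTE: the "restricted" Pod Security profile also requires runAsNonRoot and a seccompProfile` would tell users that dropping capabilities alone does not make the pod pass `restricted`.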
@@ -57,10 +57,9 @@ spec:
- name: kube-rbac-proxy
securityContext:
allowPrivilegeEscalation: false
# TODO(user): uncomment for common cases that do not require escalating privileges
# capabilities:
# drop:
# - "ALL"
capabilities:
drop:
- "ALL"
image: gcr.io/kubebuilder/kube-rbac-proxy:v0.12.0
args:
- "--secure-listen-address=0.0.0.0:8443"
@@ -90,10 +90,9 @@ spec:
name: manager
securityContext:
allowPrivilegeEscalation: false
# TODO(user): uncomment for common cases that do not require escalating privileges
# capabilities:
# drop:
# - "ALL"
capabilities:
drop:
- "ALL"
livenessProbe:
httpGet:
path: /healthz
21 changes: 0 additions & 21 deletions test/e2e/v3/generate_test.go
@@ -237,27 +237,6 @@ Count int `+"`"+`json:"count,omitempty"`+"`"+`

func uncommentPodStandards(kbc *utils.TestContext) {
configManager := filepath.Join(kbc.Dir, "config", "manager", "manager.yaml")
managerAuth := filepath.Join(kbc.Dir, "config", "default", "manager_auth_proxy_patch.yaml")

//nolint:lll
if err := pluginutil.ReplaceInFile(configManager, `# TODO(user): uncomment for common cases that do not require escalating privileges
# capabilities:
# drop:
# - "ALL"`, ` capabilities:
drop:
- "ALL"`); err != nil {
ExpectWithOffset(1, err).NotTo(HaveOccurred())
}

//nolint:lll
if err := pluginutil.ReplaceInFile(managerAuth, `# TODO(user): uncomment for common cases that do not require escalating privileges
# capabilities:
# drop:
# - "ALL"`, ` capabilities:
drop:
- "ALL"`); err != nil {
ExpectWithOffset(1, err).NotTo(HaveOccurred())
}

//nolint:lll
if err := pluginutil.ReplaceInFile(configManager, `# TODO(user): For common cases that do not require escalating privileges
@@ -12,10 +12,9 @@ spec:
- name: kube-rbac-proxy
securityContext:
allowPrivilegeEscalation: false
# TODO(user): uncomment for common cases that do not require escalating privileges
# capabilities:
# drop:
# - "ALL"
capabilities:
drop:
- "ALL"
image: gcr.io/kubebuilder/kube-rbac-proxy:v0.12.0
args:
- "--secure-listen-address=0.0.0.0:8443"
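--- a/testdata/project-v3-addon/config/manager/manager.yaml
+++ b/testdata/project-v3-addon/config/manager/manager.yaml
@@ -42,10 +42,9 @@ spec:
 name: manager
 securityContext:
 allowPrivilegeEscalation: false
-# TODO(user): uncomment for common cases that do not require escalating privileges
-# capabilities:
-# drop:
-# - "ALL"
+capabilities:
+drop:
+- "ALL"
 livenessProbe:
 httpGet:
 path: /healthz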
@@ -12,10 +12,9 @@ spec:
- name: kube-rbac-proxy
securityContext:
allowPrivilegeEscalation: false
# TODO(user): uncomment for common cases that do not require escalating privileges
# capabilities:
# drop:
# - "ALL"
capabilities:
drop:
- "ALL"
image: gcr.io/kubebuilder/kube-rbac-proxy:v0.12.0
args:
- "--secure-listen-address=0.0.0.0:8443"
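--- a/testdata/project-v3-config/config/manager/manager.yaml
+++ b/testdata/project-v3-config/config/manager/manager.yaml
@@ -40,10 +40,9 @@ spec:
 name: manager
 securityContext:
 allowPrivilegeEscalation: false
-# TODO(user): uncomment for common cases that do not require escalating privileges
-# capabilities:
-# drop:
-# - "ALL"
+capabilities:
+drop:
+- "ALL"
 livenessProbe:
 httpGet:
 path: /healthz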
@@ -12,10 +12,9 @@ spec:
- name: kube-rbac-proxy
securityContext:
allowPrivilegeEscalation: false
# TODO(user): uncomment for common cases that do not require escalating privileges
# capabilities:
# drop:
# - "ALL"
capabilities:
drop:
- "ALL"
image: gcr.io/kubebuilder/kube-rbac-proxy:v0.12.0
args:
- "--secure-listen-address=0.0.0.0:8443"
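--- a/testdata/project-v3-multigroup/config/manager/manager.yaml
+++ b/testdata/project-v3-multigroup/config/manager/manager.yaml
@@ -42,10 +42,9 @@ spec:
 name: manager
 securityContext:
 allowPrivilegeEscalation: false
-# TODO(user): uncomment for common cases that do not require escalating privileges
-# capabilities:
-# drop:
-# - "ALL"
+capabilities:
+drop:
+- "ALL"
 livenessProbe:
 httpGet:
 path: /healthz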
@@ -12,10 +12,9 @@ spec:
- name: kube-rbac-proxy
securityContext:
allowPrivilegeEscalation: false
# TODO(user): uncomment for common cases that do not require escalating privileges
# capabilities:
# drop:
# - "ALL"
capabilities:
drop:
- "ALL"
image: gcr.io/kubebuilder/kube-rbac-proxy:v0.12.0
args:
- "--secure-listen-address=0.0.0.0:8443"
@@ -42,10 +42,9 @@ spec:
name: manager
securityContext:
allowPrivilegeEscalation: false
# TODO(user): uncomment for common cases that do not require escalating privileges
# capabilities:
# drop:
# - "ALL"
capabilities:
drop:
- "ALL"
livenessProbe:
httpGet:
path: /healthz
@@ -12,10 +12,9 @@ spec:
- name: kube-rbac-proxy
securityContext:
allowPrivilegeEscalation: false
# TODO(user): uncomment for common cases that do not require escalating privileges
# capabilities:
# drop:
# - "ALL"
capabilities:
drop:
- "ALL"
image: gcr.io/kubebuilder/kube-rbac-proxy:v0.12.0
args:
- "--secure-listen-address=0.0.0.0:8443"
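--- a/testdata/project-v3/config/manager/manager.yaml
+++ b/testdata/project-v3/config/manager/manager.yaml
@@ -42,10 +42,9 @@ spec:
 name: manager
 securityContext:
 allowPrivilegeEscalation: false
-# TODO(user): uncomment for common cases that do not require escalating privileges
-# capabilities:
-# drop:
-# - "ALL"
+capabilities:
+drop:
+- "ALL"
 livenessProbe:
 httpGet:
 path: /healthz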
