From faecc3e9810163ea2e633085659f3d94958d54d7 Mon Sep 17 00:00:00 2001
From: nikita-bhatia <107468860+nikita-bhatia@users.noreply.github.com>
Date: Fri, 14 Jul 2023 01:29:08 +0530
Subject: [PATCH] PWX-32294 : Reconfigure SCC templates (#1132)

* PWX-32294 : Reconfigure SCC templates

* set AllowPrivilegeEscalation to false for portworx-restricted scc
---
 .../portworx/component/securitycontextconstraints.go | 10 +++++-----
 drivers/storage/portworx/testspec/portworxSCC.yaml | 8 ++++----
 2 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/drivers/storage/portworx/component/securitycontextconstraints.go b/drivers/storage/portworx/component/securitycontextconstraints.go
index b01735227d..0b8a2e2d57 100644
--- a/drivers/storage/portworx/component/securitycontextconstraints.go
+++ b/drivers/storage/portworx/component/securitycontextconstraints.go
@@ -191,11 +191,11 @@ func (s *scc) getSCCs(cluster *opcorev1.StorageCluster) []ocp_secv1.SecurityCont
 Name: PxSCCName,
 },
 AllowHostDirVolumePlugin: true,
- AllowHostIPC: true,
+ AllowHostIPC: false,
 AllowHostNetwork: true,
- AllowHostPID: true,
- AllowHostPorts: true,
- AllowPrivilegeEscalation: boolPtr(true),
+ AllowHostPID: false,
+ AllowHostPorts: false,
+ AllowPrivilegeEscalation: boolPtr(false),
 AllowPrivilegedContainer: true,
 AllowedUnsafeSysctls: []string{"*"},
 AllowedCapabilities: []corev1.Capability{
@@ -236,7 +236,7 @@ func (s *scc) getSCCs(cluster *opcorev1.StorageCluster) []ocp_secv1.SecurityCont
 AllowHostNetwork: true,
 AllowHostPID: false,
 AllowHostPorts: false,
- AllowPrivilegeEscalation: boolPtr(true),
+ AllowPrivilegeEscalation: boolPtr(false),
 AllowPrivilegedContainer: false,
 FSGroup: ocp_secv1.FSGroupStrategyOptions{
 Type: ocp_secv1.FSGroupStrategyMustRunAs,
diff --git a/drivers/storage/portworx/testspec/portworxSCC.yaml b/drivers/storage/portworx/testspec/portworxSCC.yaml
index 4df67cf583..eb839f759d 100644
--- a/drivers/storage/portworx/testspec/portworxSCC.yaml
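Review bot: Setting `AllowPrivilegeEscalation: boolPtr(false)` on the `PxSCCName` SCC while `AllowPrivilegedContainer: true` is kept looks self-contradictory for any pod that actually requests `privileged: true`: SCC admission fills in `allowPrivilegeEscalation: false` on such a container and, if I recall the apiserver's pod validation correctly, the combination of `privileged: true` with `allowPrivilegeEscalation: false` is then rejected, so this should be checked against the real Portworx pod specs before merging rather than only against the testspec. The grants that remain (`AllowHostDirVolumePlugin: true`, `AllowHostNetwork: true`, `AllowedUnsafeSysctls: []string{"*"}`, and the `AllowedCapabilities` list, which the accompanying testspec suggests is `'*'`) still give a compromised pod a path to the host, so dropping hostPID/hostIPC/hostPorts narrows the surface only marginally and deserves an explicit rationale in code, e.g. `// privileged, hostPath, host networking and unsafe sysctls remain required by the px node daemon; hostPID/hostIPC/hostPorts do not`. getSCCs starts and ends outside this hunk.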
+++ b/drivers/storage/portworx/testspec/portworxSCC.yaml
@@ -1,9 +1,9 @@
 allowHostDirVolumePlugin: true
-allowHostIPC: true
+allowHostIPC: false
 allowHostNetwork: true
-allowHostPID: true
-allowHostPorts: true
-allowPrivilegeEscalation: true
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegeEscalation: false
 allowPrivilegedContainer: true
 allowedCapabilities:
 - '*'