Merge pull request #83 from s-urbaniak/patch-3

manifests/deployment: comply to restricted pod security level

manifests/07_deployment-ibm-cloud-managed.yaml

@@ -49,6 +49,10 @@ spec:
             cpu: 10m
             memory: 50Mi
         securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
           runAsUser: 1001
         terminationMessagePolicy: FallbackToLogsOnError
         volumeMounts:
@@ -57,6 +61,10 @@ spec:
         - mountPath: /var/run/secrets/serving-cert
           name: serving-cert
       priorityClassName: system-cluster-critical
+      securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
       serviceAccountName: kube-storage-version-migrator-operator
       tolerations:
       - effect: NoSchedule

manifests/07_deployment.yaml

@@ -39,6 +39,10 @@ spec:
             memory: 50Mi
             cpu: 10m
         securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
           runAsUser: 1001
         volumeMounts:
           - mountPath: /var/run/configmaps/config
@@ -65,6 +69,10 @@ spec:
       nodeSelector:
         node-role.kubernetes.io/master: ""
       priorityClassName: "system-cluster-critical"
+      securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
       tolerations:
       - key: "node-role.kubernetes.io/master"
         operator: "Exists"