
Commit 6be54e3

synaretemergify[bot]
authored andcommitted
resources: set SecurityContext for privileged containers
Define explicit SecurityContext entry for containers which require privileged capabilities. Required when running over OpenShift cluster. Signed-off-by: Shachar Sharon <[email protected]>
1 parent 2c5a5ba commit 6be54e3


1 file changed

+10
-0
lines changed


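--- a/internal/resources/pods.go
+++ b/internal/resources/pods.go
@@ -482,6 +482,7 @@ func buildSmbdCtr(
 },
 },
 },
+SecurityContext: ctrPrivSecurityContext(),
 }
 }
 
@@ -589,6 +590,7 @@ func buildSvcWatchCtr(
 Name: "svc-watch",
 Env: env,
 VolumeMounts: mounts,
+SecurityContext: ctrPrivSecurityContext(),
 }
 }
 
@@ -621,6 +623,7 @@ func buildEnsureShareCtr(
 Args: planner.Args().EnsureSharePaths(),
 Env: env,
 VolumeMounts: mounts,
+SecurityContext: ctrPrivSecurityContext(),
 }
 }
 
@@ -838,3 +841,10 @@ func imagePullPolicy(pl *pln.Planner) corev1.PullPolicy {
 }
 return pullPolicy
 }
+
+func ctrPrivSecurityContext() *corev1.SecurityContext {
+return &corev1.SecurityContext{
+Privileged: &[]bool{true}[0],
+RunAsNonRoot: &[]bool{false}[0],
+}
+}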
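Review bot: `ctrPrivSecurityContext()` hands the same `Privileged: true` context to all three containers (smbd, svc-watch, ensure-share) and carries no comment recording why each one needs it, so a later reader cannot tell a real requirement from a setting chosen only to pass OpenShift admission. Privileged mode removes most of the container's isolation from the node, so if svc-watch or ensure-share only need root to write into a mounted volume, a narrower context (specific `Capabilities.Add` entries, or only `RunAsUser`) would be the least-privilege choice; this is inferred, since the three builder functions begin outside their hunks and the containers' actual needs are not visible here. At minimum the helper should get a doc comment such as `// ctrPrivSecurityContext returns a privileged, root-permitted SecurityContext; required by <reason> when running on OpenShift.` with the reason filled in per container. As a style point, `&[]bool{true}[0]` would read better as a small local bool-pointer helper, or an existing pointer utility if the module already depends on one.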
