Merge pull request #1945 from tkatila/depl-drop-capabilities

depl: drop capabilities from all plugins

Author: mythi

deployments/dlb_plugin/base/intel-dlb-plugin.yaml

@@ -31,7 +31,12 @@ spec:
         securityContext:
           readOnlyRootFilesystem: true
           allowPrivilegeEscalation: false
-        terminationMessagePath: /tmp/termination-log          
+          capabilities:
+            drop:
+            - ALL
+          seccompProfile:
+            type: RuntimeDefault
+        terminationMessagePath: /tmp/termination-log
         resources:
           requests:
             memory: "15Mi"

deployments/dsa_plugin/base/intel-dsa-plugin.yaml

@@ -33,6 +33,11 @@ spec:
             type: "container_device_plugin_t"
           readOnlyRootFilesystem: true
           allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          seccompProfile:
+            type: RuntimeDefault
         resources:
           requests:
             memory: "25Mi"

deployments/fpga_plugin/base/intel-fpga-plugin-daemonset.yaml

@@ -42,8 +42,15 @@ spec:
           - -mode=af
         terminationMessagePath: /tmp/termination-log
         securityContext:
+          seLinuxOptions:
+            type: "container_device_plugin_t"
           readOnlyRootFilesystem: true
           allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          seccompProfile:
+            type: RuntimeDefault
         resources:
           requests:
             memory: "30Mi"

deployments/gpu_plugin/base/intel-gpu-plugin.yaml

@@ -36,6 +36,11 @@ spec:
             type: "container_device_plugin_t"
           readOnlyRootFilesystem: true
           allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          seccompProfile:
+            type: RuntimeDefault
         resources:
           requests:
             memory: "45Mi"

deployments/gpu_plugin/overlays/levelzero/levelzero.yaml

@@ -6,6 +6,13 @@
     imagePullPolicy: IfNotPresent
     args:
       - "-v=2"
+    resources:
+      requests:
+        cpu: 25m
+        memory: 50Mi
+      limits:
+        cpu: 50m
+        memory: 100Mi
     securityContext:
       readOnlyRootFilesystem: true
       privileged: true

deployments/iaa_plugin/base/intel-iaa-plugin.yaml

@@ -33,6 +33,11 @@ spec:
             type: "container_device_plugin_t"
           readOnlyRootFilesystem: true
           allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          seccompProfile:
+            type: RuntimeDefault
         resources:
           requests:
             memory: "25Mi"

deployments/qat_plugin/base/intel-qat-plugin.yaml

@@ -36,6 +36,11 @@ spec:
             type: "container_device_plugin_t"
           readOnlyRootFilesystem: true
           allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          seccompProfile:
+            type: RuntimeDefault
         imagePullPolicy: IfNotPresent
         resources:
           requests:

deployments/sgx_plugin/base/intel-sgx-plugin.yaml

@@ -27,6 +27,11 @@ spec:
             type: "container_device_plugin_t"
           readOnlyRootFilesystem: true
           allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          seccompProfile:
+            type: RuntimeDefault
         imagePullPolicy: IfNotPresent
         resources:
           requests:

pkg/controllers/dlb/controller_test.go

@@ -92,6 +92,8 @@ func (c *controller) newDaemonSetExpected(rawObj client.Object) *apps.DaemonSet
 							SecurityContext: &v1.SecurityContext{
 								ReadOnlyRootFilesystem:   &yes,
 								AllowPrivilegeEscalation: &no,
+								Capabilities:             &v1.Capabilities{Drop: []v1.Capability{"ALL"}},
+								SeccompProfile:           &v1.SeccompProfile{Type: v1.SeccompProfileTypeRuntimeDefault},
 							},
 							Resources: v1.ResourceRequirements{
 								Limits: v1.ResourceList{

pkg/controllers/dsa/controller_test.go

@@ -96,6 +96,8 @@ func (c *controller) newDaemonSetExpected(rawObj client.Object) *apps.DaemonSet
 								},
 								ReadOnlyRootFilesystem:   &yes,
 								AllowPrivilegeEscalation: &no,
+								Capabilities:             &v1.Capabilities{Drop: []v1.Capability{"ALL"}},
+								SeccompProfile:           &v1.SeccompProfile{Type: v1.SeccompProfileTypeRuntimeDefault},
 							},
 							Resources: v1.ResourceRequirements{
 								Limits: v1.ResourceList{

pkg/controllers/fpga/controller_test.go

@@ -91,8 +91,13 @@ func (c *controller) newDaemonSetExpected(rawObj client.Object) *apps.DaemonSet
 							ImagePullPolicy: "IfNotPresent",
 							Name:            appLabel,
 							SecurityContext: &v1.SecurityContext{
+								SELinuxOptions: &v1.SELinuxOptions{
+									Type: "container_device_plugin_t",
+								},
 								ReadOnlyRootFilesystem:   &yes,
 								AllowPrivilegeEscalation: &no,
+								Capabilities:             &v1.Capabilities{Drop: []v1.Capability{"ALL"}},
+								SeccompProfile:           &v1.SeccompProfile{Type: v1.SeccompProfileTypeRuntimeDefault},
 							},
 							TerminationMessagePath: "/tmp/termination-log",
 							Resources: v1.ResourceRequirements{

pkg/controllers/gpu/controller_test.go

@@ -106,6 +106,8 @@ func (c *controller) newDaemonSetExpected(rawObj client.Object) *apps.DaemonSet
 								},
 								ReadOnlyRootFilesystem:   &yes,
 								AllowPrivilegeEscalation: &no,
+								Capabilities:             &v1.Capabilities{Drop: []v1.Capability{"ALL"}},
+								SeccompProfile:           &v1.SeccompProfile{Type: v1.SeccompProfileTypeRuntimeDefault},
 							},
 							Resources: v1.ResourceRequirements{
 								Limits: v1.ResourceList{

pkg/controllers/iaa/controller_test.go

@@ -96,6 +96,8 @@ func (c *controller) newDaemonSetExpected(rawObj client.Object) *apps.DaemonSet
 								},
 								ReadOnlyRootFilesystem:   &yes,
 								AllowPrivilegeEscalation: &no,
+								Capabilities:             &v1.Capabilities{Drop: []v1.Capability{"ALL"}},
+								SeccompProfile:           &v1.SeccompProfile{Type: v1.SeccompProfileTypeRuntimeDefault},
 							},
 							Resources: v1.ResourceRequirements{
 								Limits: v1.ResourceList{

pkg/controllers/qat/controller_test.go

@@ -100,6 +100,8 @@ func (c *controller) newDaemonSetExpected(rawObj client.Object) *apps.DaemonSet
 								},
 								ReadOnlyRootFilesystem:   &yes,
 								AllowPrivilegeEscalation: &no,
+								Capabilities:             &v1.Capabilities{Drop: []v1.Capability{"ALL"}},
+								SeccompProfile:           &v1.SeccompProfile{Type: v1.SeccompProfileTypeRuntimeDefault},
 							},
 							Resources: v1.ResourceRequirements{
 								Limits: v1.ResourceList{

pkg/controllers/sgx/controller_test.go

@@ -88,6 +88,8 @@ func (c *controller) newDaemonSetExpected(rawObj client.Object) *apps.DaemonSet
 								},
 								ReadOnlyRootFilesystem:   &yes,
 								AllowPrivilegeEscalation: &no,
+								Capabilities:             &v1.Capabilities{Drop: []v1.Capability{"ALL"}},
+								SeccompProfile:           &v1.SeccompProfile{Type: v1.SeccompProfileTypeRuntimeDefault},
 							},
 							Resources: v1.ResourceRequirements{
 								Limits: v1.ResourceList{