depl: drop capabilities from all plugins

tkatila · tkatila · commit a5f5553e8b1c · 2025-01-02T14:25:48.000+02:00
Signed-off-by: Tuomas Katila &lt;tuomas.katila@intel.com&gt;
diff --git a/deployments/dlb_plugin/base/intel-dlb-plugin.yaml b/deployments/dlb_plugin/base/intel-dlb-plugin.yaml
@@ -31,7 +31,12 @@ spec:
         securityContext:
           readOnlyRootFilesystem: true
           allowPrivilegeEscalation: false
-        terminationMessagePath: /tmp/termination-log          
+          capabilities:
+            drop:
+            - ALL
+          seccompProfile:
+            type: RuntimeDefault
+        terminationMessagePath: /tmp/termination-log
         resources:
           requests:
             memory: "15Mi"
diff --git a/deployments/dsa_plugin/base/intel-dsa-plugin.yaml b/deployments/dsa_plugin/base/intel-dsa-plugin.yaml
@@ -33,6 +33,11 @@ spec:
             type: "container_device_plugin_t"
           readOnlyRootFilesystem: true
           allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          seccompProfile:
+            type: RuntimeDefault
         resources:
           requests:
             memory: "25Mi"
diff --git a/deployments/fpga_plugin/base/intel-fpga-plugin-daemonset.yaml b/deployments/fpga_plugin/base/intel-fpga-plugin-daemonset.yaml
@@ -42,8 +42,15 @@ spec:
           - -mode=af
         terminationMessagePath: /tmp/termination-log
         securityContext:
+          seLinuxOptions:
+            type: "container_device_plugin_t"
           readOnlyRootFilesystem: true
           allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          seccompProfile:
+            type: RuntimeDefault
         resources:
           requests:
             memory: "30Mi"
diff --git a/deployments/gpu_plugin/base/intel-gpu-plugin.yaml b/deployments/gpu_plugin/base/intel-gpu-plugin.yaml
@@ -36,6 +36,11 @@ spec:
             type: "container_device_plugin_t"
           readOnlyRootFilesystem: true
           allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          seccompProfile:
+            type: RuntimeDefault
         resources:
           requests:
             memory: "45Mi"
diff --git a/deployments/iaa_plugin/base/intel-iaa-plugin.yaml b/deployments/iaa_plugin/base/intel-iaa-plugin.yaml
@@ -33,6 +33,11 @@ spec:
             type: "container_device_plugin_t"
           readOnlyRootFilesystem: true
           allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          seccompProfile:
+            type: RuntimeDefault
         resources:
           requests:
             memory: "25Mi"
diff --git a/deployments/qat_plugin/base/intel-qat-plugin.yaml b/deployments/qat_plugin/base/intel-qat-plugin.yaml
@@ -36,6 +36,11 @@ spec:
             type: "container_device_plugin_t"
           readOnlyRootFilesystem: true
           allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          seccompProfile:
+            type: RuntimeDefault
         imagePullPolicy: IfNotPresent
         resources:
           requests:
diff --git a/deployments/sgx_plugin/base/intel-sgx-plugin.yaml b/deployments/sgx_plugin/base/intel-sgx-plugin.yaml
@@ -27,6 +27,11 @@ spec:
             type: "container_device_plugin_t"
           readOnlyRootFilesystem: true
           allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          seccompProfile:
+            type: RuntimeDefault
         imagePullPolicy: IfNotPresent
         resources:
           requests:
