manifests/deployment: comply to restricted pod security level (#616)

s-urbaniak · web-flow · commit e0392159de95 · 2022-05-09T12:04:06.000-04:00
diff --git a/manifests/06-deployment-ibm-cloud-managed.yaml b/manifests/06-deployment-ibm-cloud-managed.yaml
@@ -20,6 +20,10 @@ spec:
       labels:
         app: insights-operator
     spec:
+      securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
       containers:
       - args:
         - start
@@ -38,6 +42,10 @@ spec:
           value: 0.0.1-snapshot
         image: quay.io/openshift/origin-insights-operator:latest
         name: insights-operator
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop: ["ALL"]
         ports:
         - containerPort: 8443
           name: https
diff --git a/manifests/06-deployment.yaml b/manifests/06-deployment.yaml
@@ -21,6 +21,10 @@ spec:
       labels:
         app: insights-operator
     spec:
+      securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
       serviceAccountName: operator
       priorityClassName: system-cluster-critical
       nodeSelector:
@@ -56,6 +60,10 @@ spec:
           optional: true
       containers:
       - name: insights-operator
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop: ["ALL"]
         image: quay.io/openshift/origin-insights-operator:latest
         terminationMessagePolicy: FallbackToLogsOnError
         volumeMounts:
