Do not drop all capabilities

- previous configurations didn't work with ESXi runtime
- dropping all capabilities except CHOWN, DAC_OVERRIDE, and FOWNER
- CHOWN is necessary to change a file's
owner, the second is necessary to permit chown to traverse directories
to which root doesn't otherwise have access. FOWNER bypass checks on operations
that require the file system UID of the process to match the UID of the file.

Author: ChunyiLyu

internal/resource/statefulset.go

@@ -521,8 +521,20 @@ func (builder *StatefulSetBuilder) podTemplateSpec(previousPodAnnotations map[st
 					SecurityContext: &corev1.SecurityContext{
 						RunAsUser: pointer.Int64Ptr(0),
 						Capabilities: &corev1.Capabilities{
-							Drop: []corev1.Capability{"ALL"},
-							Add:  []corev1.Capability{"CHOWN", "FOWNER"},
+							// drop default set from Docker except for CHOWN, FOWNER, and DAC_OVERRIDE
+							Drop: []corev1.Capability{
+								"FSETID",
+								"KILL",
+								"SETGID",
+								"SETUID",
+								"SETPCAP",
+								"NET_BIND_SERVICE",
+								"NET_RAW",
+								"SYS_CHROOT",
+								"MKNOD",
+								"AUDIT_WRITE",
+								"SETFCAP",
+							},
 						},
 					},
 					Command: []string{

internal/resource/statefulset_test.go

@@ -1086,8 +1086,20 @@ var _ = Describe("StatefulSet", func() {
 				"Image": Equal("rabbitmq-image-from-cr"),
 				"SecurityContext": PointTo(MatchFields(IgnoreExtras, Fields{
 					"Capabilities": PointTo(MatchAllFields(Fields{
-						"Drop": ConsistOf([]corev1.Capability{"ALL"}),
-						"Add":  ConsistOf([]corev1.Capability{"CHOWN", "FOWNER"}),
+						"Drop": ConsistOf([]corev1.Capability{
+							"FSETID",
+							"KILL",
+							"SETGID",
+							"SETUID",
+							"SETPCAP",
+							"NET_BIND_SERVICE",
+							"NET_RAW",
+							"SYS_CHROOT",
+							"MKNOD",
+							"AUDIT_WRITE",
+							"SETFCAP",
+						}),
+						"Add": BeEmpty(),
 					})),
 				})),
 				"Command": ConsistOf(