In order to comply with the restricted PSA profile, the pod needs to have runAsNonRoot: true, and all containers need to have allowPrivilegeEscalation:false and drop all capabilities.
Also the Dockerfile should set a USER.
On Kubernetes we would also need to set seccompProfile.type: RuntimeDefault.
This will be added by a new make target bundle-k8s for community (k8s) releases, since it would break deployment on OCP 4.10 though.
Therefore, it would be empty by default.
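As an added example (not code from the node-maintenance-operator project or from this PR), the requirements listed above, encoded as a small Python check over a pod spec dict, so a reviewer can test a manifest before applying it. Function names and the two sample specs at the bottom are constructed for this example. It goes slightly beyond the description in the same direction: it also checks initContainers, accepts `seccompProfile.type: Localhost` and `capabilities.add: [NET_BIND_SERVICE]`, which the restricted profile permits, and resolves the container-level securityContext over the pod-level one the way the API server does.

```python
"""Check a pod spec against the restricted PSA fields named in the PR description.

Only the fields discussed above are checked (runAsNonRoot, allowPrivilegeEscalation,
capabilities, seccompProfile); the restricted profile has further rules that are
out of scope here.
"""

from typing import Any


def _effective(pod_sc: dict, ctr_sc: dict, key: str) -> Any:
    """Container-level securityContext overrides pod-level for the same key."""
    if key in ctr_sc:
        return ctr_sc[key]
    return pod_sc.get(key)


def restricted_violations(pod_spec: dict) -> list:
    """Return human-readable violations of the restricted profile; empty list = compliant."""
    pod_sc = pod_spec.get("securityContext") or {}
    problems = []
    # initContainers are subject to the same rules as regular containers.
    containers = list(pod_spec.get("containers") or []) + list(pod_spec.get("initContainers") or [])
    if not containers:
        problems.append("pod has no containers")
    for ctr in containers:
        name = ctr.get("name", "<unnamed>")
        sc = ctr.get("securityContext") or {}

        # runAsNonRoot may be set at pod or container level, but must resolve to true.
        if _effective(pod_sc, sc, "runAsNonRoot") is not True:
            problems.append(f"{name}: runAsNonRoot must be true")

        # allowPrivilegeEscalation is container-only and must be explicitly false.
        if sc.get("allowPrivilegeEscalation") is not False:
            problems.append(f"{name}: allowPrivilegeEscalation must be explicitly false")

        # All capabilities must be dropped; only NET_BIND_SERVICE may be added back.
        caps = sc.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []):
            problems.append(f"{name}: capabilities.drop must include ALL")
        extra = [c for c in (caps.get("add") or []) if c != "NET_BIND_SERVICE"]
        if extra:
            problems.append(f"{name}: capabilities.add may only contain NET_BIND_SERVICE, got {extra}")

        # seccompProfile may be set at pod or container level; Unconfined or unset fails.
        seccomp = _effective(pod_sc, sc, "seccompProfile") or {}
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            problems.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
    return problems


# Constructed sample: a typical operator pod spec before hardening.
BEFORE_SPEC = {
    "containers": [{"name": "manager", "image": "controller:latest"}],
}

# Constructed sample: the same pod with the settings the PR description calls for.
AFTER_SPEC = {
    "securityContext": {
        "runAsNonRoot": True,
        "seccompProfile": {"type": "RuntimeDefault"},
    },
    "containers": [{
        "name": "manager",
        "image": "controller:latest",
        "securityContext": {
            "allowPrivilegeEscalation": False,
            "capabilities": {"drop": ["ALL"]},
        },
    }],
}


if __name__ == "__main__":
    for label, spec in (("before", BEFORE_SPEC), ("after", AFTER_SPEC)):
        print(label, restricted_violations(spec) or "compliant")
```

Because the seccomp and runAsNonRoot checks resolve container over pod, a manifest that sets `seccompProfile.type: RuntimeDefault` on the pod but `Unconfined` on one container is reported as a violation for that container, which is what the admission controller would also reject.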
Needs approval from an approver in each of these files:
- ~~[OWNERS](https://github.com/medik8s/node-maintenance-operator/blob/main/OWNERS)~~ [razo7]
Approvers can indicate their approval by writing `/approve` in a comment
Approvers can cancel approval by writing `/approve cancel` in a comment