Add a seccompProfile to the pod
shanman190 committed Mar 8, 2024
1 parent ddad53a commit e9b6cc0
Showing 4 changed files with 15 additions and 1 deletion.
@@ -77,6 +77,9 @@ var _ = Describe("Job TaskWorkload Controller Integration Test", func() {
Expect(podSpec.RestartPolicy).To(Equal(corev1.RestartPolicyNever))
Expect(podSpec.SecurityContext).To(Equal(&corev1.PodSecurityContext{
RunAsNonRoot: tools.PtrTo(true),
SeccompProfile: &corev1.SeccompProfile{
Type: corev1.SeccompProfileTypeRuntimeDefault,
},
}))
Expect(podSpec.AutomountServiceAccountToken).To(Equal(tools.PtrTo(false)))
Expect(podSpec.ImagePullSecrets).To(ConsistOf(corev1.LocalObjectReference{Name: "my-image-secret"}))
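--- a/job-task-runner/controllers/taskworkload_controller.go
+++ b/job-task-runner/controllers/taskworkload_controller.go
@@ -167,6 +167,9 @@ func (r *TaskWorkloadReconciler) workloadToJob(taskWorkload *korifiv1alpha1.Task
 RestartPolicy: corev1.RestartPolicyNever,
 SecurityContext: &corev1.PodSecurityContext{
 RunAsNonRoot: tools.PtrTo(true),
+SeccompProfile: &corev1.SeccompProfile{
+Type: corev1.SeccompProfileTypeRuntimeDefault,
+},
 },
 AutomountServiceAccountToken: tools.PtrTo(false),
 ImagePullSecrets: taskWorkload.Spec.ImagePullSecrets,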
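Review bot: The new pod-level `SeccompProfile` in workloadToJob carries no comment on how it relates to per-container settings: in Kubernetes a container's own `SecurityContext.SeccompProfile` overrides the pod-level value, so this field only acts as the default for containers that set none. I would add `// Pod-level default; a container-level SeccompProfile overrides it.` above the field. The same three lines are added in Convert in statefulset-runner/controllers/appworkload_to_stset.go, where the test file shows a container-level profile is asserted as well, so the comment applies there too; a shared helper returning the `*corev1.PodSecurityContext` would keep the two runners from drifting apart. workloadToJob starts and ends outside this hunk, so whether the job container sets its own profile is not visible here.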
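--- a/statefulset-runner/controllers/appworkload_to_stset.go
+++ b/statefulset-runner/controllers/appworkload_to_stset.go
@@ -136,6 +136,9 @@ func (r *AppWorkloadToStatefulsetConverter) Convert(appWorkload *korifiv1alpha1.
 ImagePullSecrets: appWorkload.Spec.ImagePullSecrets,
 SecurityContext: &corev1.PodSecurityContext{
 RunAsNonRoot: tools.PtrTo(true),
+SeccompProfile: &corev1.SeccompProfile{
+Type: corev1.SeccompProfileTypeRuntimeDefault,
+},
 },
 ServiceAccountName: ServiceAccountName,
 },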
7 changes: 6 additions & 1 deletion statefulset-runner/controllers/appworkload_to_stset_test.go
@@ -115,7 +115,7 @@ var _ = Describe("AppWorkload to StatefulSet Converter", func() {
}))
})

It("should set the seccomp profile", func() {
It("should set the seccomp profile on the container", func() {
Expect(statefulSet.Spec.Template.Spec.Containers[0].SecurityContext.SeccompProfile).NotTo(BeNil())
Expect(*statefulSet.Spec.Template.Spec.Containers[0].SecurityContext.SeccompProfile).To(Equal(corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault}))
})
@@ -212,6 +212,11 @@ var _ = Describe("AppWorkload to StatefulSet Converter", func() {
Expect(*statefulSet.Spec.Template.Spec.SecurityContext.RunAsNonRoot).To(BeTrue())
})

It("should set the seccomp profile on the pod", func() {
Expect(statefulSet.Spec.Template.Spec.SecurityContext.SeccompProfile).NotTo(BeNil())
Expect(*statefulSet.Spec.Template.Spec.SecurityContext.SeccompProfile).To(Equal(corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault}))
})

It("should set soft inter-pod anti-affinity", func() {
podAntiAffinity := statefulSet.Spec.Template.Spec.Affinity.PodAntiAffinity
Expect(podAntiAffinity.RequiredDuringSchedulingIgnoredDuringExecution).To(BeEmpty())
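Review bot: The new "on the pod" spec needs a nil check followed by a dereference, where a single pointer comparison would do: `Expect(statefulSet.Spec.Template.Spec.SecurityContext.SeccompProfile).To(Equal(&corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault}))`. That is the form the job-task-runner test already uses for the whole `PodSecurityContext`. Both lines also read through `Spec.SecurityContext` without guarding it, so a regression that drops the pod security context entirely would surface as a nil-pointer panic rather than a failed expectation. The enclosing Describe and its setup are outside these hunks.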
