From 692d5ffb7ce1a09f038003f57aad2411d2f93474 Mon Sep 17 00:00:00 2001
From: Madalina Lazar
Date: Mon, 28 Nov 2022 18:03:50 +0000
Subject: [PATCH] Improve TAS container security
This commit will:
- drop all priviledges
- set allowPrivilegeEscalation to false
- set a non-root user for runAsGroup
- enable default seccompProfile
Signed-off-by: Madalina Lazar
---
 telemetry-aware-scheduling/deploy/tas-deployment.yaml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/telemetry-aware-scheduling/deploy/tas-deployment.yaml b/telemetry-aware-scheduling/deploy/tas-deployment.yaml
index 794e35d9..00ac5a5e 100644
--- a/telemetry-aware-scheduling/deploy/tas-deployment.yaml
+++ b/telemetry-aware-scheduling/deploy/tas-deployment.yaml
@@ -29,11 +29,14 @@ spec:
 imagePullPolicy: IfNotPresent
 securityContext:
 capabilities:
- drop:
- - all
+ drop: [ 'ALL' ]
 readOnlyRootFilesystem: true
 runAsNonRoot: true
 runAsUser: 10001
+ allowPrivilegeEscalation: false
+ runAsGroup: 10001
+ seccompProfile:
+ type: RuntimeDefault
 volumeMounts:
 - name: certs
 mountPath: /tas/cert
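Review bot: The new `seccompProfile: type: RuntimeDefault` lines in the container `securityContext` are only understood by Kubernetes 1.19 and later (before that seccomp was set via annotation), so on an older cluster `kubectl` schema validation rejects the manifest or the field is silently dropped and the container runs unconfined — the minimum version this deployment now assumes should be stated, e.g. a comment above the block: `# Satisfies the Pod Security Standards "restricted" profile; seccompProfile requires Kubernetes >= 1.19`. With every capability dropped and `allowPrivilegeEscalation: false`, nothing in the container can regain privileges, which is the intended effect; combined with the pre-existing `readOnlyRootFilesystem: true` and the now-enforced `runAsGroup: 10001`, any path the TAS binary writes to must come from a mounted volume with group-accessible permissions — the `certs` mount at `/tas/cert` is the only volume visible here, so that is worth confirming against the pod-level `securityContext`/`fsGroup`, which is outside this hunk. The enclosing container spec and `spec.securityContext` both start and end outside the hunk.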