Update Ansible sample to comply with Pod Security Standards (#5853)

* 🌱 update Ansible sample to show how the Pods/Containers should be configured as restrictive * fix nit format
operator-framework · Jun 13, 2022 · 584ada8 · 584ada8
1 parent bf3bc89
commit 584ada8
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 0 deletions.
diff --git a/hack/generate/samples/internal/ansible/constants.go b/hack/generate/samples/internal/ansible/constants.go
@@ -26,6 +26,10 @@ const roleFragment = `
         labels:
           app: memcached
       spec:
+        securityContext:
+          runAsNonRoot: true
+          seccompProfile:
+            type: RuntimeDefault
         replicas: "{{size}}"
         selector:
           matchLabels:
@@ -37,6 +41,11 @@ const roleFragment = `
           spec:
             containers:
             - name: memcached
+              securityContext:
+                allowPrivilegeEscalation: false
+                capabilities:
+                  drop:
+                    - "ALL"
               command:
               - memcached
               - -m=64

diff --git a/testdata/ansible/memcached-operator/roles/memcached/tasks/main.yml b/testdata/ansible/memcached-operator/roles/memcached/tasks/main.yml
@@ -11,6 +11,10 @@
         labels:
           app: memcached
       spec:
+        securityContext:
+          runAsNonRoot: true
+          seccompProfile:
+            type: RuntimeDefault
         replicas: "{{size}}"
         selector:
           matchLabels:
@@ -22,6 +26,11 @@
           spec:
             containers:
             - name: memcached
+              securityContext:
+                allowPrivilegeEscalation: false
+                capabilities:
+                  drop:
+                    - "ALL"
               command:
               - memcached
               - -m=64