drop all capabilities when CAP is not assigned

OpenNMS · Oct 12, 2023 · fd6c051 · fd6c051
1 parent 756e68b
commit fd6c051
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 5 deletions.
diff --git a/horizon/templates/opennms-core.statefulset.yaml b/horizon/templates/opennms-core.statefulset.yaml
@@ -43,11 +43,14 @@ spec:
           seccompProfile:
             type: RuntimeDefault
           {{- if eq (include "onOpenShift" .) "true" }}
-          {{- if has "CAP_NET_RAW" ((.Values.dependencies.securitycontext).allowedCapabilities) }}
           capabilities:
+          {{- if has "CAP_NET_RAW" (.Values.dependencies.securitycontext).allowedCapabilities }}
             add:
              - CAP_NET_RAW
-         {{- end }}
+          {{- else }}
+            drop:
+             - ALL
+          {{- end }}
          {{- end }}
          {{- end }}
       terminationGracePeriodSeconds: {{ .Values.core.terminationGracePeriodSeconds | default 120 }}
@@ -98,10 +101,13 @@ spec:
           seccompProfile:
             type: RuntimeDefault
           {{- if eq (include "onOpenShift" .) "true" }}
-          {{- if has "CAP_NET_RAW" (.Values.dependencies.securitycontext).allowedCapabilities }}
           capabilities:
+          {{- if has "CAP_NET_RAW" (.Values.dependencies.securitycontext).allowedCapabilities }}
             add:
              - CAP_NET_RAW
+          {{- else }}
+            drop:
+             - ALL
           {{- end }}
           {{- end }}
         {{- end }}
@@ -139,10 +145,13 @@ spec:
           seccompProfile:
             type: RuntimeDefault
           {{- if eq (include "onOpenShift" .) "true" }}
-          {{- if has "CAP_NET_RAW" (.Values.dependencies.securitycontext).allowedCapabilities }}
           capabilities:
+          {{- if has "CAP_NET_RAW" (.Values.dependencies.securitycontext).allowedCapabilities }}
             add:
              - CAP_NET_RAW
+          {{- else }}
+            drop:
+             - ALL
           {{- end }}
           {{- end }}
          {{- end }}

diff --git a/horizon/templates/opennms-sentinel.statefulset.yaml b/horizon/templates/opennms-sentinel.statefulset.yaml
@@ -38,9 +38,16 @@ spec:
           runAsNonRoot: true
           seccompProfile:
             type: RuntimeDefault
+          {{- if eq (include "onOpenShift" .) "true" }}
           capabilities:
+          {{- if has "CAP_NET_RAW" (.Values.dependencies.securitycontext).allowedCapabilities }}
             add:
-             - NET_RAW
+             - CAP_NET_RAW
+          {{- else }}
+            drop:
+             - ALL
+          {{- end }}
+          {{- end }}
       {{- end }}
       terminationGracePeriodSeconds: {{ .Values.sentinel.terminationGracePeriodSeconds | default 60 }}
       {{- if .Values.imagePullSecrets }}

diff --git a/minion/templates/minion-deployment.yaml b/minion/templates/minion-deployment.yaml
@@ -32,6 +32,9 @@ spec:
           capabilities:
             add:
              - CAP_NET_RAW
+          {{- else }}
+            drop:
+             - ALL
          {{- end }}
          {{- end }}
       {{- end }}