resources: set SecurityContext for privileged containers

Define explicit SecurityContext entry for containers which require privileged capabilities. Required when running over OpenShift cluster. Signed-off-by: Shachar Sharon <[email protected]>
phlogistonjohn · Mar 23, 2023 · 6be54e3 · 6be54e3
1 parent 2c5a5ba
commit 6be54e3
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/internal/resources/pods.go b/internal/resources/pods.go
@@ -482,6 +482,7 @@ func buildSmbdCtr(
 				},
 			},
 		},
+		SecurityContext: ctrPrivSecurityContext(),
 	}
 }
 
@@ -589,6 +590,7 @@ func buildSvcWatchCtr(
 		Name:            "svc-watch",
 		Env:             env,
 		VolumeMounts:    mounts,
+		SecurityContext: ctrPrivSecurityContext(),
 	}
 }
 
@@ -621,6 +623,7 @@ func buildEnsureShareCtr(
 		Args:            planner.Args().EnsureSharePaths(),
 		Env:             env,
 		VolumeMounts:    mounts,
+		SecurityContext: ctrPrivSecurityContext(),
 	}
 }
 
@@ -838,3 +841,10 @@ func imagePullPolicy(pl *pln.Planner) corev1.PullPolicy {
 	}
 	return pullPolicy
 }
+
+func ctrPrivSecurityContext() *corev1.SecurityContext {
+	return &corev1.SecurityContext{
+		Privileged:   &[]bool{true}[0],
+		RunAsNonRoot: &[]bool{false}[0],
+	}
+}