scripts: Add downstream-only patches for custom Pod securityContext configurations

timflannagan · timflannagan · commit b5b49fe39191 · 2022-05-02T12:27:06.000-04:00
Signed-off-by: timflannagan &lt;timflannagan@gmail.com&gt;
diff --git a/scripts/catalog-deployment.patch.yaml b/scripts/catalog-deployment.patch.yaml
@@ -9,3 +9,16 @@
   value:
     name: RELEASE_VERSION
     value: "0.0.1-snapshot"
+- command: update
+  path: spec.template.spec.containers[*].securityContext
+  value:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop: ["ALL"]
+- command: update
+  path: spec.template.spec.securityContext
+  value:
+    runAsNonRoot: true
+    runAsUser: 65534
+    seccompProfile:
+      type: RuntimeDefault
diff --git a/scripts/olm-deployment.patch.yaml b/scripts/olm-deployment.patch.yaml
@@ -9,3 +9,16 @@
   value:
     name: RELEASE_VERSION
     value: "0.0.1-snapshot"
+- command: update
+  path: spec.template.spec.containers[*].securityContext
+  value:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop: ["ALL"]
+- command: update
+  path: spec.template.spec.securityContext
+  value:
+    runAsNonRoot: true
+    runAsUser: 65534
+    seccompProfile:
+      type: RuntimeDefault
diff --git a/scripts/packageserver-deployment.patch.yaml b/scripts/packageserver-deployment.patch.yaml
@@ -33,3 +33,16 @@
             values:
             - packageserver
         topologyKey: "kubernetes.io/hostname"
+- command: update
+  path: spec.install.spec.deployments[0].spec.template.spec.containers[*].securityContext
+  value:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop: ["ALL"]
+- command: update
+  path: spec.install.spec.deployments[0].spec.template.spec.securityContext
+  value:
+    runAsNonRoot: true
+    runAsUser: 65534
+    seccompProfile:
+      type: RuntimeDefault
