squakez opened a new pull request, #5461:
URL: https://github.com/apache/camel-k/pull/5461
This PR introduces a default value for both the Pod and Container Security
Context in order to strengthen the security on the cluster and avoid possible
privilege escalations. Note that we still must set the `runAsNonRoot` value as
`false` by default, as we are building containers to run with the `root` user. We
will work on a follow-up issue to remove such a constraint and set this default
to `true` when we are ready.
The resulting Pod executed (whichever the controller strategy) will be
like the following:
```
spec:
  containers:
  - args:
    - echo exec java -cp ...
    image: 10.100.107.57/default/camel-k-kit-costpl3m17ss73c14n40@sha256:42965134843fe61db6ac1ebf965d28f33a22b5159e10c48ed64f112e34b78442
    imagePullPolicy: IfNotPresent
    name: integration
    ...
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - ALL
      runAsNonRoot: false
      seccompProfile:
        type: RuntimeDefault
  ...
  securityContext:
    runAsNonRoot: false
    seccompProfile:
      type: RuntimeDefault
  serviceAccount: default
  ...
```
The default configuration is enriched automatically in OpenShift clusters,
which are already enforcing these policies, with the addition of a default
`runAsUser` value.
**Release Note**
```release-note
feat(trait): Pod and Container security context
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
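To see what the defaults above buy and where the stated gap remains, here is an added example (not Camel K code, and not from the PR author) that mirrors the defaults shown in the YAML as plain dictionaries, fills them into a bare Pod spec the way a trait would, and audits the result against the Kubernetes restricted Pod Security Standard checks those fields map to. Assumptions: the sample spec, image reference and function names (`apply_defaults`, `audit`) are constructed for this example; the audit encodes the restricted-profile rules for privilege escalation, capabilities, seccomp and non-root, and resolves container-level settings over pod-level ones, which is Kubernetes precedence for the overlapping fields.

```python
"""Apply the PR's default security contexts to a Pod spec and audit it
against restricted Pod Security Standard checks.  Added example; the
defaults are copied from the PR description, everything else is
constructed for illustration.  Standard library only."""
from copy import deepcopy

# Pod-level and container-level defaults as shown in the PR's YAML.
POD_SC_DEFAULTS = {
    "runAsNonRoot": False,
    "seccompProfile": {"type": "RuntimeDefault"},
}
CONTAINER_SC_DEFAULTS = {
    "allowPrivilegeEscalation": False,
    "capabilities": {"drop": ["ALL"]},
    "runAsNonRoot": False,
    "seccompProfile": {"type": "RuntimeDefault"},
}


def apply_defaults(pod_spec):
    """Return a copy of pod_spec with any missing securityContext fields
    filled from the defaults.  Fields the user already set are kept."""
    spec = deepcopy(pod_spec)
    pod_sc = spec.setdefault("securityContext", {})
    for key, value in POD_SC_DEFAULTS.items():
        pod_sc.setdefault(key, deepcopy(value))
    for container in spec.get("containers", []):
        sc = container.setdefault("securityContext", {})
        for key, value in CONTAINER_SC_DEFAULTS.items():
            sc.setdefault(key, deepcopy(value))
    return spec


def _effective(container_sc, pod_sc, key):
    """Container-level value wins over the pod-level value when both are
    set (Kubernetes precedence for runAsNonRoot / seccompProfile)."""
    if key in container_sc:
        return container_sc[key]
    return pod_sc.get(key)


def audit(pod_spec):
    """Return (container, field, message) findings for the restricted-profile
    checks.  An empty list means every check passed."""
    findings = []
    pod_sc = pod_spec.get("securityContext", {})
    for container in pod_spec.get("containers", []):
        name = container.get("name", "<unnamed>")
        sc = container.get("securityContext", {})
        if sc.get("privileged", False):
            findings.append((name, "privileged", "must not be true"))
        # Unset allowPrivilegeEscalation defaults to true in Kubernetes.
        if sc.get("allowPrivilegeEscalation", True) is not False:
            findings.append((name, "allowPrivilegeEscalation", "must be explicitly false"))
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            findings.append((name, "capabilities.drop", "must include ALL"))
        if set(caps.get("add", [])) - {"NET_BIND_SERVICE"}:
            findings.append((name, "capabilities.add", "only NET_BIND_SERVICE may be added"))
        seccomp = (_effective(sc, pod_sc, "seccompProfile") or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            findings.append((name, "seccompProfile.type", "must be RuntimeDefault or Localhost"))
        if _effective(sc, pod_sc, "runAsNonRoot") is not True:
            findings.append((name, "runAsNonRoot", "must be true"))
    return findings


# Constructed sample: a bare integration Pod with no security context at all.
BARE_SPEC = {
    "containers": [
        {
            "name": "integration",
            "image": "registry.example/camel-k-kit:placeholder",  # constructed
            "args": ["echo exec java -cp ..."],
        }
    ],
    "serviceAccount": "default",
}

if __name__ == "__main__":
    print("before defaults:", audit(BARE_SPEC))
    print("after defaults: ", audit(apply_defaults(BARE_SPEC)))
```

Running it shows the bare spec failing four checks and the defaulted spec failing exactly one, `runAsNonRoot`, which is the caveat the PR calls out. Because `apply_defaults` only fills missing fields, a user who sets `runAsNonRoot: true` on the container keeps that value and the audit then comes back clean, which is the shape the follow-up work would make the default.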