Fix creation of ova provider in restricted namespaces.

Currently migration to restricted namespaces is working but the provider creation is failing since the ova-server pod doesn't have proper security configuration to run on such namespaces, this fix adds the missing parts. Signed-off-by: Bella Khizgiyaev <[email protected]>
kubev2v · Oct 24, 2023 · 1e95042 · 1e95042
1 parent cf8277d
commit 1e95042
Showing 1 changed file with 9 additions and 0 deletions.
diff --git a/pkg/controller/provider/ova-setup.go b/pkg/controller/provider/ova-setup.go
@@ -193,6 +193,8 @@ func (r *Reconciler) makeOvaProviderPodSpec(pvcName string, providerName string)
 
 	nfsVolumeName := fmt.Sprintf("%s-%s", nfsVolumeNamePrefix, providerName)
 	ovaContainerName := fmt.Sprintf("%s-pod-%s", ovaServer, providerName)
+	allowPrivilegeEscalation := false
+	nonRoot := true
 
 	return core.PodSpec{
 		Containers: []core.Container{
@@ -206,6 +208,13 @@ func (r *Reconciler) makeOvaProviderPodSpec(pvcName string, providerName string)
 						MountPath: mountPath,
 					},
 				},
+				SecurityContext: &core.SecurityContext{
+					AllowPrivilegeEscalation: &allowPrivilegeEscalation,
+					RunAsNonRoot:             &nonRoot,
+					Capabilities: &core.Capabilities{
+						Drop: []core.Capability{"ALL"},
+					},
+				},
 			},
 		},
 		Volumes: []core.Volume{