From 73f5631064a864fa4d906d44aa5e2c8868af15d0 Mon Sep 17 00:00:00 2001
From: Bella Khizgiyaev
Date: Wed, 8 Nov 2023 21:13:56 +0200
Subject: [PATCH] Backport https://github.com/kubev2v/forklift/pull/631
Signed-off-by: Bella Khizgiyaev
---
 pkg/controller/provider/ova-setup.go | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/pkg/controller/provider/ova-setup.go b/pkg/controller/provider/ova-setup.go
index 776b8cdf8..3ee358ffd 100644
--- a/pkg/controller/provider/ova-setup.go
+++ b/pkg/controller/provider/ova-setup.go
@@ -193,6 +193,8 @@ func (r *Reconciler) makeOvaProviderPodSpec(pvcName string, providerName string)
 nfsVolumeName := fmt.Sprintf("%s-%s", nfsVolumeNamePrefix, providerName)
 ovaContainerName := fmt.Sprintf("%s-pod-%s", ovaServer, providerName)
+ allowPrivilegeEscalation := false
+ nonRoot := true
 return core.PodSpec{
 Containers: []core.Container{
@@ -206,6 +208,13 @@ func (r *Reconciler) makeOvaProviderPodSpec(pvcName string, providerName string)
 MountPath: mountPath,
 },
 },
+ SecurityContext: &core.SecurityContext{
+ AllowPrivilegeEscalation: &allowPrivilegeEscalation,
+ RunAsNonRoot: &nonRoot,
+ Capabilities: &core.Capabilities{
+ Drop: []core.Capability{"ALL"},
+ },
+ },
 },
 },
 Volumes: []core.Volume{
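Review bot: The new container SecurityContext in the second hunk still lacks a seccomp profile, which the Kubernetes "restricted" Pod Security Standard requires in addition to the three fields added here; add `SeccompProfile: &core.SeccompProfile{Type: core.SeccompProfileTypeRuntimeDefault},` next to `RunAsNonRoot`. `RunAsNonRoot: true` is checked by the container runtime at start, so the ova-server image must declare a numeric non-root `USER` (or the spec must set `RunAsUser`), otherwise the pod fails with CreateContainerConfigError — worth confirming against the image this pod runs. Whether `ReadOnlyRootFilesystem: true` is also viable depends on where the server writes, which this hunk does not show. The enclosing `makeOvaProviderPodSpec` starts and ends outside both hunks.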