diff --git a/pkg/controller/provider/ova-setup.go b/pkg/controller/provider/ova-setup.go
index 776b8cdf8..710be8864 100644
--- a/pkg/controller/provider/ova-setup.go
+++ b/pkg/controller/provider/ova-setup.go
@@ -193,6 +193,8 @@ func (r *Reconciler) makeOvaProviderPodSpec(pvcName string, providerName string)
 nfsVolumeName := fmt.Sprintf("%s-%s", nfsVolumeNamePrefix, providerName)
 ovaContainerName := fmt.Sprintf("%s-pod-%s", ovaServer, providerName)
+ allowPrivilegeEscalation := false
+ runAsNonRoot := true
 return core.PodSpec{
 Containers: []core.Container{
@@ -206,6 +208,13 @@ func (r *Reconciler) makeOvaProviderPodSpec(pvcName string, providerName string)
 MountPath: mountPath,
 },
 },
+ SecurityContext: &core.SecurityContext{
+ AllowPrivilegeEscalation: &allowPrivilegeEscalation,
+ RunAsNonRoot: &runAsNonRoot,
+ Capabilities: &core.Capabilities{
+ Drop: []core.Capability{"ALL"},
+ },
+ },
 },
 },
 Volumes: []core.Volume{
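Review bot: The new SecurityContext on the ova container (second hunk) drops all capabilities, disables privilege escalation and sets RunAsNonRoot, but omits a seccomp profile, so the pod still does not meet the restricted Pod Security Standard and will be rejected by a namespace enforcing `pod-security.kubernetes.io/enforce: restricted`; assuming `core` is `k8s.io/api/core/v1`, add `SeccompProfile: &core.SeccompProfile{Type: core.SeccompProfileTypeRuntimeDefault},` alongside `Capabilities`. Separately, `RunAsNonRoot: true` without a `RunAsUser` depends on the image's USER directive being a numeric non-root UID — if the ova-server image defaults to root or a named user, kubelet refuses to start the container rather than silently running it as root, so either confirm the image's USER or set `RunAsUser` explicitly here. Since the container writes under `mountPath` on the NFS-backed volume, the non-root UID also needs write access to that export (ownership, supplementary group or `FSGroup` on the pod) — worth verifying against the provisioned PVC. The enclosing `makeOvaProviderPodSpec` starts before the first hunk and continues past the second.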