
Fix creation of ova provider in restricted namespaces.
Signed-off-by: Bella Khizgiyaev <[email protected]>
bkhizgiy committed Oct 24, 2023
1 parent cf8277d commit a739c54
Showing 1 changed file with 9 additions and 0 deletions.
9 changes: 9 additions & 0 deletions pkg/controller/provider/ova-setup.go
Expand Up @@ -193,6 +193,8 @@ func (r *Reconciler) makeOvaProviderPodSpec(pvcName string, providerName string)

nfsVolumeName := fmt.Sprintf("%s-%s", nfsVolumeNamePrefix, providerName)
ovaContainerName := fmt.Sprintf("%s-pod-%s", ovaServer, providerName)
allowPrivilegeEscalation := false
nonRoot := true

return core.PodSpec{
Containers: []core.Container{
Expand All @@ -206,6 +208,13 @@ func (r *Reconciler) makeOvaProviderPodSpec(pvcName string, providerName string)
MountPath: mountPath,
},
},
SecurityContext: &core.SecurityContext{
AllowPrivilegeEscalation: &allowPrivilegeEscalation,
RunAsNonRoot: &nonRoot,
Capabilities: &core.Capabilities{
Drop: []core.Capability{"ALL"},
},
},
},
},
Volumes: []core.Volume{
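Review bot: The container SecurityContext added in the second hunk does not set a seccomp profile, so a namespace enforcing the "restricted" Pod Security Standard will still reject this pod unless the pod-level SecurityContext (outside the hunk) already sets one; `AllowPrivilegeEscalation`, `RunAsNonRoot` and `Drop: ALL` cover only three of the four restricted-profile requirements. I would add, next to `Capabilities` in the container SecurityContext, `SeccompProfile: &core.SeccompProfile{Type: core.SeccompProfileTypeRuntimeDefault},`. Note also that `RunAsNonRoot: true` is checked by the kubelet at start time, so it presumably relies on the ova server image declaring a non-root user; if the image does not, the container will fail to start rather than be admitted — worth confirming or setting `RunAsUser` explicitly. makeOvaProviderPodSpec begins before the first hunk and the PodSpec literal continues past the last line shown, so a pod-level SecurityContext may exist that I cannot see.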
