Drop capabilities for most of containers (#500)

informalict · ajanikow · commit d79065bfbd9d · 2019-11-14T10:00:35.000+01:00
diff --git a/pkg/util/k8sutil/pods.go b/pkg/util/k8sutil/pods.go
@@ -297,9 +297,10 @@ func arangodInitContainer(name, id, engine, alpineImage string, requireUUID bool
 			"-c",
 			command,
 		},
-		Name:         name,
-		Image:        alpineImage,
-		VolumeMounts: arangodVolumeMounts(),
+		Name:            name,
+		Image:           alpineImage,
+		VolumeMounts:    arangodVolumeMounts(),
+		SecurityContext: SecurityContextWithoutCapabilities(),
 	}
 	return c
 }
@@ -412,6 +413,7 @@ func arangodbexporterContainer(image string, imagePullPolicy v1.PullPolicy, args
 				Protocol:      v1.ProtocolTCP,
 			},
 		},
+		SecurityContext: SecurityContextWithoutCapabilities(),
 	}
 	for k, v := range env {
 		c.Env = append(c.Env, v.CreateEnvVar(k))
@@ -494,6 +496,7 @@ func initLifecycleContainer(image string) (v1.Container, error) {
 		Image:           image,
 		ImagePullPolicy: v1.PullIfNotPresent,
 		VolumeMounts:    lifecycleVolumeMounts(),
+		SecurityContext: SecurityContextWithoutCapabilities(),
 	}
 	return c, nil
 }
@@ -574,7 +577,8 @@ func CreateArangodPod(kubecli kubernetes.Interface, developmentMode bool, deploy
 	}
 
 	// Add arangod container
-	c := arangodContainer(image, imagePullPolicy, args, env, livenessProbe, readinessProbe, lifecycle, lifecycleEnvVars, resources, vct != nil)
+	c :=
+		arangodContainer(image, imagePullPolicy, args, env, livenessProbe, readinessProbe, lifecycle, lifecycleEnvVars, resources, vct != nil)
 	if tlsKeyfileSecretName != "" {
 		c.VolumeMounts = append(c.VolumeMounts, tlsKeyfileVolumeMounts()...)
 	}
@@ -831,7 +835,7 @@ func createPod(kubecli kubernetes.Interface, pod *v1.Pod, ns string, owner metav
 func SecurityContextWithoutCapabilities() *v1.SecurityContext {
 	return &v1.SecurityContext{
 		Capabilities: &v1.Capabilities{
-			Drop: []v1.Capability{"all"},
+			Drop: []v1.Capability{"ALL"},
 		},
 	}
 }
diff --git a/reboot.go b/reboot.go
@@ -173,6 +173,7 @@ func runVolumeInspector(ctx context.Context, kube kubernetes.Interface, ns, name
 							},
 						},
 					},
+					SecurityContext: k8sutil.SecurityContextWithoutCapabilities(),
 				},
 			},
 			Volumes: []corev1.Volume{

Original file line number	Diff line number	Diff line change
`@@ -297,9 +297,10 @@ func arangodInitContainer(name, id, engine, alpineImage string, requireUUID bool`
`297`	`297`	`"-c",`
`298`	`298`	`command,`
`299`	`299`	`},`
`300`		`- Name: name,`
`301`		`- Image: alpineImage,`
`302`		`- VolumeMounts: arangodVolumeMounts(),`
	`300`	`+ Name: name,`
	`301`	`+ Image: alpineImage,`
	`302`	`+ VolumeMounts: arangodVolumeMounts(),`
	`303`	`+ SecurityContext: SecurityContextWithoutCapabilities(),`
`303`	`304`	`}`
`304`	`305`	`return c`
`305`	`306`	`}`
`@@ -412,6 +413,7 @@ func arangodbexporterContainer(image string, imagePullPolicy v1.PullPolicy, args`
`412`	`413`	`Protocol: v1.ProtocolTCP,`
`413`	`414`	`},`
`414`	`415`	`},`
	`416`	`+ SecurityContext: SecurityContextWithoutCapabilities(),`
`415`	`417`	`}`
`416`	`418`	`for k, v := range env {`
`417`	`419`	`c.Env = append(c.Env, v.CreateEnvVar(k))`
`@@ -494,6 +496,7 @@ func initLifecycleContainer(image string) (v1.Container, error) {`
`494`	`496`	`Image: image,`
`495`	`497`	`ImagePullPolicy: v1.PullIfNotPresent,`
`496`	`498`	`VolumeMounts: lifecycleVolumeMounts(),`
	`499`	`+ SecurityContext: SecurityContextWithoutCapabilities(),`
`497`	`500`	`}`
`498`	`501`	`return c, nil`
`499`	`502`	`}`
`@@ -574,7 +577,8 @@ func CreateArangodPod(kubecli kubernetes.Interface, developmentMode bool, deploy`
`574`	`577`	`}`
`575`	`578`
`576`	`579`	`// Add arangod container`
`577`		`- c := arangodContainer(image, imagePullPolicy, args, env, livenessProbe, readinessProbe, lifecycle, lifecycleEnvVars, resources, vct != nil)`
	`580`	`+ c :=`
	`581`	`+ arangodContainer(image, imagePullPolicy, args, env, livenessProbe, readinessProbe, lifecycle, lifecycleEnvVars, resources, vct != nil)`
`578`	`582`	`if tlsKeyfileSecretName != "" {`
`579`	`583`	`c.VolumeMounts = append(c.VolumeMounts, tlsKeyfileVolumeMounts()...)`
`580`	`584`	`}`
`@@ -831,7 +835,7 @@ func createPod(kubecli kubernetes.Interface, pod *v1.Pod, ns string, owner metav`
`831`	`835`	`func SecurityContextWithoutCapabilities() *v1.SecurityContext {`
`832`	`836`	`return &v1.SecurityContext{`
`833`	`837`	`Capabilities: &v1.Capabilities{`
`834`		`- Drop: []v1.Capability{"all"},`
	`838`	`+ Drop: []v1.Capability{"ALL"},`
`835`	`839`	`},`
`836`	`840`	`}`
`837`	`841`	`}`