apitech
/
loki
mirror of https://github.com/grafana/loki
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Like Prometheus, but for logs.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
8035 Commits
1078 Branches
354 Tags
754 MiB
 
 
 
 
 
 
Tag: Branch: Tree: a2c8ec7dc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'a2c8ec7dc1'
${ noResults }
loki/operator/internal/manifests/securitycontext.go

41 lines
1.0 KiB
Raw Blame History

package manifests
import (
"github.com/ViaQ/logerr/v2/kverrors"
"github.com/imdario/mergo"
corev1 "k8s.io/api/core/v1"
"k8s.io/utils/ptr"
)
func configurePodSpecForRestrictedStandard(podSpec *corev1.PodSpec) error {
podSecurityContext := corev1.PodSpec{
SecurityContext: &corev1.PodSecurityContext{
RunAsNonRoot: ptr.To(true),
SeccompProfile: &corev1.SeccompProfile{
Type: corev1.SeccompProfileTypeRuntimeDefault,
},
},
}
containerSecurityContext := corev1.Container{
SecurityContext: &corev1.SecurityContext{
AllowPrivilegeEscalation: ptr.To(false),
Capabilities: &corev1.Capabilities{
Drop: []corev1.Capability{"ALL"},
},
},
}
for i, container := range podSpec.Containers {
if err := mergo.Merge(&container, containerSecurityContext, mergo.WithOverride); err != nil {
return err
}
podSpec.Containers[i] = container
}
if err := mergo.Merge(podSpec, podSecurityContext, mergo.WithOverride); err != nil {
return kverrors.Wrap(err, "failed to merge pod security context")
}
return nil
}