diff --git a/.dmtlint.yaml b/.dmtlint.yaml
index 3b1b6b4b8c..e3fea14ef1 100644
--- a/.dmtlint.yaml
+++ b/.dmtlint.yaml
@@ -53,36 +53,3 @@ linters-settings:
- tools/addlicense/testdata
- test/performance/ssh
- test/e2e/legacy/testdata/sshkeys
- container:
- exclude-rules:
- seccomp-profile:
- - kind: Deployment
- name: virt-operator
- container: kube-rbac-proxy
- - kind: Deployment
- name: virt-operator
- container: virt-operator
- - kind: Deployment
- name: dvcr
- container: dvcr
- - kind: Deployment
- name: dvcr
- container: kube-rbac-proxy
- - kind: Job
- name: pre-delete-hook
- container: pre-delete-hook
- - kind: Deployment
- name: virtualization-controller
- container: virtualization-controller
- - kind: Deployment
- name: virtualization-controller
- container: kube-rbac-proxy
- - kind: Deployment
- name: cdi-operator
- container: kube-rbac-proxy
- - kind: Deployment
- name: cdi-operator
- container: cdi-operator
- - kind: Deployment
- name: virtualization-api
- container: virtualization-api
diff --git a/templates/cdi/cdi-operator/deployment.yaml b/templates/cdi/cdi-operator/deployment.yaml
index d255dc092a..03381036fd 100644
--- a/templates/cdi/cdi-operator/deployment.yaml
+++ b/templates/cdi/cdi-operator/deployment.yaml
@@ -89,7 +89,7 @@ spec:
) }}
{{- include "kube_rbac_proxy.sidecar_container" (tuple . $kubeRbacProxySettings) | nindent 6 }}
- name: cdi-operator
- {{- include "helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all" . | nindent 8 }}
+ {{- include "helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all_pss_restricted" . | nindent 8 }}
env:
{{- include "kube_api_rewriter.kubeconfig_env" . | nindent 8 }}
{{- include "cdi_images" . | nindent 8 }}
diff --git a/templates/dvcr/deployment.yaml b/templates/dvcr/deployment.yaml
index 722ff35844..da470f41a6 100644
--- a/templates/dvcr/deployment.yaml
+++ b/templates/dvcr/deployment.yaml
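Review bot: The `..._pss_restricted` helper this line now includes is not defined anywhere in this diff, so it cannot be confirmed here that it emits a `seccompProfile` in addition to the read-only rootfs and capability drop the old helper name covered, yet the `.dmtlint.yaml` hunk above removes the seccomp-profile exclusions for cdi-operator and its kube-rbac-proxy sidecar on exactly that assumption. A rendered-manifest assertion on `securityContext.seccompProfile.type` for this container (for example a `helm template` check in CI) would turn the assumption into a guarantee and is what should back the lint-exclusion removal. The virt-operator hunk makes the same change and has the same gap. The cdi-operator container spec continues past the end of this hunk.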
@@ -79,7 +79,7 @@ spec:
{{ include "helm_lib_pod_anti_affinity_for_ha" (list . (dict "app" "dvcr")) | nindent 6 }}
containers:
- name: dvcr
- {{- include "helm_lib_module_container_security_context_read_only_root_filesystem" . | nindent 10 }}
+ {{- include "helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all_pss_restricted" . | nindent 10 }}
image: {{ include "helm_lib_module_image" (list . "dvcr") }}
imagePullPolicy: IfNotPresent
command:
diff --git a/templates/kube-rbac-proxy/_helpers.tpl b/templates/kube-rbac-proxy/_helpers.tpl
index f047402707..da53f26101 100644
--- a/templates/kube-rbac-proxy/_helpers.tpl
+++ b/templates/kube-rbac-proxy/_helpers.tpl
@@ -2,7 +2,7 @@
{{- $ctx := index . 0 }}
{{- $settings := index . 1 }}
- name: {{ $settings.containerName | default "kube-rbac-proxy" }}
- {{- include "helm_lib_module_container_security_context_read_only_root_filesystem" $ctx | nindent 2 }}
+ {{- include "helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all_pss_restricted" $ctx | nindent 2 }}
{{- if eq $settings.runAsUserNobody true }}
runAsNonRoot: true
runAsUser: 65534
diff --git a/templates/kubevirt/virt-operator/deployment.yaml b/templates/kubevirt/virt-operator/deployment.yaml
index 44d186acc7..10667c997a 100644
--- a/templates/kubevirt/virt-operator/deployment.yaml
+++ b/templates/kubevirt/virt-operator/deployment.yaml
@@ -107,7 +107,7 @@ spec:
) }}
{{- include "kube_rbac_proxy.sidecar_container" (tuple . $kubeRbacProxySettings) | nindent 6 }}
- name: virt-operator
- {{- include "helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all" . | nindent 8 }}
+ {{- include "helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all_pss_restricted" . | nindent 8 }}
args:
- --port
- "8443"
diff --git a/templates/pre-delete-hook/job.yaml b/templates/pre-delete-hook/job.yaml
index a27c94d746..15af983434 100644
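Review bot: For dvcr this line is the first time capabilities are dropped and the restricted profile is applied, since the previous include only set a read-only root filesystem, but nothing in the commit records that the registry was verified to start and serve with an empty capability set and the non-root settings the helper name implies. If the process binds a port below 1024 or writes to a root-owned path, the failure will surface only as a crash-looping pod after rollout, not at template-render time. An e2e check that the dvcr pod reaches Ready after this change, or a sentence in the commit description naming how it was verified, would close that gap. The pre-delete-hook, virtualization-api and virtualization-controller hunks make the same first-time switch away from `read_only_root_filesystem` and deserve the same check. The dvcr container spec continues past the end of this hunk.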
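Review bot: If the `..._pss_restricted` helper emits `runAsNonRoot: true` (which the restricted profile requires), the context lines that follow write `runAsNonRoot: true` a second time into the same `securityContext` mapping whenever `runAsUserNobody` is set, and duplicate mapping keys are either a parse error or a silent last-wins depending on the YAML loader. Once the helper's output is confirmed, the conditional block should shrink to `runAsUser: 65534` alone, leaving `runAsNonRoot` to the helper. The helper body is not in this diff, so this is an inference from its name; the rest of the sidecar template also lies outside the hunk.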
--- a/templates/pre-delete-hook/job.yaml
+++ b/templates/pre-delete-hook/job.yaml
@@ -18,7 +18,7 @@ spec:
serviceAccountName: pre-delete-hook
containers:
- name: pre-delete-hook
- {{- include "helm_lib_module_container_security_context_read_only_root_filesystem" . | nindent 8 }}
+ {{- include "helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all_pss_restricted" . | nindent 8 }}
image: {{ include "helm_lib_module_image" (list . "preDeleteHook") }}
env:
- name: WAIT_TIMEOUT
diff --git a/templates/virtualization-api/deployment.yaml b/templates/virtualization-api/deployment.yaml
index 722a01b7b1..8dc878a3d8 100644
--- a/templates/virtualization-api/deployment.yaml
+++ b/templates/virtualization-api/deployment.yaml
@@ -75,7 +75,7 @@ spec:
{{ include "helm_lib_pod_anti_affinity_for_ha" (list . (dict "app" "virtualization-api")) | nindent 6 }}
containers:
- name: virtualization-api
- {{- include "helm_lib_module_container_security_context_read_only_root_filesystem" . | nindent 10 }}
+ {{- include "helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all_pss_restricted" . | nindent 10 }}
args:
- --kubevirt-cabundle=/etc/virt-api/certificates/ca.crt
- --kubevirt-endpoint=virt-api.d8-{{ .Chart.Name}}.svc
diff --git a/templates/virtualization-controller/deployment.yaml b/templates/virtualization-controller/deployment.yaml
index d0cf32075b..680c4a9ec2 100644
--- a/templates/virtualization-controller/deployment.yaml
+++ b/templates/virtualization-controller/deployment.yaml
@@ -78,7 +78,7 @@ spec:
containers:
{{- include "kube_api_rewriter.sidecar_container" . | nindent 8 }}
- name: virtualization-controller
- {{- include "helm_lib_module_container_security_context_read_only_root_filesystem" . | nindent 10 }}
+ {{- include "helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all_pss_restricted" . | nindent 10 }}
image: {{ include "helm_lib_module_image" (list . "virtualizationController") }}
imagePullPolicy: IfNotPresent
{{- if (.Values.global.enabledModules | has "sdn") }}
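Review bot: The `kube_api_rewriter.sidecar_container` include in the context line above the changed line is not touched by this commit, so the sidecar it renders keeps whatever security context that helper sets; if that helper still uses a non-restricted include, the virtualization-controller pod will not satisfy the restricted Pod Security Standard even though this container now does, because the standard is evaluated against every container in the pod. It would be worth confirming the sidecar helper's rendered output, or updating it in the same change as was done for `kube_rbac_proxy.sidecar_container` in `templates/kube-rbac-proxy/_helpers.tpl`. The container spec continues beyond this hunk.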