chore(ci): add seccomp policies

.dmtlint.yaml

@@ -53,36 +53,3 @@ linters-settings:
           - tools/addlicense/testdata
           - test/performance/ssh
           - test/e2e/legacy/testdata/sshkeys
-  container:
-    exclude-rules:
-      seccomp-profile:
-        - kind: Deployment
-          name: virt-operator
-          container: kube-rbac-proxy
-        - kind: Deployment
-          name: virt-operator
-          container: virt-operator
-        - kind: Deployment
-          name: dvcr
-          container: dvcr
-        - kind: Deployment
-          name: dvcr
-          container: kube-rbac-proxy
-        - kind: Job
-          name: pre-delete-hook
-          container: pre-delete-hook
-        - kind: Deployment
-          name: virtualization-controller
-          container: virtualization-controller
-        - kind: Deployment
-          name: virtualization-controller
-          container: kube-rbac-proxy
-        - kind: Deployment
-          name: cdi-operator
-          container: kube-rbac-proxy
-        - kind: Deployment
-          name: cdi-operator
-          container: cdi-operator
-        - kind: Deployment
-          name: virtualization-api
-          container: virtualization-api

templates/cdi/cdi-operator/deployment.yaml

@@ -89,7 +89,7 @@ spec:
       ) }}
       {{- include "kube_rbac_proxy.sidecar_container" (tuple . $kubeRbacProxySettings) | nindent 6 }}
       - name: cdi-operator
-        {{- include "helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all" . | nindent 8 }}
+        {{- include "helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all_pss_restricted" . | nindent 8 }}
         env:
         {{- include "kube_api_rewriter.kubeconfig_env" . | nindent 8 }}
         {{- include "cdi_images" . | nindent 8 }}

templates/dvcr/deployment.yaml

@@ -79,7 +79,7 @@ spec:
       {{ include "helm_lib_pod_anti_affinity_for_ha" (list . (dict "app" "dvcr")) | nindent 6 }}
       containers:
         - name: dvcr
-          {{- include "helm_lib_module_container_security_context_read_only_root_filesystem" . | nindent 10 }}
+          {{- include "helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all_pss_restricted" . | nindent 10 }}
           image: {{ include "helm_lib_module_image" (list . "dvcr") }}
           imagePullPolicy: IfNotPresent
           command:

templates/kube-rbac-proxy/_helpers.tpl

@@ -2,7 +2,7 @@
 {{- $ctx := index . 0 }}
 {{- $settings := index . 1 }}
 - name: {{ $settings.containerName | default "kube-rbac-proxy" }}
-  {{- include "helm_lib_module_container_security_context_read_only_root_filesystem" $ctx | nindent 2 }}
+  {{- include "helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all_pss_restricted" $ctx | nindent 2 }}
   {{- if eq $settings.runAsUserNobody true }}
     runAsNonRoot: true
     runAsUser: 65534

templates/kubevirt/virt-operator/deployment.yaml

@@ -107,7 +107,7 @@ spec:
       ) }}
       {{- include "kube_rbac_proxy.sidecar_container" (tuple . $kubeRbacProxySettings) | nindent 6 }}
       - name: virt-operator
-        {{- include "helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all" . | nindent 8 }}
+        {{- include "helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all_pss_restricted" . | nindent 8 }}
         args:
         - --port
         - "8443"

templates/pre-delete-hook/job.yaml

@@ -18,7 +18,7 @@ spec:
       serviceAccountName: pre-delete-hook
       containers:
       - name: pre-delete-hook
-        {{- include "helm_lib_module_container_security_context_read_only_root_filesystem" . | nindent 8 }}
+        {{- include "helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all_pss_restricted" . | nindent 8 }}
         image: {{ include "helm_lib_module_image" (list . "preDeleteHook") }}
         env:
         - name: WAIT_TIMEOUT

templates/virtualization-api/deployment.yaml

@@ -75,7 +75,7 @@ spec:
       {{ include "helm_lib_pod_anti_affinity_for_ha" (list . (dict "app" "virtualization-api")) | nindent 6 }}
       containers:
         - name: virtualization-api
-          {{- include "helm_lib_module_container_security_context_read_only_root_filesystem" . | nindent 10 }}
+          {{- include "helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all_pss_restricted" . | nindent 10 }}
           args:
             - --kubevirt-cabundle=/etc/virt-api/certificates/ca.crt
             - --kubevirt-endpoint=virt-api.d8-{{ .Chart.Name}}.svc

templates/virtualization-controller/deployment.yaml

@@ -78,7 +78,7 @@ spec:
       containers:
         {{- include "kube_api_rewriter.sidecar_container" . | nindent 8 }}
         - name: virtualization-controller
-          {{- include "helm_lib_module_container_security_context_read_only_root_filesystem" . | nindent 10 }}
+          {{- include "helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all_pss_restricted" . | nindent 10 }}
           image: {{ include "helm_lib_module_image" (list . "virtualizationController") }}
           imagePullPolicy: IfNotPresent
           {{- if (.Values.global.enabledModules | has "sdn") }}