Overwrite only some settings in the security context when apparmor is…

… enabled It should overwrite only some settings in the security context when apparmor is enabled in order to keep the local seccomp profile in the security context. Change-Id: Ib48b8c4a63b773086ccef9c84538518829583adb Signed-off-by: Cosmin Cojocar <[email protected]>
kubernetes-sigs · Dec 11, 2024 · 97ffa5f · 97ffa5f
1 parent 3cb35b9
commit 97ffa5f
Showing 1 changed file with 7 additions and 8 deletions.
diff --git a/internal/pkg/manager/spod/spod_controller.go b/internal/pkg/manager/spod/spod_controller.go
@@ -576,15 +576,14 @@ func (r *ReconcileSPOd) getConfiguredSPOd(
 	if cfg.Spec.EnableAppArmor {
 		falsely, truly := false, true
 		var userRoot int64
-		// a more privileged mode is required when apparmor is enabled
+		// A more privileged mode is required when apparmor is enabled.
 		// TODO: review security model and provide a dynamic approach that can be case specific
-		templateSpec.Containers[bindata.ContainerIDDaemon].SecurityContext = &corev1.SecurityContext{
-			AllowPrivilegeEscalation: &truly,
-			Privileged:               &truly,
-			ReadOnlyRootFilesystem:   &falsely,
-			RunAsUser:                &userRoot,
-			RunAsGroup:               &userRoot,
-		}
+		sc := templateSpec.Containers[bindata.ContainerIDDaemon].SecurityContext
+		sc.AllowPrivilegeEscalation = &truly
+		sc.Privileged = &truly
+		sc.ReadOnlyRootFilesystem = &falsely
+		sc.RunAsUser = &userRoot
+		sc.RunAsGroup = &userRoot
 
 		templateSpec.Containers[bindata.ContainerIDDaemon].Args = append(
 			templateSpec.Containers[bindata.ContainerIDDaemon].Args,