From 97ffa5f3a00e4644460e1f0a3c4b680dbe698209 Mon Sep 17 00:00:00 2001
From: Cosmin Cojocar
Date: Wed, 11 Dec 2024 12:16:06 +0000
Subject: [PATCH] Overwrite only some settings in the security context when apparmor is enabled

It should overwrite only some settings in the security context when apparmor is enabled in order to keep the local seccomp profile in the security context.

Change-Id: Ib48b8c4a63b773086ccef9c84538518829583adb
Signed-off-by: Cosmin Cojocar
---
 internal/pkg/manager/spod/spod_controller.go | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/internal/pkg/manager/spod/spod_controller.go b/internal/pkg/manager/spod/spod_controller.go
index ce01b32b63..4d2603e851 100644
--- a/internal/pkg/manager/spod/spod_controller.go
+++ b/internal/pkg/manager/spod/spod_controller.go
@@ -576,15 +576,14 @@ func (r *ReconcileSPOd) getConfiguredSPOd(
  if cfg.Spec.EnableAppArmor {
  falsely, truly := false, true
  var userRoot int64
- // a more privileged mode is required when apparmor is enabled
+ // A more privileged mode is required when apparmor is enabled.
  // TODO: review security model and provide a dynamic approach that can be case specific
- templateSpec.Containers[bindata.ContainerIDDaemon].SecurityContext = &corev1.SecurityContext{
- AllowPrivilegeEscalation: &truly,
- Privileged: &truly,
- ReadOnlyRootFilesystem: &falsely,
- RunAsUser: &userRoot,
- RunAsGroup: &userRoot,
- }
+ sc := templateSpec.Containers[bindata.ContainerIDDaemon].SecurityContext
+ sc.AllowPrivilegeEscalation = &truly
+ sc.Privileged = &truly
+ sc.ReadOnlyRootFilesystem = &falsely
+ sc.RunAsUser = &userRoot
+ sc.RunAsGroup = &userRoot
  templateSpec.Containers[bindata.ContainerIDDaemon].Args = append(
  templateSpec.Containers[bindata.ContainerIDDaemon].Args,