From dc0ad47dd48643749bac388543cc5df601a20aa7 Mon Sep 17 00:00:00 2001
From: David Grove
Date: Mon, 6 May 2024 15:21:47 -0400
Subject: [PATCH] add seccomp of RuntimeDefault on mcad manager pod

---
 config/manager/manager.yaml | 9 ++-------
 .../mcad-controller/templates/manager/deployment.yaml | 4 ++++
 2 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
index 4108346..0f3efa5 100644
--- a/config/manager/manager.yaml
+++ b/config/manager/manager.yaml
@@ -45,13 +45,8 @@ spec:
 # - linux
 securityContext:
 runAsNonRoot: true
- # TODO(user): For common cases that do not require escalating privileges
- # it is recommended to ensure that all your Pods/Containers are restrictive.
- # More info: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
- # Please uncomment the following code if your project does NOT have to work on old Kubernetes
- # versions < 1.19 or on vendors versions which do NOT support this field by default (i.e. Openshift < 4.11 ).
- # seccompProfile:
- # type: RuntimeDefault
+ seccompProfile:
+ type: RuntimeDefault
 containers:
 - command:
 - /manager
diff --git a/deployment/mcad-controller/templates/manager/deployment.yaml b/deployment/mcad-controller/templates/manager/deployment.yaml
index 0bb4870..cac17b0 100644
--- a/deployment/mcad-controller/templates/manager/deployment.yaml
+++ b/deployment/mcad-controller/templates/manager/deployment.yaml
@@ -16,6 +16,8 @@ spec:
 spec:
 securityContext:
 runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
 serviceAccountName: {{ .Values.serviceAccount }}
 terminationGracePeriodSeconds: 10
 priorityClassName: system-node-critical
@@ -99,6 +101,8 @@ spec:
 spec:
 securityContext:
 runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
 serviceAccountName: {{ .Values.serviceAccount }}
 terminationGracePeriodSeconds: 10
 priorityClassName: system-node-critical
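Review bot: The two added `seccompProfile` lines in config/manager/manager.yaml replace the scaffold comment that recorded why the field was left off (Kubernetes below 1.19 and vendor distributions such as OpenShift below 4.11 do not support it), so the minimum platform version this manifest now assumes is no longer stated anywhere in the hunk. A one-line comment above the added lines would keep that context for the next maintainer: `# seccompProfile requires Kubernetes >= 1.19 / OpenShift >= 4.11 (Pod Security Standards "restricted")`. This is the pod-level securityContext; the `containers:` list begins at the end of the hunk but its per-container securityContext is outside it, so whether any container overrides the profile cannot be confirmed from here.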
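Review bot: In deployment/mcad-controller/templates/manager/deployment.yaml the same two `seccompProfile` lines are added verbatim to both Deployment specs (this hunk at line 16 and the one at line 99) with no values-file toggle, so a chart user on a cluster that does not support the field — the very caveat the first file's removed comment described — has no way to omit it. If the chart is meant to support such clusters, gating both blocks on a new (constructed-name) value, e.g. `{{- if .Values.seccompProfileEnabled }}` around the two lines and `{{- end }}` after them, would keep the restricted-profile default while allowing opt-out; if it is not, a short chart-level comment stating the minimum platform version would be enough. Both enclosing `spec:` blocks start and continue outside the hunk.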