From cf1ed9486a0aeb657bcdcb72910d060d36f8d882 Mon Sep 17 00:00:00 2001
From: Jiaqi Luo <6218999+jiaqiluo@users.noreply.github.com>
Date: Tue, 14 Dec 2021 11:37:08 -0700
Subject: [PATCH] (dev-v2.6-archive) drop all capabilities except CHOWN for the init container named init-chown-data
(partially cherry picked from commit a4d91ecd3ecc362b1770c9cf3211d8559959c802)
---
 .../templates/podsecuritypolicy.yaml.patch | 22 ++++++++++++++++++-
 packages/rancher-webhook/package.yaml | 2 +-
 2 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/packages/rancher-grafana/generated-changes/patch/templates/podsecuritypolicy.yaml.patch b/packages/rancher-grafana/generated-changes/patch/templates/podsecuritypolicy.yaml.patch
index 439672d3e..f1a91fd35 100644
--- a/packages/rancher-grafana/generated-changes/patch/templates/podsecuritypolicy.yaml.patch
+++ b/packages/rancher-grafana/generated-changes/patch/templates/podsecuritypolicy.yaml.patch
@@ -1,6 +1,6 @@
 --- charts-original/templates/podsecuritypolicy.yaml
 +++ charts/templates/podsecuritypolicy.yaml
-@@ -5,13 +5,9 @@
+@@ -5,19 +5,27 @@
 name: {{ template "grafana.fullname" . }}
 labels:
 {{- include "grafana.labels" . | nindent 4 }}
@@ -17,3 +17,23 @@
 spec:
 privileged: false
 allowPrivilegeEscalation: false
+ requiredDropCapabilities:
+- # Default set from Docker, with DAC_OVERRIDE and CHOWN
+- - ALL
++ # The list comes from K8s' pod security standards, with only CHOWN left
++ # ref: https://kubernetes.io/docs/concepts/security/pod-security-standards/
++ - AUDIT_WRITE
++ - DAC_OVERRIDE
++ - FOWNER
++ - FSETID
++ - KILL
++ - MKNOD
++ - NET_BIND_SERVICE
++ - SETFCAP
++ - SETGID
++ - SETPCAP
++ - SETUID
++ - SYS_CHROOT
+ volumes:
+ - 'configMap'
+ - 'emptyDir'
diff --git a/packages/rancher-webhook/package.yaml b/packages/rancher-webhook/package.yaml
index cda9e1009..db8cb79a0 100644
--- a/packages/rancher-webhook/package.yaml
+++ b/packages/rancher-webhook/package.yaml
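Review bot: The new requiredDropCapabilities list in the second hunk (`@@ -17,3 +17,23 @@`) loosens the policy for every container admitted under this PodSecurityPolicy, not only the init-chown-data init container named in the subject, because a PSP has no per-container scope; the main grafana container keeps CHOWN as well. The list also omits NET_RAW, which the previous `- ALL` entry dropped and which is typically part of the container runtime's default capability set but is not in the PSS baseline allowed set, so adding `- NET_RAW` to the list would keep the policy at baseline. The inline comment overstates the source: the entries are the baseline-allowed capabilities minus CHOWN, so `# Baseline-allowed capabilities from the K8s pod security standards, minus CHOWN (needed by init-chown-data)` would describe it accurately. The rest of the PSP spec (for example allowedCapabilities) lies outside this hunk, so whether containers can add further capabilities cannot be judged from here.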
@@ -1,2 +1,2 @@
-url: https://github.com/rancher/webhook/releases/download/v0.2.2/rancher-webhook-0.2.2.tgz
+url: https://github.com/rancher/webhook/releases/download/v0.2.2-rc2/rancher-webhook-0.2.2-rc2.tgz
 version: 1.0.2