Merge pull request #622 from tspearconquest/security_context_values

181192 · web-flow · commit 4cfcb024b14a · 2023-10-29T17:29:05.000+01:00
Add support for setting seccomp profile and allow privilege escalatio…
diff --git a/cmd/azure-keyvault-secrets-webhook/pod.go b/cmd/azure-keyvault-secrets-webhook/pod.go
@@ -82,12 +82,20 @@ func (p podWebHook) getInitContainers() []corev1.Container {
 			},
 		},
 	}
+	if viper.IsSet("webhook_container_security_context_allow_privilege_escalation") {
+		container.SecurityContext.AllowPrivilegeEscalation = &[]bool{viper.GetBool("webhook_container_security_context_allow_privilege_escalation")}[0]
+	}
 	if viper.IsSet("webhook_container_security_context_user_uid") {
 		container.SecurityContext.RunAsUser = &[]int64{viper.GetInt64("webhook_container_security_context_user_uid")}[0]
 	}
 	if viper.IsSet("webhook_container_security_context_group_gid") {
 		container.SecurityContext.RunAsGroup = &[]int64{viper.GetInt64("webhook_container_security_context_group_gid")}[0]
 	}
+	if viper.IsSet("webhook_container_security_context_seccomp_runtime_default") && viper.GetBool("webhook_container_security_context_seccomp_runtime_default") {
+		container.SecurityContext.SeccompProfile = &corev1.SeccompProfile{
+			Type: corev1.SeccompProfileTypeRuntimeDefault,
+		}
+	}
 
 	return []corev1.Container{container}
 }

Original file line number	Diff line number	Diff line change
`@@ -82,12 +82,20 @@ func (p podWebHook) getInitContainers() []corev1.Container {`
`82`	`82`	`},`
`83`	`83`	`},`
`84`	`84`	`}`
	`85`	`+ if viper.IsSet("webhook_container_security_context_allow_privilege_escalation") {`
	`86`	`+ container.SecurityContext.AllowPrivilegeEscalation = &[]bool{viper.GetBool("webhook_container_security_context_allow_privilege_escalation")}[0]`
	`87`	`+ }`
`85`	`88`	`if viper.IsSet("webhook_container_security_context_user_uid") {`
`86`	`89`	`container.SecurityContext.RunAsUser = &[]int64{viper.GetInt64("webhook_container_security_context_user_uid")}[0]`
`87`	`90`	`}`
`88`	`91`	`if viper.IsSet("webhook_container_security_context_group_gid") {`
`89`	`92`	`container.SecurityContext.RunAsGroup = &[]int64{viper.GetInt64("webhook_container_security_context_group_gid")}[0]`
`90`	`93`	`}`
	`94`	`+ if viper.IsSet("webhook_container_security_context_seccomp_runtime_default") && viper.GetBool("webhook_container_security_context_seccomp_runtime_default") {`
	`95`	`+ container.SecurityContext.SeccompProfile = &corev1.SeccompProfile{`
	`96`	`+ Type: corev1.SeccompProfileTypeRuntimeDefault,`
	`97`	`+ }`
	`98`	`+ }`
`91`	`99`
`92`	`100`	`return []corev1.Container{container}`
`93`	`101`	`}`