fix(#130): add SecurityContext to createInitContainerPatch (#131)

toms-place · web-flow · commit 4fddca26efdf · 2025-02-27T07:42:14.000+01:00
* feat: add SecurityContext to createInitContainerPatch

* Update NOTICE.txt
diff --git a/NOTICE.txt b/NOTICE.txt
@@ -1,4 +1,4 @@
-Copyright 2024 Elasticsearch BV
+Copyright 2025 Elasticsearch BV
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
diff --git a/patch.go b/patch.go
@@ -187,13 +187,20 @@ func createVolumePatch(createArray bool) patchOperation {
 func createInitContainerPatch(config agentConfig, createArray bool) (patchOperation, error) {
 	bp := filepath.Base(config.Image)
 	name := strings.Split(bp, ":")
+	allowPrivilegeEscalation := false
 	agentInitContainer := corev1.Container{
 		Name:         name[0],
 		Image:        config.Image,
 		VolumeMounts: []corev1.VolumeMount{volumeMounts},
 		// TODO: should this be a default, and then users can modify it
 		// *if needed*?
 		Command: []string{"cp", "-v", "-r", config.ArtifactPath, mountPath},
+		SecurityContext: &corev1.SecurityContext{
+			AllowPrivilegeEscalation: &allowPrivilegeEscalation,
+			Capabilities: &corev1.Capabilities{
+				Drop: []corev1.Capability{"ALL"},
+			},
+		},
 	}
 
 	if errs := validation.IsDNS1123Label(agentInitContainer.Name); len(errs) != 0 {

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-Copyright 2024 Elasticsearch BV`
	`1`	`+Copyright 2025 Elasticsearch BV`
`2`	`2`
`3`	`3`	`Licensed under the Apache License, Version 2.0 (the "License");`
`4`	`4`	`you may not use this file except in compliance with the License.`