From 4cefcf5e9855bbde4c35f91b5e1c9c16e3f6bf3a Mon Sep 17 00:00:00 2001 From: Lukas Piwowarski Date: Tue, 30 Jun 2026 12:10:47 +0200 Subject: [PATCH] Set seccompProfile to RuntimeDefault on operator pods Uncomment and apply the seccompProfile field in manager.yaml and the CSV so that operator pods always run under the RuntimeDefault seccomp profile (make it explicit). --- ...nstack-lightspeed-operator.clusterserviceversion.yaml | 2 ++ config/manager/manager.yaml | 9 ++------- 2 files changed, 4 insertions(+), 7 deletions(-) diff --git a/bundle/manifests/openstack-lightspeed-operator.clusterserviceversion.yaml b/bundle/manifests/openstack-lightspeed-operator.clusterserviceversion.yaml index 47a123de..640882ca 100644 --- a/bundle/manifests/openstack-lightspeed-operator.clusterserviceversion.yaml +++ b/bundle/manifests/openstack-lightspeed-operator.clusterserviceversion.yaml @@ -244,6 +244,8 @@ spec: - ALL securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: openstack-lightspeed-operator-controller-manager terminationGracePeriodSeconds: 10 permissions: diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml index 788d464a..1974cea8 100644 --- a/config/manager/manager.yaml +++ b/config/manager/manager.yaml @@ -50,13 +50,8 @@ spec: # - linux securityContext: runAsNonRoot: true - # TODO(user): For common cases that do not require escalating privileges - # it is recommended to ensure that all your Pods/Containers are restrictive. - # More info: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted - # Please uncomment the following code if your project does NOT have to work on old Kubernetes - # versions < 1.19 or on vendors versions which do NOT support this field by default (i.e. Openshift < 4.11 ). - # seccompProfile: - # type: RuntimeDefault + seccompProfile: + type: RuntimeDefault containers: - command: - /manager