From 4dbd3ab79b4b71e7ebbb2516afbef5c247bd7f9f Mon Sep 17 00:00:00 2001
From: nreisingercres <141150843+nreisingercres@users.noreply.github.com>
Date: Fri, 25 Jul 2025 22:06:06 -0500
Subject: [PATCH 1/4] Add default SeccompProfile
---
 .../elasticsearch/securitycontext/securitycontext.go | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/pkg/controller/elasticsearch/securitycontext/securitycontext.go b/pkg/controller/elasticsearch/securitycontext/securitycontext.go
index af90548cd7d..d5c844e6f5b 100644
--- a/pkg/controller/elasticsearch/securitycontext/securitycontext.go
+++ b/pkg/controller/elasticsearch/securitycontext/securitycontext.go
@@ -28,6 +28,9 @@ func For(ver version.Version, enableReadOnlyRootFilesystem bool) corev1.Security
 Privileged: ptr.To[bool](false),
 ReadOnlyRootFilesystem: ptr.To[bool](enableReadOnlyRootFilesystem),
 AllowPrivilegeEscalation: ptr.To[bool](false),
+ SeccompProfile: corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault
+ },
 }
 if ver.LT(DropCapabilitiesMinStackVersion) {
 return sc
From 854e7613179fb1ee94de8a13a38c3dcab309a1f0 Mon Sep 17 00:00:00 2001
From: Nick Reisinger
Date: Sat, 26 Jul 2025 04:38:53 +0000
Subject: [PATCH 2/4] Add missing ,
---
 .../elasticsearch/securitycontext/securitycontext.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkg/controller/elasticsearch/securitycontext/securitycontext.go b/pkg/controller/elasticsearch/securitycontext/securitycontext.go
index d5c844e6f5b..bc4f33a7589 100644
--- a/pkg/controller/elasticsearch/securitycontext/securitycontext.go
+++ b/pkg/controller/elasticsearch/securitycontext/securitycontext.go
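Review bot: As committed, this hunk does not build: `SeccompProfile` on `corev1.SecurityContext` is a pointer field, and the multi-line composite literal has no trailing comma after `corev1.SeccompProfileTypeRuntimeDefault`, so `go build` fails at this commit; patch 2/4 ("Add missing ,") corrects both and patch 3/4 then re-indents the same line. Those three commits should be squashed so that every commit in the series compiles and `git bisect` stays usable. `For` begins before this hunk and continues after it.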
@@ -28,8 +28,8 @@ func For(ver version.Version, enableReadOnlyRootFilesystem bool) corev1.Security
 Privileged: ptr.To[bool](false),
 ReadOnlyRootFilesystem: ptr.To[bool](enableReadOnlyRootFilesystem),
 AllowPrivilegeEscalation: ptr.To[bool](false),
- SeccompProfile: corev1.SeccompProfile{
- Type: corev1.SeccompProfileTypeRuntimeDefault
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
 },
 }
 if ver.LT(DropCapabilitiesMinStackVersion) {
From 013339e943216ee79ed36a3deee3009007feb7d1 Mon Sep 17 00:00:00 2001
From: Nick Reisinger
Date: Sat, 26 Jul 2025 14:54:07 +0000
Subject: [PATCH 3/4] Add tests
---
 .../securitycontext/securitycontext.go | 5 ++++-
 .../securitycontext/securitycontext_test.go | 15 +++++++++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/pkg/controller/elasticsearch/securitycontext/securitycontext.go b/pkg/controller/elasticsearch/securitycontext/securitycontext.go
index bc4f33a7589..d583855d6ce 100644
--- a/pkg/controller/elasticsearch/securitycontext/securitycontext.go
+++ b/pkg/controller/elasticsearch/securitycontext/securitycontext.go
@@ -28,7 +28,7 @@ func For(ver version.Version, enableReadOnlyRootFilesystem bool) corev1.Security
 Privileged: ptr.To[bool](false),
 ReadOnlyRootFilesystem: ptr.To[bool](enableReadOnlyRootFilesystem),
 AllowPrivilegeEscalation: ptr.To[bool](false),
- SeccompProfile: &corev1.SeccompProfile{
+ SeccompProfile: &corev1.SeccompProfile{
 Type: corev1.SeccompProfileTypeRuntimeDefault,
 },
 }
@@ -53,6 +53,9 @@ func DefaultBeatSecurityContext(ver version.Version) *corev1.SecurityContext {
 Privileged: ptr.To[bool](false),
 ReadOnlyRootFilesystem: ptr.To[bool](true),
 AllowPrivilegeEscalation: ptr.To[bool](false),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
 }
 if ver.LT(RunAsNonRootMinStackVersion) {
 return sc
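Review bot: `DefaultBeatSecurityContext` now builds the same `&corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault}` literal that `For` sets in the hunk above, and the test expectations repeat it five more times; one helper keeps the two defaults from drifting apart: `func defaultSeccompProfile() *corev1.SeccompProfile { return &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault} }` with `SeccompProfile: defaultSeccompProfile(),` at both call sites. Unlike `RunAsNonRoot`, which is gated on `RunAsNonRootMinStackVersion` just below, the profile is set before the early `return sc`, so every managed Beat and Elasticsearch container receives it on operator upgrade regardless of stack version; that is presumably intended, but a workload that needs a syscall the runtime's default profile denies would start failing, so the change deserves a release-note entry and a doc comment on both functions stating how a user overrides the default (presumably via the podTemplate securityContext), neither of which appears in the series. Both enclosing functions begin outside their hunks.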
diff --git a/pkg/controller/elasticsearch/securitycontext/securitycontext_test.go b/pkg/controller/elasticsearch/securitycontext/securitycontext_test.go
index 1c4b82a7aff..a950513284c 100644
--- a/pkg/controller/elasticsearch/securitycontext/securitycontext_test.go
+++ b/pkg/controller/elasticsearch/securitycontext/securitycontext_test.go
@@ -36,6 +36,9 @@ func TestFor(t *testing.T) {
 Privileged: ptr.To[bool](false),
 ReadOnlyRootFilesystem: ptr.To[bool](false),
 AllowPrivilegeEscalation: ptr.To[bool](false),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
 },
 },
 {
@@ -49,6 +52,9 @@ func TestFor(t *testing.T) {
 Privileged: ptr.To[bool](false),
 ReadOnlyRootFilesystem: ptr.To[bool](false),
 AllowPrivilegeEscalation: ptr.To[bool](false),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
 },
 },
 {
@@ -62,6 +68,9 @@ func TestFor(t *testing.T) {
 Privileged: ptr.To[bool](false),
 ReadOnlyRootFilesystem: ptr.To[bool](true),
 AllowPrivilegeEscalation: ptr.To[bool](false),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
 },
 },
 }
@@ -90,6 +99,9 @@ func TestDefaultBeatSecurityContext(t *testing.T) {
 Privileged: ptr.To[bool](false),
 ReadOnlyRootFilesystem: ptr.To[bool](true),
 AllowPrivilegeEscalation: ptr.To[bool](false),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
 },
 },
 {
@@ -103,6 +115,9 @@ func TestDefaultBeatSecurityContext(t *testing.T) {
 ReadOnlyRootFilesystem: ptr.To[bool](true),
 RunAsNonRoot: ptr.To[bool](true),
 AllowPrivilegeEscalation: ptr.To[bool](false),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
 },
 },
 }
From 7a5c6a3ff5272d21b187518d99cea81f609f2596 Mon Sep 17 00:00:00 2001
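Review bot: The five expectations across `TestFor` and `TestDefaultBeatSecurityContext` each spell out the same `&corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault}` block; a package-level `var runtimeDefaultSeccomp = &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault}` used as `SeccompProfile: runtimeDefaultSeccomp,` would make the next security-context default a one-line change here. Because every case now carries the profile, the table covers both the early-return and the full path of `For` only if it includes versions on both sides of `DropCapabilitiesMinStackVersion`; the version fields sit outside these hunks, so that is worth confirming rather than assuming. Both test functions begin outside their hunks.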
From: Nick Reisinger
Date: Sat, 26 Jul 2025 14:56:36 +0000
Subject: [PATCH 4/4] Add seccompProfile to the operator default values
---
 deploy/eck-operator/values.yaml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/deploy/eck-operator/values.yaml b/deploy/eck-operator/values.yaml
index 431b8faa648..c29813c149e 100644
--- a/deploy/eck-operator/values.yaml
+++ b/deploy/eck-operator/values.yaml
@@ -68,6 +68,9 @@ securityContext:
 - ALL
 readOnlyRootFilesystem: true
 runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+
 # nodeSelector defines the node selector for the operator pod.
 nodeSelector: {}
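Review bot: The new `seccompProfile` entry carries no explanatory comment, while the neighbouring keys in this file are documented (`# nodeSelector defines the node selector for the operator pod.`); add `# seccompProfile applies the container runtime's default seccomp profile to the operator container.` above it so chart users know what they are opting out of if they override `securityContext`. The hunk header counts three insertions but only two non-blank lines are visible, so if I read the counts right the third is an empty line added before the existing blank — a whitespace nit to drop. Whether this chart also exposes a pod-level securityContext where the profile could be set once for every container is not visible here; worth checking so the two settings do not disagree.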