Add seccompProfile

deploy/eck-operator/values.yaml

@@ -68,6 +68,9 @@ securityContext:
       - ALL
   readOnlyRootFilesystem: true
   runAsNonRoot: true
+  seccompProfile:
+    type: RuntimeDefault
+
 
 # nodeSelector defines the node selector for the operator pod.
 nodeSelector: {}

pkg/controller/elasticsearch/securitycontext/securitycontext.go

@@ -28,6 +28,9 @@ func For(ver version.Version, enableReadOnlyRootFilesystem bool) corev1.Security
 		Privileged:               ptr.To[bool](false),
 		ReadOnlyRootFilesystem:   ptr.To[bool](enableReadOnlyRootFilesystem),
 		AllowPrivilegeEscalation: ptr.To[bool](false),
+		SeccompProfile:           &corev1.SeccompProfile{
+			Type: corev1.SeccompProfileTypeRuntimeDefault,
+		},
 	}
 	if ver.LT(DropCapabilitiesMinStackVersion) {
 		return sc
@@ -50,6 +53,9 @@ func DefaultBeatSecurityContext(ver version.Version) *corev1.SecurityContext {
 		Privileged:               ptr.To[bool](false),
 		ReadOnlyRootFilesystem:   ptr.To[bool](true),
 		AllowPrivilegeEscalation: ptr.To[bool](false),
+		SeccompProfile:           &corev1.SeccompProfile{
+			Type: corev1.SeccompProfileTypeRuntimeDefault,
+		},
 	}
 	if ver.LT(RunAsNonRootMinStackVersion) {
 		return sc

pkg/controller/elasticsearch/securitycontext/securitycontext_test.go

@@ -36,6 +36,9 @@ func TestFor(t *testing.T) {
 				Privileged:               ptr.To[bool](false),
 				ReadOnlyRootFilesystem:   ptr.To[bool](false),
 				AllowPrivilegeEscalation: ptr.To[bool](false),
+                                SeccompProfile:           &corev1.SeccompProfile{
+                                        Type: corev1.SeccompProfileTypeRuntimeDefault,
+                                },
 			},
 		},
 		{
@@ -49,6 +52,9 @@ func TestFor(t *testing.T) {
 				Privileged:               ptr.To[bool](false),
 				ReadOnlyRootFilesystem:   ptr.To[bool](false),
 				AllowPrivilegeEscalation: ptr.To[bool](false),
+                                SeccompProfile:           &corev1.SeccompProfile{
+                                        Type: corev1.SeccompProfileTypeRuntimeDefault,
+                                },
 			},
 		},
 		{
@@ -62,6 +68,9 @@ func TestFor(t *testing.T) {
 				Privileged:               ptr.To[bool](false),
 				ReadOnlyRootFilesystem:   ptr.To[bool](true),
 				AllowPrivilegeEscalation: ptr.To[bool](false),
+                                SeccompProfile:           &corev1.SeccompProfile{
+                                        Type: corev1.SeccompProfileTypeRuntimeDefault,
+                                },
 			},
 		},
 	}
@@ -90,6 +99,9 @@ func TestDefaultBeatSecurityContext(t *testing.T) {
 				Privileged:               ptr.To[bool](false),
 				ReadOnlyRootFilesystem:   ptr.To[bool](true),
 				AllowPrivilegeEscalation: ptr.To[bool](false),
+                                SeccompProfile:           &corev1.SeccompProfile{
+                                        Type: corev1.SeccompProfileTypeRuntimeDefault,
+                                },
 			},
 		},
 		{
@@ -103,6 +115,9 @@ func TestDefaultBeatSecurityContext(t *testing.T) {
 				ReadOnlyRootFilesystem:   ptr.To[bool](true),
 				RunAsNonRoot:             ptr.To[bool](true),
 				AllowPrivilegeEscalation: ptr.To[bool](false),
+                                SeccompProfile:           &corev1.SeccompProfile{
+                                        Type: corev1.SeccompProfileTypeRuntimeDefault,
+                                },
 			},
 		},
 	}