feat: Make SR-IOV Network Operator working in STIG-Enabled Kubernetes Cluster

e0ne · e0ne · commit 67c6f3b4b467 · 2025-10-03T16:50:03.000+03:00
Signed-off-by: Ivan Kolodiazhnyi &lt;ikolodiazhny@nvidia.com&gt;
diff --git a/deployment/sriov-network-operator-chart/templates/operator.yaml b/deployment/sriov-network-operator-chart/templates/operator.yaml
@@ -47,6 +47,14 @@ spec:
             requests:
               cpu: 100m
               memory: 100Mi
+          securityContext:
+            capabilities:
+              drop:
+                - ALL
+            runAsNonRoot: true
+            allowPrivilegeEscalation: false
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: WATCH_NAMESPACE
               valueFrom:
diff --git a/deployment/sriov-network-operator-chart/templates/pre-delete-webooks.yaml b/deployment/sriov-network-operator-chart/templates/pre-delete-webooks.yaml
@@ -23,6 +23,14 @@ spec:
       containers:
         - name: cleanup
           image: {{ .Values.images.operator }}
+          securityContext:
+            capabilities:
+              drop:
+                - ALL
+            runAsNonRoot: true
+            allowPrivilegeEscalation: false
+            seccompProfile:
+              type: RuntimeDefault
           command:
             - sriov-network-operator-config-cleanup
           args:
