Fix pss restricted warnings (kserve#4327)

akagami-harsh · sivanantha321 · web-flow · commit cee2c1d15e7d · 2025-06-07T00:45:12.000+05:30
Signed-off-by: Harshvir Potpose &lt;hpotpose62@gmail.com&gt;
Co-authored-by: Sivanantham &lt;90966311+sivanantha321@users.noreply.github.com&gt;
diff --git a/charts/kserve-resources/README.md b/charts/kserve-resources/README.md
@@ -57,7 +57,7 @@ $ helm install kserve oci://ghcr.io/kserve/charts/kserve --version v0.15.2
 | kserve.controller.rbacProxy.securityContext.runAsNonRoot | bool | `true` |  |
 | kserve.controller.rbacProxyImage | string | `"quay.io/brancz/kube-rbac-proxy:v0.18.0"` | KServe controller manager rbac proxy contrainer image |
 | kserve.controller.resources | object | `{"limits":{"cpu":"100m","memory":"300Mi"},"requests":{"cpu":"100m","memory":"300Mi"}}` | Resources to provide to the kserve controller pod.  For example:  requests:    cpu: 10m    memory: 32Mi  For more information, see [Resource Management for Pods and Containers](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). |
-| kserve.controller.securityContext | object | `{"runAsNonRoot":true}` | Pod Security Context. For more information, see [Configure a Security Context for a Pod or Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/). |
+| kserve.controller.securityContext | object | `{"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Pod Security Context. For more information, see [Configure a Security Context for a Pod or Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/). |
 | kserve.controller.serviceAnnotations | object | `{}` | Optional additional annotations to add to the controller service. |
 | kserve.controller.tag | string | `"v0.15.2"` | KServe controller contrainer image tag. |
 | kserve.controller.tolerations | list | `[]` | A list of Kubernetes Tolerations, if required. For more information, see [Toleration v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core).  For example:   tolerations:   - key: foo.bar.com/role     operator: Equal     value: master     effect: NoSchedule |
diff --git a/charts/kserve-resources/templates/localmodel/deployment.yaml b/charts/kserve-resources/templates/localmodel/deployment.yaml
@@ -26,6 +26,8 @@ spec:
       serviceAccountName: kserve-localmodel-controller-manager
       securityContext:
         runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
       containers:
       - command:
         - /manager
diff --git a/charts/kserve-resources/values.yaml b/charts/kserve-resources/values.yaml
@@ -129,6 +129,8 @@ kserve:
     # For more information, see [Configure a Security Context for a Pod or Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/).
     securityContext:
       runAsNonRoot: true
+      seccompProfile:
+          type: RuntimeDefault
 
     # -- Container Security Context to be set on the controller component container.
     # For more information, see [Configure a Security Context for a Pod or Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/).
diff --git a/config/localmodelnodes/manager.yaml b/config/localmodelnodes/manager.yaml
@@ -26,6 +26,8 @@ spec:
       serviceAccountName: kserve-localmodelnode-agent
       securityContext:
         runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
       containers:
       - command:
         - /manager
diff --git a/config/localmodels/manager.yaml b/config/localmodels/manager.yaml
@@ -24,6 +24,8 @@ spec:
       serviceAccountName: kserve-localmodel-controller-manager
       securityContext:
         runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
       containers:
       - command:
         - /manager
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
@@ -24,6 +24,8 @@ spec:
       serviceAccountName: kserve-controller-manager
       securityContext:
         runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
       containers:
       - command:
         - /manager
