adjust security context for serverless workloads (#2457)

anoipm · web-flow · commit 05979d1c5c48 · 2026-04-13T18:00:23.000Z
diff --git a/components/buildless-serverless/internal/controller/resources/deployment.go b/components/buildless-serverless/internal/controller/resources/deployment.go
@@ -487,7 +487,6 @@ func containerSecurityContext(f *serverlessv1alpha2.Function) *corev1.SecurityCo
 				"ALL",
 			},
 		},
-		ProcMount:                ptr.To(corev1.DefaultProcMount),
 		ReadOnlyRootFilesystem:   ptr.To(true),
 		AllowPrivilegeEscalation: ptr.To(false),
 		RunAsNonRoot:             ptr.To(true),
diff --git a/components/buildless-serverless/internal/controller/resources/deployment_test.go b/components/buildless-serverless/internal/controller/resources/deployment_test.go
@@ -1881,7 +1881,6 @@ func Test_containerSecurityContext(t *testing.T) {
 						"ALL",
 					},
 				},
-				ProcMount:                ptr.To(corev1.DefaultProcMount),
 				ReadOnlyRootFilesystem:   ptr.To(true),
 				AllowPrivilegeEscalation: ptr.To(false),
 				RunAsNonRoot:             ptr.To(true),
@@ -1901,7 +1900,6 @@ func Test_containerSecurityContext(t *testing.T) {
 						"ALL",
 					},
 				},
-				ProcMount:                ptr.To(corev1.DefaultProcMount),
 				ReadOnlyRootFilesystem:   ptr.To(true),
 				AllowPrivilegeEscalation: ptr.To(false),
 				RunAsNonRoot:             ptr.To(true),
@@ -1930,7 +1928,6 @@ func Test_containerSecurityContext(t *testing.T) {
 						"SYS_TIME",
 					},
 				},
-				ProcMount:                ptr.To(corev1.DefaultProcMount),
 				ReadOnlyRootFilesystem:   ptr.To(false),
 				AllowPrivilegeEscalation: ptr.To(true),
 				RunAsNonRoot:             ptr.To(true),
diff --git a/components/buildless-serverless/internal/endpoint/runtime/resources_test.go b/components/buildless-serverless/internal/endpoint/runtime/resources_test.go
@@ -162,7 +162,6 @@ spec:
             drop:
             - ALL
           privileged: false
-          procMount: Default
           readOnlyRootFilesystem: true
           runAsNonRoot: true
         startupProbe:
diff --git a/config/buildless-serverless/templates/deployment.yaml b/config/buildless-serverless/templates/deployment.yaml
@@ -74,6 +74,7 @@ spec:
               memory: 64Mi
           securityContext:
             allowPrivilegeEscalation: false
+            runAsNonRoot: true
             capabilities:
               drop:
                 - ALL
diff --git a/config/operator/base/deployment/deployment.yaml b/config/operator/base/deployment/deployment.yaml
@@ -78,6 +78,7 @@ spec:
               value: europe-docker.pkg.dev/kyma-project/prod/function-buildless-init:main
           securityContext:
             allowPrivilegeEscalation: false
+            runAsNonRoot: true
             capabilities:
               drop:
                 - "ALL"
diff --git a/docs/user/resources/06-10-function-cr.md b/docs/user/resources/06-10-function-cr.md
@@ -72,7 +72,6 @@ spec:
       drop:
       - ALL
     privileged: false
-    procMount: Default
     readOnlyRootFilesystem: true
     runAsNonRoot: true
   functionResourceProfile: XS
