Fixed security context

metalbear-co · Feb 5, 2024 · 7834168 · 7834168
1 parent 514f084
commit 7834168
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 0 deletions.
diff --git a/changelog.d/+ephemeral-spec.fixed.md b/changelog.d/+ephemeral-spec.fixed.md
@@ -0,0 +1 @@
+Added `runAsNonRoot: false` and `runAsUser: 0` to the security context of an epheremal agent when running privileged (to prevent overriding these values with values from the pod spec).
diff --git a/mirrord/kube/src/api/container/ephemeral.rs b/mirrord/kube/src/api/container/ephemeral.rs
@@ -208,6 +208,8 @@ impl ContainerVariant for EphemeralTargetedVariant<'_> {
                     "add": get_capabilities(agent),
                 },
                 "privileged": agent.privileged,
+                "runAsNonRoot": agent.privileged.then_some(false),
+                "runAsUser": agent.privileged.then_some(0),
             },
             "imagePullPolicy": agent.image_pull_policy,
             "targetContainerName": runtime_data.container_name,