Run Calico containers as unprivileged

These changes aim to remove blanket privileges from Calico and replace them with the default pod privileges granted by Docker plus the few extended privileges that Calico needs Change-Id: I1342ef02086877bc69f752403a33278c9670ed86
2019-02-27 18:53:33 +00:00 · 2019-02-27 18:53:33 +00:00 · 200b5e902b
commit 200b5e902b
parent 85c204fee8
1 changed files with 4 additions and 1 deletions
--- a/calico/templates/daemonset-calico-node.yaml
+++ b/calico/templates/daemonset-calico-node.yaml
@ -343,7 +343,10 @@ spec:
                  fieldPath: spec.nodeName

          securityContext:
-            privileged: true
+            capabilities:
+              add:
+                - 'NET_ADMIN'
+                - 'SYS_ADMIN'
          resources:
            requests:
              cpu: 250m