Set RuntimeDefault as default seccompProfile in securityContext

Signed-off-by: torredil <[email protected]>

charts/aws-ebs-csi-driver/values.yaml

@@ -37,6 +37,8 @@ sidecars:
       # renewDeadline: "10s"
       # retryPeriod: "5s"
     securityContext:
+      seccompProfile:
+        type: RuntimeDefault
       readOnlyRootFilesystem: true
       allowPrivilegeEscalation: false
   attacher:
@@ -62,6 +64,8 @@ sidecars:
     additionalClusterRoleRules: []
     resources: {}
     securityContext:
+      seccompProfile:
+        type: RuntimeDefault
       readOnlyRootFilesystem: true
       allowPrivilegeEscalation: false
   snapshotter:
@@ -79,6 +83,8 @@ sidecars:
     additionalClusterRoleRules: []
     resources: {}
     securityContext:
+      seccompProfile:
+        type: RuntimeDefault
       readOnlyRootFilesystem: true
       allowPrivilegeEscalation: false
   livenessProbe:
@@ -90,6 +96,8 @@ sidecars:
     additionalArgs: []
     resources: {}
     securityContext:
+      seccompProfile:
+        type: RuntimeDefault
       readOnlyRootFilesystem: true
       allowPrivilegeEscalation: false
   resizer:
@@ -115,6 +123,8 @@ sidecars:
     additionalClusterRoleRules: []
     resources: {}
     securityContext:
+      seccompProfile:
+        type: RuntimeDefault
       readOnlyRootFilesystem: true
       allowPrivilegeEscalation: false
   nodeDriverRegistrar:
@@ -128,6 +138,8 @@ sidecars:
     additionalArgs: []
     resources: {}
     securityContext:
+      seccompProfile:
+        type: RuntimeDefault
       readOnlyRootFilesystem: true
       allowPrivilegeEscalation: false
     livenessProbe:
@@ -158,6 +170,8 @@ sidecars:
     additionalArgs: []
     resources: {}
     securityContext:
+      seccompProfile:
+        type: RuntimeDefault
       readOnlyRootFilesystem: true
       allowPrivilegeEscalation: false
 
@@ -311,6 +325,8 @@ controller:
   # ---
   # securityContext on the controller container (see sidecars for securityContext on sidecar containers)
   containerSecurityContext:
+    seccompProfile:
+      type: RuntimeDefault
     readOnlyRootFilesystem: true
     allowPrivilegeEscalation: false
   initContainers: []
@@ -417,6 +433,7 @@ node:
   #   mountPath: /mount/path
   # ---
   # securityContext on the node container (see sidecars for securityContext on sidecar containers)
+  # Privileged containers always run as `Unconfined`, which means that they are not restricted by a seccomp profile.
   containerSecurityContext:
     readOnlyRootFilesystem: true
     privileged: true

deploy/kubernetes/base/controller.yaml

@@ -128,6 +128,8 @@ spec:
           securityContext:
             allowPrivilegeEscalation: false
             readOnlyRootFilesystem: true
+            seccompProfile:
+              type: RuntimeDefault
         - name: csi-provisioner
           image: public.ecr.aws/eks-distro/kubernetes-csi/external-provisioner:v4.0.1-eks-1-30-4
           imagePullPolicy: IfNotPresent
@@ -157,6 +159,8 @@ spec:
           securityContext:
             allowPrivilegeEscalation: false
             readOnlyRootFilesystem: true
+            seccompProfile:
+              type: RuntimeDefault
         - name: csi-attacher
           image: public.ecr.aws/eks-distro/kubernetes-csi/external-attacher:v4.5.1-eks-1-30-4
           imagePullPolicy: IfNotPresent
@@ -183,6 +187,8 @@ spec:
           securityContext:
             allowPrivilegeEscalation: false
             readOnlyRootFilesystem: true
+            seccompProfile:
+              type: RuntimeDefault
         - name: csi-snapshotter
           image: public.ecr.aws/eks-distro/kubernetes-csi/external-snapshotter/csi-snapshotter:v7.0.2-eks-1-30-4
           imagePullPolicy: IfNotPresent
@@ -208,6 +214,8 @@ spec:
           securityContext:
             allowPrivilegeEscalation: false
             readOnlyRootFilesystem: true
+            seccompProfile:
+              type: RuntimeDefault
         - name: csi-resizer
           image: public.ecr.aws/eks-distro/kubernetes-csi/external-resizer:v1.10.1-eks-1-30-4
           imagePullPolicy: IfNotPresent
@@ -235,6 +243,8 @@ spec:
           securityContext:
             allowPrivilegeEscalation: false
             readOnlyRootFilesystem: true
+            seccompProfile:
+              type: RuntimeDefault
         - name: liveness-probe
           image: public.ecr.aws/eks-distro/kubernetes-csi/livenessprobe:v2.12.0-eks-1-30-4
           imagePullPolicy: IfNotPresent
@@ -252,6 +262,8 @@ spec:
           securityContext:
             allowPrivilegeEscalation: false
             readOnlyRootFilesystem: true
+            seccompProfile:
+              type: RuntimeDefault
       volumes:
         - name: socket-dir
           emptyDir: {}

deploy/kubernetes/base/node.yaml

@@ -138,6 +138,8 @@ spec:
           securityContext:
             allowPrivilegeEscalation: false
             readOnlyRootFilesystem: true
+            seccompProfile:
+              type: RuntimeDefault
         - name: liveness-probe
           image: public.ecr.aws/eks-distro/kubernetes-csi/livenessprobe:v2.12.0-eks-1-30-4
           imagePullPolicy: IfNotPresent
@@ -155,6 +157,8 @@ spec:
           securityContext:
             allowPrivilegeEscalation: false
             readOnlyRootFilesystem: true
+            seccompProfile:
+              type: RuntimeDefault
       volumes:
         - name: kubelet-dir
           hostPath: