From 2e1d89a5df0898d54487e9774f05a542554d163d Mon Sep 17 00:00:00 2001
From: Anish Ramasekar
Date: Wed, 12 Apr 2023 11:22:35 -0700
Subject: [PATCH] feat: set security capabilities for azwi-proxy (#829)

Signed-off-by: Anish Ramasekar
---
 pkg/webhook/webhook.go      | 9 +++++++++
 pkg/webhook/webhook_test.go | 9 +++++++++
 2 files changed, 18 insertions(+)

diff --git a/pkg/webhook/webhook.go b/pkg/webhook/webhook.go
index 8e46effdf..23f65b272 100644
--- a/pkg/webhook/webhook.go
+++ b/pkg/webhook/webhook.go
@@ -251,6 +251,15 @@ func (m *podMutator) injectProxySidecarContainer(containers []corev1.Container,
 				},
 			},
 		},
+		SecurityContext: &corev1.SecurityContext{
+			AllowPrivilegeEscalation: pointer.Bool(false),
+			Capabilities: &corev1.Capabilities{
+				Drop: []corev1.Capability{"ALL"},
+			},
+			Privileged: pointer.Bool(false),
+			ReadOnlyRootFilesystem: pointer.Bool(true),
+			RunAsNonRoot: pointer.Bool(true),
+		},
 	})
 
 	return containers
diff --git a/pkg/webhook/webhook_test.go b/pkg/webhook/webhook_test.go
index a763adae6..e61afa036 100644
--- a/pkg/webhook/webhook_test.go
+++ b/pkg/webhook/webhook_test.go
@@ -1092,6 +1092,15 @@ func TestInjectProxySidecarContainer(t *testing.T) {
 				},
 			},
 		},
+		SecurityContext: &corev1.SecurityContext{
+			AllowPrivilegeEscalation: pointer.Bool(false),
+			Capabilities: &corev1.Capabilities{
+				Drop: []corev1.Capability{"ALL"},
+			},
+			Privileged: pointer.Bool(false),
+			ReadOnlyRootFilesystem: pointer.Bool(true),
+			RunAsNonRoot: pointer.Bool(true),
+		},
 	}
 
 	tests := []struct {
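Review bot: `RunAsNonRoot: pointer.Bool(true)` is added without a `RunAsUser`, so whether the injected sidecar starts at all now depends on the azwi-proxy image declaring a numeric non-root USER — the kubelet refuses to start a runAsNonRoot container whose image runs as root or carries a non-numeric user, and this webhook injects into pods it does not otherwise control. Pinning the UID in the injected context, `RunAsUser: pointer.Int64(<uid the proxy image is built to run as>),`, removes that dependency on the image and also satisfies admission policies that require an explicit UID. The new block also leaves `SeccompProfile` unset, so a pod in a namespace enforcing the Pod Security `restricted` profile is rejected unless the user's own pod spec happens to set one; adding `SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault},` here keeps the sidecar admissible regardless of the target pod. Drop-ALL plus `ReadOnlyRootFilesystem` presume the proxy binds an unprivileged port and writes nothing to its root filesystem, which I cannot confirm from this hunk; a comment above the block such as `// Hardened per the restricted Pod Security profile; the proxy must not need NET_BIND_SERVICE or a writable rootfs.` would record that assumption for whoever changes the proxy. The enclosing injectProxySidecarContainer starts outside the hunk.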