From d205a581b110616ef86cabf0bb3cc70724a398cc Mon Sep 17 00:00:00 2001
From: Oleg Bulatov
Date: Tue, 23 Aug 2022 16:55:02 +0200
Subject: [PATCH] Fix security context for test pods
---
 pkg/testframework/registry.go | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/pkg/testframework/registry.go b/pkg/testframework/registry.go
index ee4325ae5..6b9bb6954 100644
--- a/pkg/testframework/registry.go
+++ b/pkg/testframework/registry.go
@@ -294,6 +294,9 @@ func CreateEphemeralRegistry(t *testing.T, restConfig *rest.Config, namespace st
 )
 }
 
+ falseVal := false
+ trueVal := true
+
 pod := &corev1.Pod{
 ObjectMeta: metav1.ObjectMeta{
 Name: name,
@@ -336,6 +339,16 @@ func CreateEphemeralRegistry(t *testing.T, restConfig *rest.Config, namespace st
 },
 },
 TerminationMessagePolicy: corev1.TerminationMessageFallbackToLogsOnError,
+ SecurityContext: &corev1.SecurityContext{
+ AllowPrivilegeEscalation: &falseVal,
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ RunAsNonRoot: &trueVal,
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ },
 },
 },
 Volumes: volumes,
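Review bot: In the second hunk, `RunAsNonRoot: &trueVal` is set without a `RunAsUser`, so the container starts only if the image declares a numeric non-root user or cluster admission (for example an OpenShift SCC) assigns a UID; otherwise the kubelet refuses to start it. If that dependency is intended, I would record it next to the field, e.g. `// UID must come from the image or the namespace's SCC; kubelet rejects a root or non-numeric image user`. The context is applied to this one container only, and the pod literal starts and ends outside the hunk, so it is not visible whether other containers or init containers in the spec need the same settings. The `falseVal`/`trueVal` locals added in the first hunk exist only to be addressed and could be replaced by a bool-pointer helper if the package already has one in scope.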