ci: Update CNS daemonset capabilities within E2E (#2902)

ci: update CNS caps
Azure · Aug 9, 2024 · 032890a · 032890a
1 parent fcb10fb
commit 032890a
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 3 deletions.
diff --git a/test/integration/manifests/cns/daemonset-linux.yaml b/test/integration/manifests/cns/daemonset-linux.yaml
@@ -46,8 +46,11 @@ spec:
           args: [ "-c", "tcp://$(CNSIpAddress):$(CNSPort)", "-t", "$(CNSLogTarget)"]
           securityContext:
             capabilities:
+              drop:
+                - ALL
               add:
-                - NET_ADMIN
+                - NET_ADMIN # only necessary for delegated IPAM/Cilium
+                - NET_RAW # only necessary for delegated IPAM/Cilium
           volumeMounts:
             - name: log
               mountPath: /var/log
@@ -89,8 +92,8 @@ spec:
           command: ["sleep", "3600"]
           securityContext:
             capabilities:
-              add:
-                - NET_ADMIN
+              drop:
+                - ALL
           volumeMounts:
             - name: log
               mountPath: /var/log

diff --git a/test/integration/manifests/cns/daemonset-windows.yaml b/test/integration/manifests/cns/daemonset-windows.yaml
@@ -123,6 +123,10 @@ spec:
           volumeMounts:
             - name: cni-bin
               mountPath: /k/azurecni/bin/ # TODO: add cni conflist when ready
+          securityContext:
+            capabilities:
+              drop:
+                - ALL
       hostNetwork: true
       volumes:
         - name: log