Allow setting seccompProfile and drop all capabilities for control plane services (#6505)

Fixes #6233
Signed-off-by: NItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>
Co-authored-by: NDapr Bot <56698301+dapr-bot@users.noreply.github.com>

charts/dapr/README.md

@@ -98,7 +98,8 @@ The Helm chart has the follow configuration options that can be supplied:
 | `global.issuerFilenames.ca`               | Custom name of the file containing the root CA certificate inside the container    | `ca.crt`     |
 | `global.issuerFilenames.cert`             | Custom name of the file containing the leaf certificate inside the container       | `issuer.crt` |
 | `global.issuerFilenames.key`              | Custom name of the file containing the leaf certificate's key inside the container | `issuer.key` |
-| `global.actors.enabled`                   | Enables the Dapr actors building block. When "false", the Dapr Placement serice is not installed, and attempting to use Dapr actors will fail. | `true`                  |
+| `global.actors.enabled`                   | Enables the Dapr actors building block. When "false", the Dapr Placement serice is not installed, and attempting to use Dapr actors will fail. | `true` |
+| `global.seccompProfile` | SeccompProfile for Dapr control plane services | `""` |
 | `global.rbac.namespaced`                  | Removes cluster wide permissions where applicable  | `false` |
 | `global.argoRolloutServiceReconciler.enabled` | Enable the service reconciler for Dapr-enabled Argo Rollouts         | `false` |
 

charts/dapr/charts/dapr_operator/templates/dapr_operator_deployment.yaml

@@ -110,11 +110,17 @@ spec:
 {{- if eq .Values.global.daprControlPlaneOs "linux" }}
         securityContext:
           runAsNonRoot: {{ .Values.runAsNonRoot }}
-{{- if eq .Values.debug.enabled true }}
+  {{- if eq .Values.debug.enabled true }}
           capabilities:
-            add:
-            - SYS_PTRACE
-{{- end }}
+            add: ["SYS_PTRACE"]
+  {{- else }}
+          capabilities:
+            drop: ["ALL"]
+  {{- end }}
+  {{- if .Values.global.seccompProfile }}
+          seccompProfile:
+            type: {{ .Values.global.seccompProfile }}
+  {{- end }}
 {{- end }}
         env:
         - name: NAMESPACE

charts/dapr/charts/dapr_placement/templates/dapr_placement_statefulset.yaml

@@ -154,11 +154,17 @@ spec:
 {{- else }}
           runAsUser: 0
 {{- end }}
-{{- if eq .Values.debug.enabled true }}
+  {{- if eq .Values.debug.enabled true }}
           capabilities:
-            add:
-              - SYS_PTRACE
-{{- end }}
+            add: ["SYS_PTRACE"]
+  {{- else }}
+          capabilities:
+            drop: ["ALL"]
+  {{- end }}
+  {{- if .Values.global.seccompProfile }}
+          seccompProfile:
+            type: {{ .Values.global.seccompProfile }}
+  {{- end }}
 {{- end }}
         env:
           - name: PLACEMENT_ID

charts/dapr/charts/dapr_sentry/templates/dapr_sentry_deployment.yaml

@@ -92,8 +92,14 @@ spec:
           runAsNonRoot: {{ .Values.runAsNonRoot }}
   {{- if eq .Values.debug.enabled true }}
           capabilities:
-            add:
-              - SYS_PTRACE
+            add: ["SYS_PTRACE"]
+  {{- else }}
+          capabilities:
+            drop: ["ALL"]
+  {{- end }}
+  {{- if .Values.global.seccompProfile }}
+          seccompProfile:
+            type: {{ .Values.global.seccompProfile }}
   {{- end }}
 {{- end }}
         env:

charts/dapr/charts/dapr_sidecar_injector/templates/dapr_sidecar_injector_deployment.yaml

@@ -78,8 +78,14 @@ spec:
   {{- end }}
   {{- if eq .Values.debug.enabled true }}
           capabilities:
-            add:
-              - SYS_PTRACE
+            add: ["SYS_PTRACE"]
+  {{- else }}
+          capabilities:
+            drop: ["ALL"]
+  {{- end }}
+  {{- if .Values.global.seccompProfile }}
+          seccompProfile:
+            type: {{ .Values.global.seccompProfile }}
   {{- end }}
 {{- end }}
         command:

charts/dapr/values.yaml

@@ -26,6 +26,7 @@ global:
     enabled: true
   daprControlPlaneOs: linux
   labels: {}
+  seccompProfile: ""
   k8sLabels:
     app.kubernetes.io/name: "{{ .Release.Name }}"
     app.kubernetes.io/version: "{{ .Values.global.tag }}"