From 25a4627a65c3a8b4a4db93a45cb3d190101db52f Mon Sep 17 00:00:00 2001
From: Abbas Soltanian
Date: Wed, 11 Mar 2026 10:27:45 -0400
Subject: [PATCH] feat: add seccompProfile RuntimeDefault and drop ALL capabilities

Add seccompProfile: type: RuntimeDefault to both pod-level and container-level security contexts. This satisfies Kubernetes Pod Security Standards "restricted" profile and follows CIS Kubernetes Benchmark recommendations.

Also upgrade capabilities.drop from NET_RAW to ALL, which is required by the restricted PSS profile and is best practice for least-privilege containers.
---
 config/manager/manager.yaml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
index c25c21f..9db835a 100644
--- a/config/manager/manager.yaml
+++ b/config/manager/manager.yaml
@@ -24,6 +24,8 @@ spec:
 spec:
 securityContext:
 runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
 containers:
 - command:
 - /manager
@@ -37,7 +39,9 @@ spec:
 runAsNonRoot: true
 capabilities:
 drop:
- - NET_RAW
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
 livenessProbe:
 httpGet:
 path: /healthz
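Review bot: The commit message states that the container security context now satisfies the restricted Pod Security Standard, but that profile also requires `allowPrivilegeEscalation: false` on every container, and the second hunk (`@@ -37,7 +39,9 @@`) does not show it; the container's `securityContext:` block begins before the hunk, so confirm the field is set there and add it beside `runAsNonRoot: true` if it is not. Setting `seccompProfile` at container level repeats the pod-level value added in the first hunk, which is valid (the container value takes precedence) but reads as accidental duplication, so a comment such as `# also set per container for scanners that evaluate containers individually` on the container-level `seccompProfile:` line would keep a later cleanup from removing one copy. With every capability dropped, `readOnlyRootFilesystem: true` would be the natural next hardening field for this container, assuming /manager writes nothing to its root filesystem, which cannot be confirmed from the hunk.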