Valters Jansons
As part of the linked PR, it was identified that the underlying process does not drop NET_BIND_SERVICE once that capability is effective. Therefore, on the existing approach, even if privilege escalation...
> This must also be set in the security context to comply:
>
> ```yaml
> seccompProfile:
>   type: RuntimeDefault
> ```

@blurpy, would you mind opening a Pull Request...
> I would have liked to, but I can't prioritize it right now. I would be happy if anyone else has the time to fix it in the meantime....
@blurpy, the edge version (latest `main`) of the chart restricts syscalls based on runtime defaults. Could you please check if there are any other low hanging fruit that the scan...
> What I found out is that running with UID 101 is now what is stopping using the restricted policy

@hafe, where are you seeing UID 101 being an issue?...
Understood, it's about OpenShift's `restricted-v2` [security context constraint](https://docs.openshift.com/container-platform/4.12/authentication/managing-security-context-constraints.html#default-sccs_configuring-internal-oauth) (`restricted` for OpenShift v4.10 and older). _The restricted SCC: [..] Requires that a pod is run as a user in a pre-allocated...
I am taking a closer look and [`PodSecurityContext` (v1)](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#podsecuritycontext-v1-core) says `runAsUser` defaults to user specified in image metadata if unspecified. OpenShift's [Example security context constraints section](https://docs.openshift.com/container-platform/4.12/authentication/managing-security-context-constraints.html#security-context-constraints-example_configuring-internal-oauth) discusses when no explicit...
@blurpy, just to double check, as there are competing request scopes: Kubernetes restricted with latest release, or OpenShift modifying 'run as user'?
@hafe, are you on OpenShift 4.11+? Or are you running on the 4.10 Maintenance Support? I am asking as I want to hear if you have the `restricted-v2` SCC available.
My test was a very basic local run. Just deployed a fresh OpenShift cluster (v4.15.0) in AWS, and then essentially

```bash
kubectl apply -f resources/scc.yaml
make install
make run # for...
```
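Added example, not code from the chart or from anyone in this thread: a small Python check that applies the restricted Pod Security Standard rules the discussion touches on (seccomp `RuntimeDefault`, capabilities dropped with only NET_BIND_SERVICE added back, no privilege escalation, non-root) to a pod spec dict, and separately flags the OpenShift `restricted-v2` conflict with a hard-coded `runAsUser` such as 101. The function name, the `openshift` flag and the sample spec are assumptions made for this example.

```python
# Added example (not the chart's code): apply the restricted Pod Security
# Standard rules discussed in this thread to a pod spec dict, and flag the
# OpenShift restricted-v2 case where a hard-coded runAsUser (such as 101)
# falls outside the namespace's pre-allocated UID range.

# Assumption: the restricted profile lets only NET_BIND_SERVICE be added back.
ALLOWED_ADDS = {"NET_BIND_SERVICE"}


def check_restricted(pod_spec, openshift=False):
    """Return a list of human-readable findings; an empty list means compliant."""
    findings = []
    pod_sc = pod_spec.get("securityContext") or {}
    pod_seccomp = (pod_sc.get("seccompProfile") or {}).get("type")
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        name, sc = c.get("name", "<unnamed>"), c.get("securityContext") or {}
        # seccomp can be set at pod or container level; the container value wins.
        seccomp = (sc.get("seccompProfile") or {}).get("type", pod_seccomp)
        if seccomp not in ("RuntimeDefault", "Localhost"):
            findings.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
        caps = sc.get("capabilities") or {}
        if caps.get("drop") != ["ALL"]:
            findings.append(f"{name}: capabilities.drop must be ['ALL']")
        extra = set(caps.get("add") or []) - ALLOWED_ADDS
        if extra:
            findings.append(f"{name}: capabilities added beyond NET_BIND_SERVICE: {sorted(extra)}")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation must be false")
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")):
            findings.append(f"{name}: runAsNonRoot must be true at pod or container level")
        # restricted-v2 assigns the UID from the namespace range, so an explicit
        # runAsUser is rejected unless it happens to fall inside that range.
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if openshift and uid is not None:
            findings.append(f"{name}: explicit runAsUser={uid} conflicts with restricted-v2 SCC")
    return findings


# Constructed sample: passes upstream 'restricted' but pins UID 101, which is
# exactly the OpenShift conflict raised in the thread.
SAMPLE_POD_SPEC = {
    "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}, "runAsNonRoot": True},
    "containers": [{"name": "web", "securityContext": {
        "runAsUser": 101,
        "allowPrivilegeEscalation": False,
        "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]},
    }}],
}
```

Running `check_restricted(SAMPLE_POD_SPEC)` returns no findings, while `check_restricted(SAMPLE_POD_SPEC, openshift=True)` reports the pinned UID, which is the same split the thread is trying to reconcile.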