chore: Security fixes (#614)

charts/virtual-kubelet/README.md

@@ -60,10 +60,10 @@ The following table lists the configurable parameters of the azure-aci chart and
 | image.repository                               | Image repository.                                                                                                     | `mcr.microsoft.com`                   |
 | image.name                                     | Image name.                                                                                                           | `oss/virtual-kubelet/virtual-kubelet` |
 | image.tag                                      | Image release version/tag.                                                                                            | `latest`                              |
-| image.pullPolicy                               | Image pull policy.                                                                                                    | `Always`                              | 
+| image.pullPolicy                               | Image pull policy.                                                                                                    | `IfNotPresent`                              | 
 | initImage.name                                 | Init container image name.                                                                                            | `oss/virtual-kubelet/init-validation` |
 | initImage.initTag                              | Init container image release version/tag.                                                                             | `0.2.0`                               |
-| initImage.pullPolicy                           | Init container image pull policy.                                                                                     | `Always`                              |
+| initImage.pullPolicy                           | Init container image pull policy.                                                                                     | `IfNotPresent`                              |
 | nodeName                                       | The node name that will be assigned to be the VK one.                                                                 | `virtual-node-aci-linux-helm`         |
 | nodeOsType                                     | The node/VM type. Values should be `Windows` or `Linux`.                                                              | `Linux`                               |
 | monitoredNamespace                             | Kubernetes namespace. default values means monitor `all`                                                              | `""`                                  |

charts/virtual-kubelet/templates/deployment.yaml

@@ -21,6 +21,10 @@ spec:
         - name: init-validation
           image: "{{ .Values.initImage.repository }}/{{ .Values.initImage.name }}:{{ .Values.initImage.initTag }}"
           imagePullPolicy: {{ .Values.initImage.pullPolicy }}
+          securityContext:
+            capabilities:
+              drop:
+              - ALL
           env:
           - name: KUBELET_PORT
             value: "10250"
@@ -111,6 +115,10 @@ spec:
       - name: {{ template "vk.fullname" . }}
         image: "{{ .Values.image.repository }}/{{ .Values.image.name }}:{{ .Values.image.tag }}"
         imagePullPolicy: {{ .Values.image.pullPolicy }}
+        securityContext:
+          capabilities:
+            drop:
+            - ALL
         env:
         - name: KUBELET_PORT
           value: "10250"

charts/virtual-kubelet/values.yaml

@@ -3,13 +3,13 @@ image:
   repository: mcr.microsoft.com
   name: oss/virtual-kubelet/virtual-kubelet
   tag: 1.6.1
-  pullPolicy: Always
+  pullPolicy: IfNotPresent
 
 initImage:
   repository: mcr.microsoft.com
   name: oss/virtual-kubelet/init-validation
   initTag: 0.2.0
-  pullPolicy: Always
+  pullPolicy: IfNotPresent
 
 namespace: vk-azure-aci