From cd9ae91f44e6c6f801f267a2d47110e5d4ba4712 Mon Sep 17 00:00:00 2001
From: Alessandro Degano
Date: Tue, 12 May 2026 13:08:34 +0200
Subject: [PATCH] Add capabilities.drop=ALL to all container security contexts
---
 api/v1alpha1/amaltheasession_children.go | 6 ++++++
 api/v1alpha1/auth_templates.go | 9 +++++++++
 api/v1alpha1/code_repo_templates.go | 3 +++
 3 files changed, 18 insertions(+)
diff --git a/api/v1alpha1/amaltheasession_children.go b/api/v1alpha1/amaltheasession_children.go
index 7d7c6ed2..85645b4b 100644
--- a/api/v1alpha1/amaltheasession_children.go
+++ b/api/v1alpha1/amaltheasession_children.go
@@ -927,6 +927,9 @@ func (cr *AmaltheaSession) sessionContainerLocal(volumeMounts []v1.VolumeMount,
 RunAsNonRoot: ptr.To(true),
 RunAsUser: ptr.To(session.RunAsUser),
 RunAsGroup: ptr.To(session.RunAsGroup),
+ Capabilities: &v1.Capabilities{
+ Drop: []v1.Capability{"ALL"},
+ },
 }
 if session.RunAsUser == 0 {
 securityContext.RunAsNonRoot = ptr.To(false)
@@ -953,6 +956,9 @@ func (cr *AmaltheaSession) sessionContainerRemote(volumeMounts []v1.VolumeMount)
 SecurityContext: &v1.SecurityContext{
 AllowPrivilegeEscalation: ptr.To(false),
 RunAsNonRoot: ptr.To(true),
+ Capabilities: &v1.Capabilities{
+ Drop: []v1.Capability{"ALL"},
+ },
 },
 Args: []string{
 "remote-session-controller",
diff --git a/api/v1alpha1/auth_templates.go b/api/v1alpha1/auth_templates.go
index f55f9b4e..12d3499b 100644
--- a/api/v1alpha1/auth_templates.go
+++ b/api/v1alpha1/auth_templates.go
@@ -57,6 +57,9 @@ func (as *AmaltheaSession) auth() (manifests, error) {
 SecurityContext: &v1.SecurityContext{
 AllowPrivilegeEscalation: ptr.To(false),
 RunAsNonRoot: ptr.To(true),
+ Capabilities: &v1.Capabilities{
+ Drop: []v1.Capability{"ALL"},
+ },
 },
 Args: []string{
 fmt.Sprintf("--upstream=%s", fmt.Sprintf("http://127.0.0.1:%d", secondProxyPort)),
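Review bot: In sessionContainerLocal the drop of ALL is applied unconditionally, while the context lines just below it keep a root path (`if session.RunAsUser == 0 { securityContext.RunAsNonRoot = ptr.To(false)`). A UID 0 session therefore now runs without CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_SETUID/CAP_SETGID and CAP_NET_BIND_SERVICE, so images that rely on root to fix file ownership, install packages or bind low ports may start failing. If that is the intended hardening, say so above the new field, e.g. `// Dropped for root sessions too: UID 0 keeps no capabilities.`, and cover the RunAsUser == 0 case with a test. The function body starts and ends outside this hunk, so whether AllowPrivilegeEscalation is set on this context cannot be confirmed from here.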
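Review bot: The SecurityContext literal in sessionContainerRemote is fully visible in this hunk and still sets no seccomp profile, so the container only satisfies the Kubernetes "restricted" Pod Security profile if a pod-level security context (not visible in this patch) supplies one. If none does, add `SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeRuntimeDefault},` next to the new Capabilities field. The same gap is visible in both auth() literals and in cloneInit() later in this patch. The enclosing function continues outside the hunk.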
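Review bot: The literal `&v1.Capabilities{Drop: []v1.Capability{"ALL"}}` is now written out six times across three files: twice in auth() (this hunk and the one at -161), and once each in sessionContainerLocal, sessionContainerRemote, get_rewrite_authn_proxy and cloneInit. One unexported helper, e.g. `func dropAllCapabilities() *v1.Capabilities { return &v1.Capabilities{Drop: []v1.Capability{"ALL"}} }`, would keep the hardening in a single place. A test that walks every container the operator generates and asserts that Drop contains ALL would stop a container added later from silently missing it. auth() starts and ends outside this hunk.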
@@ -161,6 +164,9 @@ func (as *AmaltheaSession) auth() (manifests, error) {
 SecurityContext: &v1.SecurityContext{
 AllowPrivilegeEscalation: ptr.To(false),
 RunAsNonRoot: ptr.To(true),
+ Capabilities: &v1.Capabilities{
+ Drop: []v1.Capability{"ALL"},
+ },
 },
 Args: []string{
 "--silence-ping-logging",
@@ -230,6 +236,9 @@ func (as *AmaltheaSession) get_rewrite_authn_proxy(listenPort int32, metaListenP
 RunAsNonRoot: ptr.To(true),
 RunAsUser: ptr.To(int64(1000)),
 RunAsGroup: ptr.To(int64(1000)),
+ Capabilities: &v1.Capabilities{
+ Drop: []v1.Capability{"ALL"},
+ },
 },
 Args: []string{
 "proxy",
diff --git a/api/v1alpha1/code_repo_templates.go b/api/v1alpha1/code_repo_templates.go
index 18fbb42c..a03b3ac2 100644
--- a/api/v1alpha1/code_repo_templates.go
+++ b/api/v1alpha1/code_repo_templates.go
@@ -61,6 +61,9 @@ func (as *AmaltheaSession) cloneInit() manifests {
 SecurityContext: &v1.SecurityContext{
 RunAsUser: &as.Spec.Session.RunAsUser,
 RunAsGroup: &as.Spec.Session.RunAsGroup,
+ Capabilities: &v1.Capabilities{
+ Drop: []v1.Capability{"ALL"},
+ },
 },
 Args: args,
 })
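Review bot: cloneInit()'s SecurityContext is fully visible in this hunk and, unlike the sessionContainerRemote and auth() contexts in this patch, sets neither AllowPrivilegeEscalation nor RunAsNonRoot, so the init container is still started without no_new_privs even though its capabilities are dropped. Add `AllowPrivilegeEscalation: ptr.To(false),` beside the new Capabilities field (this assumes the ptr package is already imported in this file, which the hunk does not show). RunAsUser comes from as.Spec.Session.RunAsUser, which sessionContainerLocal allows to be 0, so the clone can run as root without CAP_CHOWN or CAP_DAC_OVERRIDE. It is worth confirming that it can still write to the target volume in that case. The function body begins and ends outside the hunk.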