chore: Remove priviledged security context from our pods (google#4983)

another-rex · tymzd · commit 820c3d86fc0e · 2026-04-13T21:40:35.000+10:00
\
diff --git a/deployment/clouddeploy/gke-indexer/base/indexer-controller.yaml b/deployment/clouddeploy/gke-indexer/base/indexer-controller.yaml
@@ -44,8 +44,6 @@ spec:
             volumeMounts:
               - mountPath: "/tmp"
                 name: "ssd"
-            securityContext:
-              privileged: true
             resources:
               requests:
                 cpu: 5
diff --git a/deployment/clouddeploy/gke-indexer/base/indexer-worker.yaml b/deployment/clouddeploy/gke-indexer/base/indexer-worker.yaml
@@ -46,8 +46,6 @@ spec:
         volumeMounts:
         - mountPath: "/tmp"
           name: "ssd"
-        securityContext:
-          privileged: true
         resources:
           requests:
             cpu: 1
diff --git a/deployment/clouddeploy/gke-workers/base/alpine-cve-convert.yaml b/deployment/clouddeploy/gke-workers/base/alpine-cve-convert.yaml
@@ -20,8 +20,6 @@ spec:
           - name: alpine-cve-convert
             image: alpine-cve-convert
             imagePullPolicy: Always
-            securityContext:
-              privileged: true
             resources:
               requests:
                 cpu: "2"
diff --git a/deployment/clouddeploy/gke-workers/base/combine-to-osv.yaml b/deployment/clouddeploy/gke-workers/base/combine-to-osv.yaml
@@ -21,8 +21,6 @@ spec:
           - name: combine-to-osv
             image: combine-to-osv
             imagePullPolicy: Always
-            securityContext:
-              privileged: true
             resources:
               requests:
                 cpu: "30"
diff --git a/deployment/clouddeploy/gke-workers/base/cpe-repo-gen.yaml b/deployment/clouddeploy/gke-workers/base/cpe-repo-gen.yaml
@@ -16,8 +16,6 @@ spec:
           - name: cpe-repo-gen
             image: cpe-repo-gen
             imagePullPolicy: Always
-            securityContext:
-              privileged: true
             resources:
               requests:
                 cpu: "1"
diff --git a/deployment/clouddeploy/gke-workers/base/cve5-to-osv.yaml b/deployment/clouddeploy/gke-workers/base/cve5-to-osv.yaml
@@ -17,8 +17,6 @@ spec:
           - name: cve5-to-osv
             image: cve5-to-osv
             imagePullPolicy: Always
-            securityContext:
-              privileged: true
             resources:
               requests:
                 cpu: "8"
diff --git a/deployment/clouddeploy/gke-workers/base/debian-convert.yaml b/deployment/clouddeploy/gke-workers/base/debian-convert.yaml
@@ -21,8 +21,6 @@ spec:
             volumeMounts:
               - mountPath: "/work"
                 name: "ssd"
-            securityContext:
-              privileged: true
             resources:
               requests:
                 cpu: "1"
diff --git a/deployment/clouddeploy/gke-workers/base/debian-copyright-mirror.yaml b/deployment/clouddeploy/gke-workers/base/debian-copyright-mirror.yaml
@@ -16,8 +16,6 @@ spec:
           - name: debian-copyright-mirror
             image: debian-copyright-mirror
             imagePullPolicy: Always
-            securityContext:
-              privileged: true
             resources:
               requests:
                 cpu: "1"
diff --git a/deployment/clouddeploy/gke-workers/base/debian-cve-convert.yaml b/deployment/clouddeploy/gke-workers/base/debian-cve-convert.yaml
@@ -20,8 +20,6 @@ spec:
           - name: debian-cve-convert
             image: debian-cve-convert
             imagePullPolicy: Always
-            securityContext:
-              privileged: true
             resources:
               requests:
                 cpu: "2"
diff --git a/deployment/clouddeploy/gke-workers/base/debian-first-version.yaml b/deployment/clouddeploy/gke-workers/base/debian-first-version.yaml
@@ -21,8 +21,6 @@ spec:
             volumeMounts:
               - mountPath: "/work"
                 name: "ssd"
-            securityContext:
-              privileged: true
             resources:
               requests:
                 cpu: "1"
diff --git a/deployment/clouddeploy/gke-workers/base/importer-deleter.yaml b/deployment/clouddeploy/gke-workers/base/importer-deleter.yaml
@@ -18,8 +18,6 @@ spec:
             volumeMounts:
               - mountPath: "/work"
                 name: "ssd"
-            securityContext:
-              privileged: true
             resources:
               requests:
                 cpu: "1"
diff --git a/deployment/clouddeploy/gke-workers/base/importer.yaml b/deployment/clouddeploy/gke-workers/base/importer.yaml
@@ -29,8 +29,6 @@ spec:
                 value: "1.0"
               - name: TRACE_SAMPLE_RATE # for the individual vulnerability entries
                 value: "0.05"
-            securityContext:
-              privileged: true
             resources:
               requests:
                 cpu: "1"
diff --git a/deployment/clouddeploy/gke-workers/base/nvd-cve-osv.yaml b/deployment/clouddeploy/gke-workers/base/nvd-cve-osv.yaml
@@ -17,8 +17,6 @@ spec:
           - name: nvd-cve-osv
             image: nvd-cve-osv
             imagePullPolicy: Always
-            securityContext:
-              privileged: true
             resources:
               requests:
                 cpu: "1"
diff --git a/deployment/clouddeploy/gke-workers/base/nvd-mirror.yaml b/deployment/clouddeploy/gke-workers/base/nvd-mirror.yaml
@@ -24,8 +24,6 @@ spec:
               value: /tmp
             image: nvd-mirror
             imagePullPolicy: Always
-            securityContext:
-              privileged: true
             resources:
               requests:
                 cpu: "30"
diff --git a/deployment/clouddeploy/gke-workers/base/workers.yaml b/deployment/clouddeploy/gke-workers/base/workers.yaml
@@ -36,8 +36,6 @@ spec:
         env:
           - name: GITTER_HOST
             value: http://gitter-service:8888
-        securityContext:
-          privileged: true
         resources:
           requests:
             cpu: 1
diff --git a/deployment/clouddeploy/oss-fuzz-workers/importer.yaml b/deployment/clouddeploy/oss-fuzz-workers/importer.yaml
@@ -29,8 +29,6 @@ spec:
                 name: "ssd"
               - mountPath: "/secrets"
                 name: "secrets"
-            securityContext:
-              privileged: true
             resources:
               requests:
                 cpu: "1"
