Merge pull request #911 from bogdando/DROP_CAPS

Drop linux capabilities and rework users/groups

roles/dnsmasq/defaults/main.yml

@@ -26,3 +26,16 @@ dns_cpu_limit: 100m
 dns_memory_limit: 170Mi
 dns_cpu_requests: 70m
 dns_memory_requests: 70Mi
+
+# Linux capabilities to be dropped for dnsmasq k8s app ran container engines
+dnsmasq_drop_cap:
+  - chown
+  - dac_override
+  - fowner
+  - fsetid
+  - kill
+  - setpcap
+  - sys_chroot
+  - mknod
+  - audit_write
+  - setfcap

roles/dnsmasq/templates/dnsmasq-ds.yml

@@ -26,6 +26,10 @@ spec:
             capabilities:
               add:
                 - NET_ADMIN
+              drop:
+{% for c in dnsmasq_drop_cap %}
+                - {{ c.upper() }}
+{% endfor %}
           imagePullPolicy: IfNotPresent
           resources:
             limits: