apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- resources.yaml
- aggregated-roles.yaml
namespace: kubeflow
patches:
  - target:
      kind: Deployment
      name: spark-operator-webhook
    patch: |-
      - op: add
        path: /spec/template/spec/containers/0/securityContext
        value:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          privileged: false
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          seccompProfile:
            type: RuntimeDefault # Only this is missing upstream!
  - target:
      kind: Deployment
      name: spark-operator-controller
    patch: |-
      - op: add
        path: /spec/template/spec/containers/0/securityContext
        value:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          privileged: false
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          seccompProfile:
            type: RuntimeDefault # only this is missing upstream!
  - target:
      kind: Deployment
      name: spark-operator-webhook
    patch: |-
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: spark-operator-webhook
      spec:
        template:
          metadata:
            labels:
              sidecar.istio.io/inject: "false"
  - target:
      kind: Deployment
      name: spark-operator-controller
    patch: |-
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: spark-operator-controller
      spec:
        template:
          metadata:
            labels:
              sidecar.istio.io/inject: "false"