secureCodeBox · J12934 · Jul 9, 2025 · Jun 30, 2025 · Jun 30, 2025 · Jul 8, 2025
diff --git a/operator/controllers/execution/scans/hook_reconciler.go b/operator/controllers/execution/scans/hook_reconciler.go
@@ -388,7 +388,7 @@ func generateJobForHook(hookName string, hookSpec *executionv1.ScanCompletionHoo
 								ReadOnlyRootFilesystem:   &truePointer,
 								Privileged:               &falsePointer,
 								Capabilities: &corev1.Capabilities{
-									Drop: []corev1.Capability{"all"},
+									Drop: []corev1.Capability{"ALL"},
 								},
 							},
 						},

diff --git a/operator/controllers/execution/scans/parse_reconciler.go b/operator/controllers/execution/scans/parse_reconciler.go
@@ -191,7 +191,7 @@ func (r *ScanReconciler) startParser(scan *executionv1.Scan) error {
 								ReadOnlyRootFilesystem:   &truePointer,
 								Privileged:               &falsePointer,
 								Capabilities: &corev1.Capabilities{
-									Drop: []corev1.Capability{"all"},
+									Drop: []corev1.Capability{"ALL"},
 								},
 							},
 						},

diff --git a/operator/controllers/execution/scans/scan_reconciler.go b/operator/controllers/execution/scans/scan_reconciler.go
@@ -288,6 +288,27 @@ func (r *ScanReconciler) constructJobForScan(scan *executionv1.Scan, scanTypeSpe
 		return nil, fmt.Errorf("unknown imagePull Policy for lurker: %s", lurkerPullPolicyRaw)
 	}
 
+	seccompProfileRaw := os.Getenv("LURKER_SECCOMP_PROFILE")
+	var seccompProfile corev1.SeccompProfile
+	switch seccompProfileRaw {
+	case "Localhost":
+		seccompProfile = corev1.SeccompProfile{
+			Type: corev1.SeccompProfileTypeLocalhost,}
+	case "RuntimeDefault":
+		seccompProfile = corev1.SeccompProfile{
+			Type: corev1.SeccompProfileTypeRuntimeDefault,}
+	case "Unconfined": 
+		seccompProfile = corev1.SeccompProfile{
+			Type: corev1.SeccompProfileTypeUnconfined,}
+	case "":
+		seccompProfile = corev1.SeccompProfile{
+			Type: corev1.SeccompProfileTypeRuntimeDefault,
+		}
+	default:
+		return nil, fmt.Errorf("unknown seccompProfile for lurker: %s", seccompProfileRaw)
+	}
+
+	r.Log.Info("Using Lurker Image", "seccompProfile", seccompProfileRaw)
 	falsePointer := false
 	truePointer := true
 
@@ -336,7 +357,10 @@ func (r *ScanReconciler) constructJobForScan(scan *executionv1.Scan, scanTypeSpe
 			ReadOnlyRootFilesystem:   &truePointer,
 			Privileged:               &falsePointer,
 			Capabilities: &corev1.Capabilities{
-				Drop: []corev1.Capability{"all"},
+				Drop: []corev1.Capability{"ALL"},
+			},
+			SeccompProfile: &corev1.SeccompProfile{
+				Type: seccompProfile.Type,
 			},
 		},
 	}

diff --git a/operator/templates/manager/manager.yaml b/operator/templates/manager/manager.yaml
@@ -123,6 +123,8 @@ spec:
               value: "{{ .Values.lurker.image.repository }}:{{ .Values.lurker.image.tag | default .Chart.Version }}"
             - name: LURKER_PULL_POLICY
               value: {{ .Values.lurker.image.pullPolicy }}
+            - name: LURKER_SECCOMP_PROFILE
+              value: {{ .Values.securityContext.seccompProfile.type }}
             {{- if .Values.customCACertificate.existingCertificate }}
             - name: CUSTOM_CA_CERTIFICATE_EXISTING_CERTIFICATE
               value: {{ .Values.customCACertificate.existingCertificate | quote }}

diff --git a/operator/tests/__snapshot__/operator_test.yaml.snap b/operator/tests/__snapshot__/operator_test.yaml.snap
@@ -68,6 +68,8 @@ matches the snapshot:
                   value: docker.io/securecodebox/lurker:0.0.0
                 - name: LURKER_PULL_POLICY
                   value: IfNotPresent
+                - name: LURKER_SECCOMP_PROFILE
+                  value: RuntimeDefault
                 - name: CUSTOM_CA_CERTIFICATE_EXISTING_CERTIFICATE
                   value: foo
                 - name: CUSTOM_CA_CERTIFICATE_NAME
@@ -111,10 +113,12 @@ matches the snapshot:
                 allowPrivilegeEscalation: false
                 capabilities:
                   drop:
-                    - all
+                    - ALL
                 privileged: false
                 readOnlyRootFilesystem: true
                 runAsNonRoot: true
+                seccompProfile:
+                  type: RuntimeDefault
               volumeMounts:
                 - mountPath: /etc/ssl/certs/public.crt
                   name: ca-certificate
@@ -645,6 +649,8 @@ properly-renders-the-service-monitor-when-enabled:
                   value: docker.io/securecodebox/lurker:0.0.0
                 - name: LURKER_PULL_POLICY
                   value: IfNotPresent
+                - name: LURKER_SECCOMP_PROFILE
+                  value: RuntimeDefault
                 - name: CUSTOM_CA_CERTIFICATE_EXISTING_CERTIFICATE
                   value: foo
                 - name: CUSTOM_CA_CERTIFICATE_NAME
@@ -688,10 +694,12 @@ properly-renders-the-service-monitor-when-enabled:
                 allowPrivilegeEscalation: false
                 capabilities:
                   drop:
-                    - all
+                    - ALL
                 privileged: false
                 readOnlyRootFilesystem: true
                 runAsNonRoot: true
+                seccompProfile:
+                  type: RuntimeDefault
               volumeMounts:
                 - mountPath: /etc/ssl/certs/public.crt
                   name: ca-certificate

diff --git a/operator/values.yaml b/operator/values.yaml
@@ -50,7 +50,11 @@ securityContext:
   capabilities:
     drop:
       # securityContext.capabilities.drop[0] -- This drops all linux privileges from the operator container. They are not required
-      - all
+      - ALL
+  seccompProfile:
+    # securityContext.seccompProfile.type -- one of RuntimeDefault, Unconfined, Localhost
+    # To disable seccompProfile, set to Unconfined. See: https://kubernetes.io/docs/tutorials/security/seccomp/
+    type: RuntimeDefault
 
 # -- Sets the securityContext on the operators pod level. See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
 podSecurityContext: {}