Set allowPrivilegeEscalation to false as a default

This commit fixes openfaas#523 and sets a default, which nobody has
raised any concerns with. If this affects you in a negative
way then please feel free to raise an issue for discussion.

Signed-off-by: Alex Ellis (OpenFaaS Ltd) <[email protected]>

Author: alexellis

pkg/controller/deployment.go

@@ -56,6 +56,8 @@ func newDeployment(
 		}
 	}
 
+	allowPrivilegeEscalation := false
+
 	deploymentSpec := &appsv1.Deployment{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:        function.Spec.Name,
@@ -110,6 +112,9 @@ func newDeployment(
 							Resources:       *resources,
 							LivenessProbe:   probes.Liveness,
 							ReadinessProbe:  probes.Readiness,
+							SecurityContext: &corev1.SecurityContext{
+								AllowPrivilegeEscalation: &allowPrivilegeEscalation,
+							},
 						},
 					},
 				},

pkg/handlers/deploy.go

@@ -173,6 +173,7 @@ func makeDeploymentSpec(request types.FunctionDeployment, existingSecrets map[st
 	}
 
 	enableServiceLinks := false
+	allowPrivilegeEscalation := false
 
 	deploymentSpec := &appsv1.Deployment{
 		ObjectMeta: metav1.ObjectMeta{
@@ -228,7 +229,8 @@ func makeDeploymentSpec(request types.FunctionDeployment, existingSecrets map[st
 							LivenessProbe:   probes.Liveness,
 							ReadinessProbe:  probes.Readiness,
 							SecurityContext: &corev1.SecurityContext{
-								ReadOnlyRootFilesystem: &request.ReadOnlyRootFilesystem,
+								ReadOnlyRootFilesystem:   &request.ReadOnlyRootFilesystem,
+								AllowPrivilegeEscalation: &allowPrivilegeEscalation,
 							},
 						},
 					},