ci: Update CNS daemonset capabilities within E2E (#2902)

jpayne3506 · web-flow · commit 032890a7bbed · 2024-08-09T22:39:38.000Z
ci: update CNS caps
diff --git a/test/integration/manifests/cns/daemonset-linux.yaml b/test/integration/manifests/cns/daemonset-linux.yaml
@@ -46,8 +46,11 @@ spec:
           args: [ "-c", "tcp://$(CNSIpAddress):$(CNSPort)", "-t", "$(CNSLogTarget)"]
           securityContext:
             capabilities:
+              drop:
+                - ALL
               add:
-                - NET_ADMIN
+                - NET_ADMIN # only necessary for delegated IPAM/Cilium
+                - NET_RAW # only necessary for delegated IPAM/Cilium
           volumeMounts:
             - name: log
               mountPath: /var/log
@@ -89,8 +92,8 @@ spec:
           command: ["sleep", "3600"]
           securityContext:
             capabilities:
-              add:
-                - NET_ADMIN
+              drop:
+                - ALL
           volumeMounts:
             - name: log
               mountPath: /var/log
diff --git a/test/integration/manifests/cns/daemonset-windows.yaml b/test/integration/manifests/cns/daemonset-windows.yaml
@@ -123,6 +123,10 @@ spec:
           volumeMounts:
             - name: cni-bin
               mountPath: /k/azurecni/bin/ # TODO: add cni conflist when ready
+          securityContext:
+            capabilities:
+              drop:
+                - ALL
       hostNetwork: true
       volumes:
         - name: log
