From 497daa5f60f434f90cec2a736ed7e5dbd6bfc26c Mon Sep 17 00:00:00 2001
From: Petter Abrahamsson <petter@jebus.nu>
Date: Thu, 9 Apr 2020 12:47:17 -0400
Subject: [PATCH] Remove IPC_LOCK capability (#198)

* Remove IPC_LOCK capability

* Remove tests for IPC_LOCK
---
 templates/server-statefulset.yaml | 3 ---
 test/acceptance/server-ha.bats    | 5 -----
 test/acceptance/server.bats       | 5 -----
 3 files changed, 13 deletions(-)

diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml
index 255a844..1497889 100644
--- a/templates/server-statefulset.yaml
+++ b/templates/server-statefulset.yaml
@@ -52,9 +52,6 @@ spec:
       containers:
         - name: vault
           {{ template "vault.resources" . }}
-          securityContext:
-            capabilities:
-              add: ["IPC_LOCK"]
           image: {{ .Values.server.image.repository }}:{{ .Values.server.image.tag | default "latest" }}
           imagePullPolicy: {{ .Values.server.image.pullPolicy }}
           command: {{ template "vault.command" . }}
diff --git a/test/acceptance/server-ha.bats b/test/acceptance/server-ha.bats
index 74a3c11..4cb4a75 100644
--- a/test/acceptance/server-ha.bats
+++ b/test/acceptance/server-ha.bats
@@ -18,11 +18,6 @@ load _helpers
     jq -r '.initialized')
   [ "${init_status}" == "false" ]
 
-  # Security
-  local ipc=$(kubectl get statefulset "$(name_prefix)" --output json |
-    jq -r '.spec.template.spec.containers[0].securityContext.capabilities.add[0]')
-  [ "${ipc}" == "IPC_LOCK" ]
-
   # Replicas
   local replicas=$(kubectl get statefulset "$(name_prefix)" --output json |
     jq -r '.spec.replicas')
diff --git a/test/acceptance/server.bats b/test/acceptance/server.bats
index beb2fa2..ce7843f 100644
--- a/test/acceptance/server.bats
+++ b/test/acceptance/server.bats
@@ -21,11 +21,6 @@ load _helpers
     jq -r '.initialized')
   [ "${init_status}" == "false" ]
 
-  # Security
-  local ipc=$(kubectl get statefulset "$(name_prefix)" --output json |
-    jq -r '.spec.template.spec.containers[0].securityContext.capabilities.add[0]')
-  [ "${ipc}" == "IPC_LOCK" ]
-
   # Replicas
   local replicas=$(kubectl get statefulset "$(name_prefix)" --output json |
     jq -r '.spec.replicas')