Set securityContext on injected initContainer

pkg/instrumentation/sdk.go

@@ -118,6 +118,19 @@ func (i *sdkInjector) inject(ctx context.Context, insts languageInstrumentations
 		pod = i.injectCommonEnvVar(otelinst, pod, index)
 		pod = i.injectCommonSDKConfig(ctx, otelinst, ns, pod, index)
 	}
+
+	pod = i.setInitContainerSecurityContext(pod, pod.Spec.Containers[index].SecurityContext)
+
+	return pod
+}
+
+func (i *sdkInjector) setInitContainerSecurityContext(pod corev1.Pod, securityContext *corev1.SecurityContext) corev1.Pod {
+	for i, initContainer := range pod.Spec.InitContainers {
+		if initContainer.Name == initContainerName {
+			pod.Spec.InitContainers[i].SecurityContext = securityContext
+		}
+	}
+
 	return pod
 }
 

tests/e2e/instrumentation-dotnet/01-assert.yaml

@@ -50,5 +50,9 @@ spec:
   - name: otc-container
   initContainers:
   - name: opentelemetry-auto-instrumentation
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop: ["ALL"]
 status:
   phase: Running

tests/e2e/instrumentation-dotnet/01-install-app.yaml

@@ -22,3 +22,7 @@ spec:
       containers:
       - name: myapp
         image: docker.io/avadhutp123/aspnetapp@sha256:d2e8d3415f6f12efae0369aa0a9777a58583841fb133f33e10a73adb9fb392da  # source code of the application: https://github.com/dotnet/dotnet-docker/tree/main/samples/aspnetapp
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop: ["ALL"]

tests/e2e/instrumentation-java-other-ns/03-assert.yaml

@@ -44,5 +44,9 @@ spec:
   - name: otc-container
   initContainers:
   - name: opentelemetry-auto-instrumentation
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop: ["ALL"]
 status:
   phase: Running

tests/e2e/instrumentation-java-other-ns/03-install-app.yaml

@@ -22,3 +22,7 @@ spec:
       containers:
       - name: myapp
         image: ghcr.io/pavolloffay/spring-petclinic:latest
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop: ["ALL"]

tests/e2e/instrumentation-java/01-assert.yaml

@@ -44,5 +44,9 @@ spec:
   - name: otc-container
   initContainers:
   - name: opentelemetry-auto-instrumentation
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop: ["ALL"]
 status:
   phase: Running

tests/e2e/instrumentation-java/01-install-app.yaml

@@ -22,3 +22,7 @@ spec:
       containers:
       - name: myapp
         image: ghcr.io/pavolloffay/spring-petclinic:latest
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop: ["ALL"]

tests/e2e/instrumentation-nodejs/01-assert.yaml

@@ -40,5 +40,9 @@ spec:
   - name: otc-container
   initContainers:
   - name: opentelemetry-auto-instrumentation
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop: ["ALL"]
 status:
   phase: Running

tests/e2e/instrumentation-nodejs/01-install-app.yaml

@@ -22,3 +22,7 @@ spec:
       containers:
       - name: myapp
         image: ghcr.io/anuraaga/express-hello-world:latest
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop: ["ALL"]

tests/e2e/instrumentation-python/01-assert.yaml

@@ -46,5 +46,9 @@ spec:
   - name: otc-container
   initContainers:
   - name: opentelemetry-auto-instrumentation
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop: ["ALL"]
 status:
   phase: Running

tests/e2e/instrumentation-python/01-install-app.yaml

@@ -22,3 +22,7 @@ spec:
       containers:
       - name: myapp
         image: ghcr.io/anuraaga/flask-hello-world:latest
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop: ["ALL"]