
Commit f446b78

committed
Add required securityContext parameters for 4.12+
1 parent 134a669 commit f446b78

13 files changed

+159
-0
lines changed

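--- a/artifacts/deploy/300_deployment.yaml
+++ b/artifacts/deploy/300_deployment.yaml
@@ -17,6 +17,10 @@ spec:
     clusterresourceoverride.operator: "true"
 spec:
   serviceAccountName: clusterresourceoverride-operator
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
   containers:
   - name: clusterresourceoverride-operator
     image: CLUSTERRESOURCEOVERRIDE_OPERATOR_IMAGE
@@ -51,3 +55,8 @@ spec:
         path: /healthz
         port: 8080
       initialDelaySeconds: 5
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL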
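Review bot: The pod-level `runAsNonRoot: true` in the first hunk is checked by the kubelet against the effective UID, and because no `runAsUser` is set that UID has to come from the SCC-assigned range or from a numeric `USER` in the operator image; if the image runs as root or names a non-numeric user, the pod fails at container start rather than at admission. A comment next to the field would save the next reader the hunt, e.g. `# no runAsUser on purpose: restricted-v2 assigns the UID; image must not require root`. Note also that this manifest sets seccompProfile/runAsNonRoot at pod level while the Go assets and the CSV in this commit set them on the container; both satisfy restricted-v2, but only the pod-level form covers any container added later to this template.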

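--- a/artifacts/example/test-deployment.yaml
+++ b/artifacts/example/test-deployment.yaml
@@ -23,3 +23,12 @@ spec:
           limits:
             memory: "512Mi"
             cpu: "2000m"
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+      securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault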
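Review bot: The two `securityContext:` keys added to this example must sit at different mapping levels (the first under the container, the second under the pod `spec`), and the rendered view does not show the indentation that proves it. If both end up under the container they are a duplicate key, and depending on the YAML parser the first block (allowPrivilegeEscalation/drop ALL) is either silently overridden or the manifest is rejected. Worth a quick `kubectl apply --dry-run=server` on the file, and a one-line comment such as `# pod-level: applies to every container in the pod` above the second key so the split is intentional rather than accidental.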

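--- a/artifacts/example/test-pod-with-limitranges.yaml
+++ b/artifacts/example/test-pod-with-limitranges.yaml
@@ -23,4 +23,13 @@ spec:
     image: openshift/hello-openshift
     ports:
     - containerPort: 8080
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
 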
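Review bot: `runAsNonRoot: true` on a pod that runs `openshift/hello-openshift` with no `runAsUser` only works where something assigns a non-root UID — on OpenShift the restricted-v2 SCC does, but on a plain Kubernetes cluster the kubelet falls back to the image's `USER` and will refuse the container if that is root or non-numeric. Since this is an example file users copy, a comment would prevent a confusing `CreateContainerConfigError`, e.g. `# relies on the SCC to inject a non-root UID; set runAsUser explicitly outside OpenShift`. Whether the hello-openshift image declares a numeric non-root USER is not visible here and should be confirmed.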
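--- a/artifacts/example/test-pod.yaml
+++ b/artifacts/example/test-pod.yaml
@@ -15,3 +15,12 @@ spec:
       limits:
         memory: "512Mi"
         cpu: "2000m"
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault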

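--- a/artifacts/olm/registry/registry-deployment.yaml
+++ b/artifacts/olm/registry/registry-deployment.yaml
@@ -57,6 +57,15 @@ spec:
             memory: 100Mi
         terminationMessagePath: /dev/termination-log
         terminationMessagePolicy: File
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+      securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
       volumes:
       - name: workdir
         emptyDir: {}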

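--- a/doc/install-via-olm.md
+++ b/doc/install-via-olm.md
@@ -156,5 +156,14 @@ spec:
       limits:
         memory: "512Mi"
         cpu: "2000m"
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
 EOF
 ```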

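--- a/go.mod
+++ b/go.mod
@@ -21,6 +21,7 @@ require (
 	k8s.io/component-base v0.21.0
 	k8s.io/klog v1.0.0
 	k8s.io/kube-aggregator v0.21.0
+	k8s.io/utils v0.0.0-20201110183641-67b214c5f920
 	sigs.k8s.io/controller-runtime v0.3.0
 	sigs.k8s.io/yaml v1.2.0
 )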

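--- a/manifests/4.11/clusterresourceoverride-operator.v4.11.0.clusterserviceversion.yaml
+++ b/manifests/4.11/clusterresourceoverride-operator.v4.11.0.clusterserviceversion.yaml
@@ -322,6 +322,15 @@ spec:
                     path: /healthz
                     port: 8080
                   initialDelaySeconds: 5
+                securityContext:
+                  allowPrivilegeEscalation: false
+                  capabilities:
+                    drop:
+                    - ALL
+              securityContext:
+                runAsNonRoot: true
+                seccompProfile:
+                  type: RuntimeDefault
       installModes:
       - supported: true
         type: OwnNamespace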
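Review bot: The commit title says the fields are required for 4.12+, yet the only CSV touched is `manifests/4.11/…v4.11.0.clusterserviceversion.yaml`; if a 4.12 bundle is produced from a separate CSV or generated from a template elsewhere in the repo, it ships without these fields and the operator pod is rejected under the restricted-v2 SCC. Please confirm where the 4.12 CSV comes from, and if it is copied from this file, say so in the commit message or a comment near the deployment spec. As in the other manifests, the two `securityContext:` keys here must land on different levels (container vs. pod template spec); the rendered diff cannot show that, so a server-side dry run of the bundle is the cheapest check.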

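--- a/pkg/asset/daemonset.go
+++ b/pkg/asset/daemonset.go
@@ -4,6 +4,7 @@ import (
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/utils/pointer"
 )
 
 func (a *Asset) DaemonSet() *daemonset {
@@ -84,6 +85,16 @@ func (d *daemonset) New() *appsv1.DaemonSet {
 					Protocol: corev1.ProtocolTCP,
 				},
 			},
+			SecurityContext: &corev1.SecurityContext{
+				AllowPrivilegeEscalation: pointer.BoolPtr(false),
+				Capabilities: &corev1.Capabilities{
+					Drop: []corev1.Capability{"ALL"},
+				},
+				RunAsNonRoot: pointer.BoolPtr(true),
+				SeccompProfile: &corev1.SeccompProfile{
+					Type: "RuntimeDefault",
+				},
+			},
 			VolumeMounts: []corev1.VolumeMount{
 				{
 					Name: "serving-cert",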
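Review bot: The seccomp type in the second hunk is an untyped string literal, `Type: "RuntimeDefault",`, which the compiler cannot check; a typo there would silently produce a pod that the restricted-v2 SCC rejects at admission. k8s.io/api v0.21.0 already exports the constant, so `Type: corev1.SeccompProfileTypeRuntimeDefault,` costs nothing and is caught at build time. `RunAsNonRoot` is set without `RunAsUser`, so the webhook server image must either run as a numeric non-root USER or rely on the SCC to assign one; a short why-comment above the block would record that. The body of `New()` begins and ends outside this hunk.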

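--- a/pkg/asset/deployment.go
+++ b/pkg/asset/deployment.go
@@ -5,6 +5,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/intstr"
+	"k8s.io/utils/pointer"
 )
 
 func (a *Asset) Deployment() *deployment {
@@ -75,6 +76,16 @@ func (d *deployment) New() *appsv1.Deployment {
 					ContainerPort: 8443,
 				},
 			},
+			SecurityContext: &corev1.SecurityContext{
+				AllowPrivilegeEscalation: pointer.BoolPtr(false),
+				Capabilities: &corev1.Capabilities{
+					Drop: []corev1.Capability{"ALL"},
+				},
+				RunAsNonRoot: pointer.BoolPtr(true),
+				SeccompProfile: &corev1.SeccompProfile{
+					Type: "RuntimeDefault",
+				},
+			},
 			VolumeMounts: []corev1.VolumeMount{
 				{
 					Name: "serving-cert",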
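Review bot: The ten-line `SecurityContext` literal in the second hunk is byte-for-byte the same one added to `pkg/asset/daemonset.go` in this commit; since both assets describe the same webhook server, the two copies will drift the first time one is hardened and the other is not. A small package-level helper in pkg/asset keeps the restricted-v2 posture in one place and lets the seccomp type use the checked constant instead of a bare string. `New()` starts and ends outside this hunk; only the `SecurityContext:` line inside it would change.

```go
// restrictedSecurityContext returns the container securityContext the
// restricted-v2 SCC requires; shared by the Deployment and DaemonSet assets.
func restrictedSecurityContext() *corev1.SecurityContext {
	return &corev1.SecurityContext{
		AllowPrivilegeEscalation: pointer.BoolPtr(false),
		Capabilities:             &corev1.Capabilities{Drop: []corev1.Capability{"ALL"}},
		RunAsNonRoot:             pointer.BoolPtr(true),
		SeccompProfile:           &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault},
	}
}

// … unchanged: New() up to the container's Ports …
			SecurityContext: restrictedSecurityContext(),
			VolumeMounts: []corev1.VolumeMount{
```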

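--- a/test/e2e/e2e_test.go
+++ b/test/e2e/e2e_test.go
@@ -10,6 +10,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/utils/pointer"
 
 	autoscalingv1 "github.com/openshift/cluster-resource-override-admission-operator/pkg/apis/autoscaling/v1"
 	"github.com/openshift/cluster-resource-override-admission-operator/test/helper"
@@ -41,6 +42,16 @@ func TestClusterResourceOverrideAdmissionWithOptIn(t *testing.T) {
 							corev1.ResourceCPU: resource.MustParse("1000m"),
 						},
 					},
+					SecurityContext: &corev1.SecurityContext{
+						AllowPrivilegeEscalation: pointer.BoolPtr(false),
+						Capabilities: &corev1.Capabilities{
+							Drop: []corev1.Capability{"ALL"},
+						},
+						RunAsNonRoot: pointer.BoolPtr(true),
+						SeccompProfile: &corev1.SeccompProfile{
+							Type: "RuntimeDefault",
+						},
+					},
 				},
 				{
 					Name: "app",
@@ -57,6 +68,16 @@ func TestClusterResourceOverrideAdmissionWithOptIn(t *testing.T) {
 							corev1.ResourceCPU: resource.MustParse("500m"),
 						},
 					},
+					SecurityContext: &corev1.SecurityContext{
+						AllowPrivilegeEscalation: pointer.BoolPtr(false),
+						Capabilities: &corev1.Capabilities{
+							Drop: []corev1.Capability{"ALL"},
+						},
+						RunAsNonRoot: pointer.BoolPtr(true),
+						SeccompProfile: &corev1.SeccompProfile{
+							Type: "RuntimeDefault",
+						},
+					},
 				},
 			},
 		},
@@ -101,6 +122,16 @@ func TestClusterResourceOverrideAdmissionWithOptIn(t *testing.T) {
 						"-c",
 						"echo The app is running! && sleep 1",
 					},
+					SecurityContext: &corev1.SecurityContext{
+						AllowPrivilegeEscalation: pointer.BoolPtr(false),
+						Capabilities: &corev1.Capabilities{
+							Drop: []corev1.Capability{"ALL"},
+						},
+						RunAsNonRoot: pointer.BoolPtr(true),
+						SeccompProfile: &corev1.SeccompProfile{
+							Type: "RuntimeDefault",
+						},
+					},
 				},
 			},
 			Containers: []corev1.Container{
@@ -118,6 +149,16 @@ func TestClusterResourceOverrideAdmissionWithOptIn(t *testing.T) {
 							corev1.ResourceMemory: resource.MustParse("512Mi"),
 							corev1.ResourceCPU: resource.MustParse("500m")},
 					},
+					SecurityContext: &corev1.SecurityContext{
+						AllowPrivilegeEscalation: pointer.BoolPtr(false),
+						Capabilities: &corev1.Capabilities{
+							Drop: []corev1.Capability{"ALL"},
+						},
+						RunAsNonRoot: pointer.BoolPtr(true),
+						SeccompProfile: &corev1.SeccompProfile{
+							Type: "RuntimeDefault",
+						},
+					},
 				},
 			},
 		},
@@ -169,6 +210,16 @@ func TestClusterResourceOverrideAdmissionWithOptIn(t *testing.T) {
 							ContainerPort: 60100,
 						},
 					},
+					SecurityContext: &corev1.SecurityContext{
+						AllowPrivilegeEscalation: pointer.BoolPtr(false),
+						Capabilities: &corev1.Capabilities{
+							Drop: []corev1.Capability{"ALL"},
+						},
+						RunAsNonRoot: pointer.BoolPtr(true),
+						SeccompProfile: &corev1.SeccompProfile{
+							Type: "RuntimeDefault",
+						},
+					},
 				},
 			},
 		},
@@ -218,6 +269,16 @@ func TestClusterResourceOverrideAdmissionWithOptIn(t *testing.T) {
 							corev1.ResourceMemory: resource.MustParse("1024Mi"),
 							corev1.ResourceCPU: resource.MustParse("1000m")},
 					},
+					SecurityContext: &corev1.SecurityContext{
+						AllowPrivilegeEscalation: pointer.BoolPtr(false),
+						Capabilities: &corev1.Capabilities{
+							Drop: []corev1.Capability{"ALL"},
+						},
+						RunAsNonRoot: pointer.BoolPtr(true),
+						SeccompProfile: &corev1.SeccompProfile{
+							Type: "RuntimeDefault",
+						},
+					},
 				},
 			},
 		},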
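Review bot: The same ten-line `SecurityContext` literal is pasted six times into `TestClusterResourceOverrideAdmissionWithOptIn` (and once more in test/helper), so the next time a field is added for a newer SCC every copy has to be found by hand and one will be missed. A single exported constructor in the test/helper package, say `RestrictedSecurityContext() *corev1.SecurityContext` returning exactly this literal, reduces each site to `SecurityContext: helper.RestrictedSecurityContext(),` and also removes the repeated untyped `"RuntimeDefault"` string in favour of `corev1.SeccompProfileTypeRuntimeDefault`. The test function begins before the second hunk and continues past the last one.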

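--- a/test/helper/helper.go
+++ b/test/helper/helper.go
@@ -13,6 +13,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/rest"
+	"k8s.io/utils/pointer"
 
 	"github.com/stretchr/testify/require"
 
@@ -165,6 +166,16 @@ func NewPodWithResourceRequirement(t *testing.T, client kubernetes.Interface, na
 				},
 			},
 			Resources: requirements,
+			SecurityContext: &corev1.SecurityContext{
+				AllowPrivilegeEscalation: pointer.BoolPtr(false),
+				Capabilities: &corev1.Capabilities{
+					Drop: []corev1.Capability{"ALL"},
+				},
+				RunAsNonRoot: pointer.BoolPtr(true),
+				SeccompProfile: &corev1.SeccompProfile{
+					Type: "RuntimeDefault",
+				},
+			},
 		},
 	},
 },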
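Review bot: `NewPodWithResourceRequirement` is the shared pod builder for the e2e suite, so this is the natural home for the restricted-v2 securityContext rather than one more inline copy of the literal in the second hunk; an exported helper here can be reused by the inline pod specs in test/e2e/e2e_test.go, which currently repeat the same block. It also lets the seccomp type use the compiler-checked constant instead of the bare string `"RuntimeDefault"`. The enclosing function starts well before this hunk and ends after it; only the `SecurityContext:` line inside it would change.

```go
// RestrictedSecurityContext returns the container securityContext that
// satisfies the restricted-v2 SCC (no privilege escalation, all capabilities
// dropped, non-root, RuntimeDefault seccomp). Shared by the e2e pod fixtures.
func RestrictedSecurityContext() *corev1.SecurityContext {
	return &corev1.SecurityContext{
		AllowPrivilegeEscalation: pointer.BoolPtr(false),
		Capabilities:             &corev1.Capabilities{Drop: []corev1.Capability{"ALL"}},
		RunAsNonRoot:             pointer.BoolPtr(true),
		SeccompProfile:           &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault},
	}
}

// … unchanged: NewPodWithResourceRequirement up to the container's Resources …
			Resources:       requirements,
			SecurityContext: RestrictedSecurityContext(),
```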

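--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -818,6 +818,7 @@ k8s.io/kube-openapi/pkg/util
 k8s.io/kube-openapi/pkg/util/proto
 k8s.io/kube-openapi/pkg/util/sets
 # k8s.io/utils v0.0.0-20201110183641-67b214c5f920
+## explicit
 k8s.io/utils/buffer
 k8s.io/utils/integer
 k8s.io/utils/net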
