
Commit aa2706c

committed
Update unpack job security
Signed-off-by: perdasilva <[email protected]>
1 parent 7e1e2f1 commit aa2706c


4 files changed

+94
-27
lines changed


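--- a/pkg/controller/bundle/bundle_unpacker.go
+++ b/pkg/controller/bundle/bundle_unpacker.go
@@ -7,6 +7,7 @@ import (
 "strings"
 "time"
 
+"github.com/operator-framework/operator-lifecycle-manager/pkg/controller/security"
 "github.com/operator-framework/operator-registry/pkg/api"
 "github.com/operator-framework/operator-registry/pkg/configmap"
 "github.com/sirupsen/logrus"
@@ -190,6 +191,10 @@ func (c *ConfigMapUnpacker) job(cmRef *corev1.ObjectReference, bundlePath string
 },
 },
 }
+
+// Apply Pod security
+security.ApplyPodSpecSecurity(&job.Spec.Template.Spec)
+
 job.SetNamespace(cmRef.Namespace)
 job.SetName(cmRef.Name)
 job.SetOwnerReferences([]metav1.OwnerReference{ownerRef(cmRef)})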
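Review bot: The pod-level RunAsUser of 1001 that `security.ApplyPodSpecSecurity(&job.Spec.Template.Spec)` installs at line 196 now also governs the `pull` init container, which (from the fixture naming in the test file) appears to run the bundle image rather than an OLM-owned image, so a bundle whose files are not readable by UID 1001 would presumably fail to unpack; confirm that unpacking still works for bundles built with a different USER and record the answer in the comment. `// Apply Pod security` also undersells what the call does: it replaces whatever pod- and container-level SecurityContext the job spec had, which is worth stating so nobody later adds a per-container context above it expecting it to survive, e.g. `// Apply the standard hardened pod/container security contexts (overrides any contexts set above).` The job method starts outside this hunk.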

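--- a/pkg/controller/bundle/bundle_unpacker_test.go
+++ b/pkg/controller/bundle/bundle_unpacker_test.go
@@ -68,6 +68,27 @@ func TestConfigMapUnpacker(t *testing.T) {
 roleBindings []*rbacv1.RoleBinding
 }
 
+var expectedReadOnlyRootFilesystem = false
+var expectedAllowPrivilegeEscalation = false
+var expectedRunAsNonRoot = true
+var expectedRunAsUser int64 = 1001
+
+var expectedContainerSecurityContext = &corev1.SecurityContext{
+ReadOnlyRootFilesystem: &expectedReadOnlyRootFilesystem,
+AllowPrivilegeEscalation: &expectedAllowPrivilegeEscalation,
+Capabilities: &corev1.Capabilities{
+Drop: []corev1.Capability{"ALL"},
+},
+}
+
+var expectedPodSecurityContext = &corev1.PodSecurityContext{
+RunAsNonRoot: &expectedRunAsNonRoot,
+RunAsUser: &expectedRunAsUser,
+SeccompProfile: &corev1.SeccompProfile{
+Type: corev1.SeccompProfileTypeRuntimeDefault,
+},
+}
+
 tests := []struct {
 description string
 fields fields
@@ -220,6 +241,7 @@ func TestConfigMapUnpacker(t *testing.T) {
 Spec: corev1.PodSpec{
 RestartPolicy: corev1.RestartPolicyNever,
 ImagePullSecrets: []corev1.LocalObjectReference{{Name: "my-secret"}},
+SecurityContext: expectedPodSecurityContext,
 Containers: []corev1.Container{
 {
 Name: "extract",
@@ -243,6 +265,7 @@ func TestConfigMapUnpacker(t *testing.T) {
 corev1.ResourceMemory: resource.MustParse("50Mi"),
 },
 },
+SecurityContext: expectedContainerSecurityContext,
 },
 },
 InitContainers: []corev1.Container{
@@ -262,6 +285,7 @@ func TestConfigMapUnpacker(t *testing.T) {
 corev1.ResourceMemory: resource.MustParse("50Mi"),
 },
 },
+SecurityContext: expectedContainerSecurityContext,
 },
 {
 Name: "pull",
@@ -284,6 +308,7 @@ func TestConfigMapUnpacker(t *testing.T) {
 corev1.ResourceMemory: resource.MustParse("50Mi"),
 },
 },
+SecurityContext: expectedContainerSecurityContext,
 },
 },
 Volumes: []corev1.Volume{
@@ -396,7 +421,8 @@ func TestConfigMapUnpacker(t *testing.T) {
 Name: pathHash,
 },
 Spec: corev1.PodSpec{
-RestartPolicy: corev1.RestartPolicyNever,
+RestartPolicy: corev1.RestartPolicyNever,
+SecurityContext: expectedPodSecurityContext,
 Containers: []corev1.Container{
 {
 Name: "extract",
@@ -420,6 +446,7 @@ func TestConfigMapUnpacker(t *testing.T) {
 corev1.ResourceMemory: resource.MustParse("50Mi"),
 },
 },
+SecurityContext: expectedContainerSecurityContext,
 },
 },
 InitContainers: []corev1.Container{
@@ -439,6 +466,7 @@ func TestConfigMapUnpacker(t *testing.T) {
 corev1.ResourceMemory: resource.MustParse("50Mi"),
 },
 },
+SecurityContext: expectedContainerSecurityContext,
 },
 {
 Name: "pull",
@@ -461,6 +489,7 @@ func TestConfigMapUnpacker(t *testing.T) {
 corev1.ResourceMemory: resource.MustParse("50Mi"),
 },
 },
+SecurityContext: expectedContainerSecurityContext,
 },
 },
 Volumes: []corev1.Volume{
@@ -614,7 +643,8 @@ func TestConfigMapUnpacker(t *testing.T) {
 Name: pathHash,
 },
 Spec: corev1.PodSpec{
-RestartPolicy: corev1.RestartPolicyNever,
+RestartPolicy: corev1.RestartPolicyNever,
+SecurityContext: expectedPodSecurityContext,
 Containers: []corev1.Container{
 {
 Name: "extract",
@@ -638,6 +668,7 @@ func TestConfigMapUnpacker(t *testing.T) {
 corev1.ResourceMemory: resource.MustParse("50Mi"),
 },
 },
+SecurityContext: expectedContainerSecurityContext,
 },
 },
 InitContainers: []corev1.Container{
@@ -657,6 +688,7 @@ func TestConfigMapUnpacker(t *testing.T) {
 corev1.ResourceMemory: resource.MustParse("50Mi"),
 },
 },
+SecurityContext: expectedContainerSecurityContext,
 },
 {
 Name: "pull",
@@ -679,6 +711,7 @@ func TestConfigMapUnpacker(t *testing.T) {
 corev1.ResourceMemory: resource.MustParse("50Mi"),
 },
 },
+SecurityContext: expectedContainerSecurityContext,
 },
 },
 Volumes: []corev1.Volume{
@@ -826,7 +859,8 @@ func TestConfigMapUnpacker(t *testing.T) {
 Name: pathHash,
 },
 Spec: corev1.PodSpec{
-RestartPolicy: corev1.RestartPolicyNever,
+RestartPolicy: corev1.RestartPolicyNever,
+SecurityContext: expectedPodSecurityContext,
 Containers: []corev1.Container{
 {
 Name: "extract",
@@ -850,6 +884,7 @@ func TestConfigMapUnpacker(t *testing.T) {
 corev1.ResourceMemory: resource.MustParse("50Mi"),
 },
 },
+SecurityContext: expectedContainerSecurityContext,
 },
 },
 InitContainers: []corev1.Container{
@@ -869,6 +904,7 @@ func TestConfigMapUnpacker(t *testing.T) {
 corev1.ResourceMemory: resource.MustParse("50Mi"),
 },
 },
+SecurityContext: expectedContainerSecurityContext,
 },
 {
 Name: "pull",
@@ -891,6 +927,7 @@ func TestConfigMapUnpacker(t *testing.T) {
 corev1.ResourceMemory: resource.MustParse("50Mi"),
 },
 },
+SecurityContext: expectedContainerSecurityContext,
 },
 },
 Volumes: []corev1.Volume{
@@ -1008,7 +1045,8 @@ func TestConfigMapUnpacker(t *testing.T) {
 Name: pathHash,
 },
 Spec: corev1.PodSpec{
-RestartPolicy: corev1.RestartPolicyNever,
+RestartPolicy: corev1.RestartPolicyNever,
+SecurityContext: expectedPodSecurityContext,
 Containers: []corev1.Container{
 {
 Name: "extract",
@@ -1032,6 +1070,7 @@ func TestConfigMapUnpacker(t *testing.T) {
 corev1.ResourceMemory: resource.MustParse("50Mi"),
 },
 },
+SecurityContext: expectedContainerSecurityContext,
 },
 },
 InitContainers: []corev1.Container{
@@ -1051,6 +1090,7 @@ func TestConfigMapUnpacker(t *testing.T) {
 corev1.ResourceMemory: resource.MustParse("50Mi"),
 },
 },
+SecurityContext: expectedContainerSecurityContext,
 },
 {
 Name: "pull",
@@ -1073,6 +1113,7 @@ func TestConfigMapUnpacker(t *testing.T) {
 corev1.ResourceMemory: resource.MustParse("50Mi"),
 },
 },
+SecurityContext: expectedContainerSecurityContext,
 },
 },
 Volumes: []corev1.Volume{
@@ -1201,7 +1242,8 @@ func TestConfigMapUnpacker(t *testing.T) {
 Name: pathHash,
 },
 Spec: corev1.PodSpec{
-RestartPolicy: corev1.RestartPolicyNever,
+RestartPolicy: corev1.RestartPolicyNever,
+SecurityContext: expectedPodSecurityContext,
 Containers: []corev1.Container{
 {
 Name: "extract",
@@ -1225,6 +1267,7 @@ func TestConfigMapUnpacker(t *testing.T) {
 corev1.ResourceMemory: resource.MustParse("50Mi"),
 },
 },
+SecurityContext: expectedContainerSecurityContext,
 },
 },
 InitContainers: []corev1.Container{
@@ -1244,6 +1287,7 @@ func TestConfigMapUnpacker(t *testing.T) {
 corev1.ResourceMemory: resource.MustParse("50Mi"),
 },
 },
+SecurityContext: expectedContainerSecurityContext,
 },
 {
 Name: "pull",
@@ -1266,6 +1310,7 @@ func TestConfigMapUnpacker(t *testing.T) {
 corev1.ResourceMemory: resource.MustParse("50Mi"),
 },
 },
+SecurityContext: expectedContainerSecurityContext,
 },
 },
 Volumes: []corev1.Volume{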
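Review bot: The expected fixtures now pin the hardened contexts on every job, but nothing exercises security.ApplyPodSpecSecurity on its own edge cases: a spec with no containers, a spec that already carried a SecurityContext (the helper overwrites it), and whether the pointers it installs are shared between two specs. A small table test in pkg/controller/security covering those three cases would catch regressions that these deep-equality comparisons cannot, because the same `expectedContainerSecurityContext` pointer on every container compares equal whether or not the helper aliased it. Reusing one pointer across fixtures at lines 76–112 is fine for comparison, but a one-line comment that these values intentionally mirror security.go, e.g. `// Mirrors the hardened contexts applied by pkg/controller/security.`, would save the next reader a trip.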

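--- a/pkg/controller/registry/reconciler/reconciler.go
+++ b/pkg/controller/registry/reconciler/reconciler.go
@@ -6,6 +6,7 @@ import (
 "hash/fnv"
 "strings"
 
+"github.com/operator-framework/operator-lifecycle-manager/pkg/controller/security"
 corev1 "k8s.io/api/core/v1"
 "k8s.io/apimachinery/pkg/api/resource"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -113,14 +114,6 @@ func Pod(source *operatorsv1alpha1.CatalogSource, name string, image string, saN
 pullPolicy = corev1.PullAlways
 }
 
-// Security context
-readOnlyRootFilesystem := false
-allowPrivilegeEscalation := false
-runAsNonRoot := true
-
-// See: https://github.com/operator-framework/operator-registry/blob/master/Dockerfile#L27
-runAsUser := int64(1001)
-
 pod := &corev1.Pod{
 ObjectMeta: metav1.ObjectMeta{
 GenerateName: source.GetName() + "-",
@@ -172,31 +165,20 @@ func Pod(source *operatorsv1alpha1.CatalogSource, name string, image string, saN
 corev1.ResourceMemory: resource.MustParse("50Mi"),
 },
 },
-SecurityContext: &corev1.SecurityContext{
-ReadOnlyRootFilesystem: &readOnlyRootFilesystem,
-AllowPrivilegeEscalation: &allowPrivilegeEscalation,
-Capabilities: &corev1.Capabilities{
-Drop: []corev1.Capability{"ALL"},
-},
-},
 ImagePullPolicy: pullPolicy,
 TerminationMessagePolicy: corev1.TerminationMessageFallbackToLogsOnError,
 },
 },
-SecurityContext: &corev1.PodSecurityContext{
-RunAsNonRoot: &runAsNonRoot,
-RunAsUser: &runAsUser,
-SeccompProfile: &corev1.SeccompProfile{
-Type: corev1.SeccompProfileTypeRuntimeDefault,
-},
-},
 NodeSelector: map[string]string{
 "kubernetes.io/os": "linux",
 },
 ServiceAccountName: saName,
 },
 }
 
+// Apply Pod security
+security.ApplyPodSpecSecurity(&pod.Spec)
+
 // Override scheduling options if specified
 if source.Spec.GrpcPodConfig != nil {
 grpcPodConfig := source.Spec.GrpcPodConfig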
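Review bot: Pod() loses the only explanation of the non-root UID: the removed `// See: https://github.com/operator-framework/operator-registry/blob/master/Dockerfile#L27` comment at old line 121 tied 1001 to the registry image's USER, and the new `security.ApplyPodSpecSecurity(&pod.Spec)` call at line 180 gives a reader no way to find that rationale. Restore the pointer at the call site, e.g. `// Apply the standard hardened security contexts; RunAsUser is 1001 to match the registry image's USER (see operator-registry Dockerfile).` Because the helper now runs after the pod literal but before the GrpcPodConfig override block that follows, anything that block sets would take precedence over the hardened values; that is fine if the block only touches scheduling, as its comment suggests, but a word saying so would prevent a later field from silently weakening the contexts. Pod() continues outside this hunk.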

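--- a/pkg/controller/security/security.go
+++ b/pkg/controller/security/security.go
@@ -0,0 +1,35 @@
+package security
+
+import corev1 "k8s.io/api/core/v1"
+
+var readOnlyRootFilesystem = false
+var allowPrivilegeEscalation = false
+var runAsNonRoot = true
+var runAsUser int64 = 1001
+
+var containerSecurityContext = &corev1.SecurityContext{
+ReadOnlyRootFilesystem: &readOnlyRootFilesystem,
+AllowPrivilegeEscalation: &allowPrivilegeEscalation,
+Capabilities: &corev1.Capabilities{
+Drop: []corev1.Capability{"ALL"},
+},
+}
+
+var podSecurityContext = &corev1.PodSecurityContext{
+RunAsNonRoot: &runAsNonRoot,
+RunAsUser: &runAsUser,
+SeccompProfile: &corev1.SeccompProfile{
+Type: corev1.SeccompProfileTypeRuntimeDefault,
+},
+}
+
+// ApplyPodSpecSecurity applies the standard security profile to a pod spec
+func ApplyPodSpecSecurity(spec *corev1.PodSpec) {
+spec.SecurityContext = podSecurityContext
+for idx := 0; idx < len(spec.Containers); idx++ {
+spec.Containers[idx].SecurityContext = containerSecurityContext
+}
+for idx := 0; idx < len(spec.InitContainers); idx++ {
+spec.InitContainers[idx].SecurityContext = containerSecurityContext
+}
+}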
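Review bot: ApplyPodSpecSecurity stores the same package-level pointers into every pod spec and every container it touches (lines 28–33), so the hardened contexts become shared mutable state: a caller that later adjusts one container's SecurityContext, or a test that mutates a returned spec, silently changes every job and catalog pod built afterwards, and the package-level `readOnlyRootFilesystem`/`runAsUser` vars are likewise writable by anyone in the package. Since the corev1 types carry generated DeepCopy methods, assign copies instead: `spec.SecurityContext = podSecurityContext.DeepCopy()`, `spec.Containers[idx].SecurityContext = containerSecurityContext.DeepCopy()`, `spec.InitContainers[idx].SecurityContext = containerSecurityContext.DeepCopy()`. The two choices that read as gaps also deserve a comment here: why ReadOnlyRootFilesystem is deliberately left false, and where 1001 comes from — the `// See: .../operator-registry/blob/master/Dockerfile#L27` note that reconciler.go carried was dropped by this commit and belongs on `runAsUser`. If any target cluster assigns UIDs from a per-namespace range (OpenShift's restricted SCC does), a hard-coded RunAsUser may get the pod rejected at admission, which is worth confirming before this profile is applied everywhere. The doc comment should also say that the function overwrites any pod- or container-level context already present in the spec.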
