diff --git a/manifests/0000_50_olm_06-psm-operator.deployment.ibm-cloud-managed.yaml b/manifests/0000_50_olm_06-psm-operator.deployment.ibm-cloud-managed.yaml index 05740378ba..625c91f45c 100644 --- a/manifests/0000_50_olm_06-psm-operator.deployment.ibm-cloud-managed.yaml +++ b/manifests/0000_50_olm_06-psm-operator.deployment.ibm-cloud-managed.yaml @@ -21,10 +21,19 @@ spec: labels: app: package-server-manager spec: + securityContext: + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault serviceAccountName: olm-operator-serviceaccount priorityClassName: "system-cluster-critical" containers: - name: package-server-manager + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] command: - /bin/psm - start diff --git a/manifests/0000_50_olm_06-psm-operator.deployment.yaml b/manifests/0000_50_olm_06-psm-operator.deployment.yaml index 7ae0413b0a..b72b7c2331 100644 --- a/manifests/0000_50_olm_06-psm-operator.deployment.yaml +++ b/manifests/0000_50_olm_06-psm-operator.deployment.yaml @@ -21,10 +21,19 @@ spec: labels: app: package-server-manager spec: + securityContext: + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault serviceAccountName: olm-operator-serviceaccount priorityClassName: "system-cluster-critical" containers: - name: package-server-manager + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] command: - /bin/psm - start diff --git a/manifests/0000_50_olm_07-collect-profiles.cronjob.yaml b/manifests/0000_50_olm_07-collect-profiles.cronjob.yaml index 9960e1c38d..30919b1811 100644 --- a/manifests/0000_50_olm_07-collect-profiles.cronjob.yaml +++ b/manifests/0000_50_olm_07-collect-profiles.cronjob.yaml 
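Review bot: The container securityContext added under `- name: package-server-manager` drops all capabilities and blocks privilege escalation but leaves `readOnlyRootFilesystem` unset, so the container's root filesystem stays writable; if /bin/psm needs no writable paths beyond its mounted volumes, add `readOnlyRootFilesystem: true` next to `allowPrivilegeEscalation: false` (with an emptyDir for any scratch path it does need). The pod-level `runAsUser: 65534` pins a UID rather than leaving assignment to admission; on clusters where the governing SCC assigns a UID range, a fixed UID outside that range is rejected at admission, and `runAsNonRoot: true` already enforces the non-root requirement when the image declares a non-root USER — worth confirming which SCC applies to this namespace before pinning. The same two points apply to every other hunk in this commit: the second psm-operator manifest, the collect-profiles CronJob, both olm-operator and both catalog-operator deployments, pkg/manifests/csv.yaml, the two heredocs in scripts/generate_crds_manifests.sh, and the three chart templates under staging/. Each hunk's enclosing pod spec starts and ends outside the hunk.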
@@ -13,10 +13,19 @@ spec: spec: template: spec: + securityContext: + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault serviceAccountName: collect-profiles priorityClassName: openshift-user-critical containers: - name: collect-profiles + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] image: quay.io/operator-framework/olm@sha256:de396b540b82219812061d0d753440d5655250c621c753ed1dc67d6154741607 imagePullPolicy: IfNotPresent command: diff --git a/manifests/0000_50_olm_07-olm-operator.deployment.ibm-cloud-managed.yaml b/manifests/0000_50_olm_07-olm-operator.deployment.ibm-cloud-managed.yaml index 203389beeb..de4223c121 100644 --- a/manifests/0000_50_olm_07-olm-operator.deployment.ibm-cloud-managed.yaml +++ b/manifests/0000_50_olm_07-olm-operator.deployment.ibm-cloud-managed.yaml @@ -21,6 +21,11 @@ spec: annotations: target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}' spec: + securityContext: + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault serviceAccountName: olm-operator-serviceaccount volumes: - name: srv-cert @@ -31,6 +36,10 @@ spec: secretName: pprof-cert containers: - name: olm-operator + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - name: srv-cert mountPath: "/srv-cert" diff --git a/manifests/0000_50_olm_07-olm-operator.deployment.yaml b/manifests/0000_50_olm_07-olm-operator.deployment.yaml index 232f3c3e0f..926346d917 100644 --- a/manifests/0000_50_olm_07-olm-operator.deployment.yaml +++ b/manifests/0000_50_olm_07-olm-operator.deployment.yaml @@ -21,6 +21,11 @@ spec: annotations: target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}' spec: + securityContext: + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault serviceAccountName: olm-operator-serviceaccount volumes: - name: srv-cert 
@@ -31,6 +36,10 @@ spec: secretName: pprof-cert containers: - name: olm-operator + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - name: srv-cert mountPath: "/srv-cert" diff --git a/manifests/0000_50_olm_08-catalog-operator.deployment.ibm-cloud-managed.yaml b/manifests/0000_50_olm_08-catalog-operator.deployment.ibm-cloud-managed.yaml index 830bef1f58..3cb8dc802e 100644 --- a/manifests/0000_50_olm_08-catalog-operator.deployment.ibm-cloud-managed.yaml +++ b/manifests/0000_50_olm_08-catalog-operator.deployment.ibm-cloud-managed.yaml @@ -21,6 +21,11 @@ spec: annotations: target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}' spec: + securityContext: + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault serviceAccountName: olm-operator-serviceaccount volumes: - name: srv-cert @@ -31,6 +36,10 @@ spec: secretName: pprof-cert containers: - name: catalog-operator + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - name: srv-cert mountPath: "/srv-cert" diff --git a/manifests/0000_50_olm_08-catalog-operator.deployment.yaml b/manifests/0000_50_olm_08-catalog-operator.deployment.yaml index 54cec129d9..023831bc12 100644 --- a/manifests/0000_50_olm_08-catalog-operator.deployment.yaml +++ b/manifests/0000_50_olm_08-catalog-operator.deployment.yaml @@ -21,6 +21,11 @@ spec: annotations: target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}' spec: + securityContext: + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault serviceAccountName: olm-operator-serviceaccount volumes: - name: srv-cert @@ -31,6 +36,10 @@ spec: secretName: pprof-cert containers: - name: catalog-operator + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - name: srv-cert mountPath: "/srv-cert" 
diff --git a/pkg/manifests/csv.yaml b/pkg/manifests/csv.yaml index 76ded267f5..d43b1fe652 100644 --- a/pkg/manifests/csv.yaml +++ b/pkg/manifests/csv.yaml @@ -88,6 +88,11 @@ spec: target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}' creationTimestamp: null spec: + securityContext: + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault serviceAccountName: olm-operator-serviceaccount nodeSelector: kubernetes.io/os: linux @@ -106,6 +111,10 @@ spec: tolerationSeconds: 120 containers: - name: packageserver + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] command: - /bin/package-server - -v=4 diff --git a/scripts/generate_crds_manifests.sh b/scripts/generate_crds_manifests.sh index df6cabb105..5520bf8d13 100755 --- a/scripts/generate_crds_manifests.sh +++ b/scripts/generate_crds_manifests.sh @@ -114,10 +114,19 @@ spec: labels: app: package-server-manager spec: + securityContext: + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault serviceAccountName: olm-operator-serviceaccount priorityClassName: "system-cluster-critical" containers: - name: package-server-manager + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] command: - /bin/psm - start @@ -262,10 +271,19 @@ spec: spec: template: spec: + securityContext: + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault serviceAccountName: collect-profiles priorityClassName: openshift-user-critical containers: - name: collect-profiles + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] image: quay.io/operator-framework/olm@sha256:de396b540b82219812061d0d753440d5655250c621c753ed1dc67d6154741607 imagePullPolicy: IfNotPresent command: 
diff --git a/staging/operator-lifecycle-manager/deploy/chart/templates/0000_50_olm_07-olm-operator.deployment.yaml b/staging/operator-lifecycle-manager/deploy/chart/templates/0000_50_olm_07-olm-operator.deployment.yaml index b71fbebd0d..954233c739 100644 --- a/staging/operator-lifecycle-manager/deploy/chart/templates/0000_50_olm_07-olm-operator.deployment.yaml +++ b/staging/operator-lifecycle-manager/deploy/chart/templates/0000_50_olm_07-olm-operator.deployment.yaml @@ -17,6 +17,11 @@ spec: labels: app: olm-operator spec: + securityContext: + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault serviceAccountName: olm-operator-serviceaccount {{- if or .Values.olm.tlsSecret .Values.olm.clientCASecret }} volumes: @@ -33,6 +38,10 @@ spec: {{- end }} containers: - name: olm-operator + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] {{- if or .Values.olm.tlsSecret .Values.olm.clientCASecret }} volumeMounts: {{- end }} diff --git a/staging/operator-lifecycle-manager/deploy/chart/templates/0000_50_olm_08-catalog-operator.deployment.yaml b/staging/operator-lifecycle-manager/deploy/chart/templates/0000_50_olm_08-catalog-operator.deployment.yaml index e71ffb38b1..8c6d4cc8cb 100644 --- a/staging/operator-lifecycle-manager/deploy/chart/templates/0000_50_olm_08-catalog-operator.deployment.yaml +++ b/staging/operator-lifecycle-manager/deploy/chart/templates/0000_50_olm_08-catalog-operator.deployment.yaml @@ -17,6 +17,11 @@ spec: labels: app: catalog-operator spec: + securityContext: + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault serviceAccountName: olm-operator-serviceaccount {{- if or .Values.catalog.tlsSecret .Values.catalog.clientCASecret }} volumes: 
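Review bot: In the chart template the new pod and container securityContext blocks are hard-coded, whereas neighbouring settings in the same hunk are values-driven (`{{- if or .Values.olm.tlsSecret .Values.olm.clientCASecret }}`), so a chart consumer cannot adjust `runAsUser` or the seccomp type for a cluster with a different UID or seccomp policy without forking the template. Consider rendering both blocks from a values key (constructed name, e.g. `.Values.olm.securityContext`) via `toYaml`/`nindent` at the surrounding indentation, keeping the current literals (`runAsNonRoot: true`, `runAsUser: 65534`, `seccompProfile.type: RuntimeDefault`, `allowPrivilegeEscalation: false`, `drop: ["ALL"]`) as the defaults in values.yaml so rendered output is unchanged. The same applies to the catalog-operator template on this line and to `_packageserver.deployment-spec.yaml`. The enclosing pod spec starts and ends outside the hunk.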
@@ -33,6 +38,10 @@ spec: {{- end }} containers: - name: catalog-operator + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] {{- if or .Values.catalog.tlsSecret .Values.catalog.clientCASecret }} volumeMounts: {{- end }} diff --git a/staging/operator-lifecycle-manager/deploy/chart/templates/_packageserver.deployment-spec.yaml b/staging/operator-lifecycle-manager/deploy/chart/templates/_packageserver.deployment-spec.yaml index 6121a85bb5..a244dcb1a6 100644 --- a/staging/operator-lifecycle-manager/deploy/chart/templates/_packageserver.deployment-spec.yaml +++ b/staging/operator-lifecycle-manager/deploy/chart/templates/_packageserver.deployment-spec.yaml @@ -14,6 +14,11 @@ spec: labels: app: packageserver spec: + securityContext: + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault serviceAccountName: olm-operator-serviceaccount {{- if .Values.package.nodeSelector }} nodeSelector: @@ -25,6 +30,10 @@ spec: {{- end }} containers: - name: packageserver + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] command: - /bin/package-server - -v=4