diff --git a/manifests/0000_50_olm_06-psm-operator.deployment.ibm-cloud-managed.yaml b/manifests/0000_50_olm_06-psm-operator.deployment.ibm-cloud-managed.yaml index 05740378ba..625c91f45c 100644 --- a/manifests/0000_50_olm_06-psm-operator.deployment.ibm-cloud-managed.yaml +++ b/manifests/0000_50_olm_06-psm-operator.deployment.ibm-cloud-managed.yaml @@ -21,10 +21,19 @@ spec: labels: app: package-server-manager spec: + securityContext: + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault serviceAccountName: olm-operator-serviceaccount priorityClassName: "system-cluster-critical" containers: - name: package-server-manager + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] command: - /bin/psm - start diff --git a/manifests/0000_50_olm_06-psm-operator.deployment.yaml b/manifests/0000_50_olm_06-psm-operator.deployment.yaml index 7ae0413b0a..b72b7c2331 100644 --- a/manifests/0000_50_olm_06-psm-operator.deployment.yaml +++ b/manifests/0000_50_olm_06-psm-operator.deployment.yaml @@ -21,10 +21,19 @@ spec: labels: app: package-server-manager spec: + securityContext: + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault serviceAccountName: olm-operator-serviceaccount priorityClassName: "system-cluster-critical" containers: - name: package-server-manager + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] command: - /bin/psm - start diff --git a/manifests/0000_50_olm_07-collect-profiles.cronjob.yaml b/manifests/0000_50_olm_07-collect-profiles.cronjob.yaml index 9960e1c38d..7e297c6b6e 100644 --- a/manifests/0000_50_olm_07-collect-profiles.cronjob.yaml +++ b/manifests/0000_50_olm_07-collect-profiles.cronjob.yaml 
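Review bot: The pod-level `runAsUser: 65534` pins a fixed UID that admission has to accept; under an OpenShift SCC whose UID strategy is MustRunAsRange the pod is rejected unless 65534 lies inside the namespace's `openshift.io/sa.scc.uid-range` or `olm-operator-serviceaccount` is bound to an SCC that permits it, and neither the namespace nor the SCC bindings are in this diff, so please confirm before merging. If the image already runs as a non-root user, `runAsNonRoot: true` together with the seccomp profile reaches the same hardening without fixing the UID, with the kubelet doing the non-root check at container start. The same pinned UID is added in the olm-operator, catalog-operator, pkg/manifests/csv.yaml and scripts/*.patch.yaml hunks, so one decision covers them all. A comment such as `# 65534 (nobody): must be permitted by the SCC UID range of this namespace` on the `runAsUser` line would record the dependency. `drop: ["ALL"]` is the only flow-style list in these manifests; the block form `drop:` / `- ALL` would match the surrounding `command:` lists.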
@@ -13,10 +13,18 @@ spec: spec: template: spec: + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: collect-profiles priorityClassName: openshift-user-critical containers: - name: collect-profiles + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] image: quay.io/operator-framework/olm@sha256:de396b540b82219812061d0d753440d5655250c621c753ed1dc67d6154741607 imagePullPolicy: IfNotPresent command: diff --git a/manifests/0000_50_olm_07-olm-operator.deployment.ibm-cloud-managed.yaml b/manifests/0000_50_olm_07-olm-operator.deployment.ibm-cloud-managed.yaml index 203389beeb..bfe0877910 100644 --- a/manifests/0000_50_olm_07-olm-operator.deployment.ibm-cloud-managed.yaml +++ b/manifests/0000_50_olm_07-olm-operator.deployment.ibm-cloud-managed.yaml @@ -82,6 +82,10 @@ spec: requests: cpu: 10m memory: 160Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] nodeSelector: kubernetes.io/os: linux tolerations: @@ -97,3 +101,8 @@ spec: operator: Exists tolerationSeconds: 120 priorityClassName: system-cluster-critical + securityContext: + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault diff --git a/manifests/0000_50_olm_07-olm-operator.deployment.yaml b/manifests/0000_50_olm_07-olm-operator.deployment.yaml index 232f3c3e0f..c4b5816d0c 100644 --- a/manifests/0000_50_olm_07-olm-operator.deployment.yaml +++ b/manifests/0000_50_olm_07-olm-operator.deployment.yaml @@ -82,6 +82,10 @@ spec: requests: cpu: 10m memory: 160Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] nodeSelector: kubernetes.io/os: linux node-role.kubernetes.io/master: "" @@ -98,3 +102,8 @@ spec: operator: Exists tolerationSeconds: 120 priorityClassName: system-cluster-critical + securityContext: + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault 
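Review bot: The collect-profiles pod sets `runAsNonRoot: true` without the `runAsUser: 65534` that every other pod in this commit receives, so the kubelet must verify the UID from the image itself; if the image's USER is 0 or a non-numeric name, the container fails at start with CreateContainerConfigError instead of being caught at admission. Either add `runAsUser: 65534` under the pod securityContext for consistency with the other manifests, or document the omission with `# runAsUser intentionally unset: UID comes from the image / SCC`, assuming that is the intent. The heredoc copy of this CronJob in scripts/generate_crds_manifests.sh (its second hunk) has the same omission and needs the same change. The container spec continues past the hunk after `command:`.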
diff --git a/manifests/0000_50_olm_08-catalog-operator.deployment.ibm-cloud-managed.yaml b/manifests/0000_50_olm_08-catalog-operator.deployment.ibm-cloud-managed.yaml index 830bef1f58..8149feec7e 100644 --- a/manifests/0000_50_olm_08-catalog-operator.deployment.ibm-cloud-managed.yaml +++ b/manifests/0000_50_olm_08-catalog-operator.deployment.ibm-cloud-managed.yaml @@ -78,6 +78,10 @@ spec: env: - name: RELEASE_VERSION value: "0.0.1-snapshot" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] nodeSelector: kubernetes.io/os: linux tolerations: @@ -93,3 +97,8 @@ spec: operator: Exists tolerationSeconds: 120 priorityClassName: system-cluster-critical + securityContext: + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault diff --git a/manifests/0000_50_olm_08-catalog-operator.deployment.yaml b/manifests/0000_50_olm_08-catalog-operator.deployment.yaml index 54cec129d9..c44901b064 100644 --- a/manifests/0000_50_olm_08-catalog-operator.deployment.yaml +++ b/manifests/0000_50_olm_08-catalog-operator.deployment.yaml @@ -78,6 +78,10 @@ spec: env: - name: RELEASE_VERSION value: "0.0.1-snapshot" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] nodeSelector: kubernetes.io/os: linux node-role.kubernetes.io/master: "" @@ -94,3 +98,8 @@ spec: operator: Exists tolerationSeconds: 120 priorityClassName: system-cluster-critical + securityContext: + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault diff --git a/pkg/manifests/csv.yaml b/pkg/manifests/csv.yaml index 76ded267f5..6b0c595719 100644 --- a/pkg/manifests/csv.yaml +++ b/pkg/manifests/csv.yaml @@ -136,6 +136,10 @@ spec: volumeMounts: - name: tmpfs mountPath: /tmp + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumes: - name: tmpfs emptyDir: {} 
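Review bot: The packageserver container in pkg/manifests/csv.yaml already mounts a writable emptyDir at /tmp (the `tmpfs` volume in the context lines), which is the usual prerequisite for `readOnlyRootFilesystem: true`; adding that line to the new container securityContext would block writes to the image layer, provided the binary writes nowhere else, which the diff cannot show. This is the securityContext that scripts/packageserver-deployment.patch.yaml generates, so the same line would belong in that patch's `value` mapping to keep the generated CSV in step.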
@@ -150,6 +154,11 @@ spec: values: - packageserver topologyKey: "kubernetes.io/hostname" + securityContext: + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault maturity: alpha version: 0.19.0 apiservicedefinitions: diff --git a/scripts/catalog-deployment.patch.yaml b/scripts/catalog-deployment.patch.yaml index dbf206cfe4..de1abc8eaa 100644 --- a/scripts/catalog-deployment.patch.yaml +++ b/scripts/catalog-deployment.patch.yaml @@ -9,3 +9,16 @@ value: name: RELEASE_VERSION value: "0.0.1-snapshot" +- command: update + path: spec.template.spec.containers[*].securityContext + value: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] +- command: update + path: spec.template.spec.securityContext + value: + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault diff --git a/scripts/generate_crds_manifests.sh b/scripts/generate_crds_manifests.sh index df6cabb105..dc8565ddfc 100755 --- a/scripts/generate_crds_manifests.sh +++ b/scripts/generate_crds_manifests.sh @@ -114,10 +114,19 @@ spec: labels: app: package-server-manager spec: + securityContext: + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault serviceAccountName: olm-operator-serviceaccount priorityClassName: "system-cluster-critical" containers: - name: package-server-manager + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] command: - /bin/psm - start @@ -262,10 +271,18 @@ spec: spec: template: spec: + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: collect-profiles priorityClassName: openshift-user-critical containers: - name: collect-profiles + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] image: quay.io/operator-framework/olm@sha256:de396b540b82219812061d0d753440d5655250c621c753ed1dc67d6154741607 imagePullPolicy: IfNotPresent command: 
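Review bot: scripts/catalog-deployment.patch.yaml is byte-identical to scripts/olm-deployment.patch.yaml before and after this change (both show index dbf206cfe4..de1abc8eaa), so the two securityContext blocks are now maintained in two places and can drift; a single shared patch fragment applied to both deployments, or a comment in each file pointing at its twin, would prevent that. The `update` commands target `spec.template.spec.securityContext` and `spec.template.spec.containers[*].securityContext` as whole mappings; if the generator's `update` replaces rather than merges, any securityContext field the base manifest later gains at those paths would be dropped silently, so a comment on the `command: update` lines stating which semantics the script relies on would help the next editor.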
diff --git a/scripts/olm-deployment.patch.yaml b/scripts/olm-deployment.patch.yaml index dbf206cfe4..de1abc8eaa 100644 --- a/scripts/olm-deployment.patch.yaml +++ b/scripts/olm-deployment.patch.yaml @@ -9,3 +9,16 @@ value: name: RELEASE_VERSION value: "0.0.1-snapshot" +- command: update + path: spec.template.spec.containers[*].securityContext + value: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] +- command: update + path: spec.template.spec.securityContext + value: + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault diff --git a/scripts/packageserver-deployment.patch.yaml b/scripts/packageserver-deployment.patch.yaml index 18b03a4280..2cbcafb037 100644 --- a/scripts/packageserver-deployment.patch.yaml +++ b/scripts/packageserver-deployment.patch.yaml @@ -33,3 +33,16 @@ values: - packageserver topologyKey: "kubernetes.io/hostname" +- command: update + path: spec.install.spec.deployments[0].spec.template.spec.containers[*].securityContext + value: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] +- command: update + path: spec.install.spec.deployments[0].spec.template.spec.securityContext + value: + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault