From 26b20611d6e365a138255b8e0f67256f1428a064 Mon Sep 17 00:00:00 2001 From: Sergiusz Urbaniak Date: Fri, 29 Apr 2022 17:02:46 +0200 Subject: [PATCH 1/3] manifests/*: comply to restricted pod security level --- ...-operator.deployment.ibm-cloud-managed.yaml | 9 +++++++++ ...0000_50_olm_06-psm-operator.deployment.yaml | 9 +++++++++ ...000_50_olm_07-collect-profiles.cronjob.yaml | 9 +++++++++ ...-operator.deployment.ibm-cloud-managed.yaml | 9 +++++++++ ...0000_50_olm_07-olm-operator.deployment.yaml | 9 +++++++++ ...-operator.deployment.ibm-cloud-managed.yaml | 9 +++++++++ ..._50_olm_08-catalog-operator.deployment.yaml | 9 +++++++++ pkg/manifests/csv.yaml | 9 +++++++++ scripts/generate_crds_manifests.sh | 18 ++++++++++++++++++ 9 files changed, 90 insertions(+) diff --git a/manifests/0000_50_olm_06-psm-operator.deployment.ibm-cloud-managed.yaml b/manifests/0000_50_olm_06-psm-operator.deployment.ibm-cloud-managed.yaml index 05740378ba..625c91f45c 100644 --- a/manifests/0000_50_olm_06-psm-operator.deployment.ibm-cloud-managed.yaml +++ b/manifests/0000_50_olm_06-psm-operator.deployment.ibm-cloud-managed.yaml @@ -21,10 +21,19 @@ spec: labels: app: package-server-manager spec: + securityContext: + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault serviceAccountName: olm-operator-serviceaccount priorityClassName: "system-cluster-critical" containers: - name: package-server-manager + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] command: - /bin/psm - start diff --git a/manifests/0000_50_olm_06-psm-operator.deployment.yaml b/manifests/0000_50_olm_06-psm-operator.deployment.yaml index 7ae0413b0a..b72b7c2331 100644 --- a/manifests/0000_50_olm_06-psm-operator.deployment.yaml +++ b/manifests/0000_50_olm_06-psm-operator.deployment.yaml 
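Review bot: The pod-level `runAsUser: 65534` added in this hunk is not something the restricted Pod Security Standard asks for — `runAsNonRoot: true` is the enforced non-root check — and pinning a fixed UID can make the pod unadmittable wherever the platform assigns UIDs from a per-namespace range (OpenShift's restricted SCC behaves this way), which is presumably why the third patch in this series removes it again for the collect-profiles CronJob. The same block is added in 0000_50_olm_06-psm-operator.deployment.yaml, 0000_50_olm_07-collect-profiles.cronjob.yaml, both olm-operator and catalog-operator deployments and their ibm-cloud-managed variants, pkg/manifests/csv.yaml, and the heredocs in scripts/generate_crds_manifests.sh, so the decision should be made once for all of them. Either drop `runAsUser` everywhere and rely on `runAsNonRoot: true`, or keep it with a comment recording the reason, e.g. `# TODO(review): runAsNonRoot alone satisfies the restricted profile; confirm this UID is required by the image`. The enclosing Deployment spec starts and ends outside the hunk.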
@@ -21,10 +21,19 @@ spec: labels: app: package-server-manager spec: + securityContext: + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault serviceAccountName: olm-operator-serviceaccount priorityClassName: "system-cluster-critical" containers: - name: package-server-manager + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] command: - /bin/psm - start diff --git a/manifests/0000_50_olm_07-collect-profiles.cronjob.yaml b/manifests/0000_50_olm_07-collect-profiles.cronjob.yaml index 9960e1c38d..30919b1811 100644 --- a/manifests/0000_50_olm_07-collect-profiles.cronjob.yaml +++ b/manifests/0000_50_olm_07-collect-profiles.cronjob.yaml @@ -13,10 +13,19 @@ spec: spec: template: spec: + securityContext: + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault serviceAccountName: collect-profiles priorityClassName: openshift-user-critical containers: - name: collect-profiles + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] image: quay.io/operator-framework/olm@sha256:de396b540b82219812061d0d753440d5655250c621c753ed1dc67d6154741607 imagePullPolicy: IfNotPresent command: diff --git a/manifests/0000_50_olm_07-olm-operator.deployment.ibm-cloud-managed.yaml b/manifests/0000_50_olm_07-olm-operator.deployment.ibm-cloud-managed.yaml index 203389beeb..bfe0877910 100644 --- a/manifests/0000_50_olm_07-olm-operator.deployment.ibm-cloud-managed.yaml +++ b/manifests/0000_50_olm_07-olm-operator.deployment.ibm-cloud-managed.yaml @@ -82,6 +82,10 @@ spec: requests: cpu: 10m memory: 160Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] nodeSelector: kubernetes.io/os: linux tolerations: @@ -97,3 +101,8 @@ spec: operator: Exists tolerationSeconds: 120 priorityClassName: system-cluster-critical + securityContext: + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault 
diff --git a/manifests/0000_50_olm_07-olm-operator.deployment.yaml b/manifests/0000_50_olm_07-olm-operator.deployment.yaml index 232f3c3e0f..c4b5816d0c 100644 --- a/manifests/0000_50_olm_07-olm-operator.deployment.yaml +++ b/manifests/0000_50_olm_07-olm-operator.deployment.yaml @@ -82,6 +82,10 @@ spec: requests: cpu: 10m memory: 160Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] nodeSelector: kubernetes.io/os: linux node-role.kubernetes.io/master: "" @@ -98,3 +102,8 @@ spec: operator: Exists tolerationSeconds: 120 priorityClassName: system-cluster-critical + securityContext: + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault diff --git a/manifests/0000_50_olm_08-catalog-operator.deployment.ibm-cloud-managed.yaml b/manifests/0000_50_olm_08-catalog-operator.deployment.ibm-cloud-managed.yaml index 830bef1f58..8149feec7e 100644 --- a/manifests/0000_50_olm_08-catalog-operator.deployment.ibm-cloud-managed.yaml +++ b/manifests/0000_50_olm_08-catalog-operator.deployment.ibm-cloud-managed.yaml @@ -78,6 +78,10 @@ spec: env: - name: RELEASE_VERSION value: "0.0.1-snapshot" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] nodeSelector: kubernetes.io/os: linux tolerations: @@ -93,3 +97,8 @@ spec: operator: Exists tolerationSeconds: 120 priorityClassName: system-cluster-critical + securityContext: + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault diff --git a/manifests/0000_50_olm_08-catalog-operator.deployment.yaml b/manifests/0000_50_olm_08-catalog-operator.deployment.yaml index 54cec129d9..c44901b064 100644 --- a/manifests/0000_50_olm_08-catalog-operator.deployment.yaml +++ b/manifests/0000_50_olm_08-catalog-operator.deployment.yaml 
@@ -78,6 +78,10 @@ spec: env: - name: RELEASE_VERSION value: "0.0.1-snapshot" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] nodeSelector: kubernetes.io/os: linux node-role.kubernetes.io/master: "" @@ -94,3 +98,8 @@ spec: operator: Exists tolerationSeconds: 120 priorityClassName: system-cluster-critical + securityContext: + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault diff --git a/pkg/manifests/csv.yaml b/pkg/manifests/csv.yaml index 76ded267f5..6b0c595719 100644 --- a/pkg/manifests/csv.yaml +++ b/pkg/manifests/csv.yaml @@ -136,6 +136,10 @@ spec: volumeMounts: - name: tmpfs mountPath: /tmp + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumes: - name: tmpfs emptyDir: {} @@ -150,6 +154,11 @@ spec: values: - packageserver topologyKey: "kubernetes.io/hostname" + securityContext: + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault maturity: alpha version: 0.19.0 apiservicedefinitions: diff --git a/scripts/generate_crds_manifests.sh b/scripts/generate_crds_manifests.sh index df6cabb105..5520bf8d13 100755 --- a/scripts/generate_crds_manifests.sh +++ b/scripts/generate_crds_manifests.sh @@ -114,10 +114,19 @@ spec: labels: app: package-server-manager spec: + securityContext: + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault serviceAccountName: olm-operator-serviceaccount priorityClassName: "system-cluster-critical" containers: - name: package-server-manager + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] command: - /bin/psm - start 
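Review bot: In the pkg/manifests/csv.yaml hunk the new container securityContext stops at `allowPrivilegeEscalation`/`capabilities`, while the surrounding context shows the container already mounts an `emptyDir` at `/tmp`, which is the usual precondition for also setting `readOnlyRootFilesystem: true`. That field is not required by the restricted profile, but it is the one hardening knob the existing tmpfs mount seems to have been prepared for; it is worth adding if the packageserver binary writes nowhere else, which I cannot confirm from this hunk. The indentation of the inserted block relative to `volumeMounts` is not recoverable from this rendering, so please double-check it landed at container level rather than pod level.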
@@ -262,10 +271,19 @@ spec: spec: template: spec: + securityContext: + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault serviceAccountName: collect-profiles priorityClassName: openshift-user-critical containers: - name: collect-profiles + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] image: quay.io/operator-framework/olm@sha256:de396b540b82219812061d0d753440d5655250c621c753ed1dc67d6154741607 imagePullPolicy: IfNotPresent command: From b5b49fe3919174c3985c0c6775b76afc290d3bbc Mon Sep 17 00:00:00 2001 From: timflannagan Date: Mon, 2 May 2022 12:26:55 -0400 Subject: [PATCH 2/3] scripts: Add downstream-only patches for custom Pod securityContext configurations Signed-off-by: timflannagan --- scripts/catalog-deployment.patch.yaml | 13 +++++++++++++ scripts/olm-deployment.patch.yaml | 13 +++++++++++++ scripts/packageserver-deployment.patch.yaml | 13 +++++++++++++ 3 files changed, 39 insertions(+) diff --git a/scripts/catalog-deployment.patch.yaml b/scripts/catalog-deployment.patch.yaml index dbf206cfe4..de1abc8eaa 100644 --- a/scripts/catalog-deployment.patch.yaml +++ b/scripts/catalog-deployment.patch.yaml @@ -9,3 +9,16 @@ value: name: RELEASE_VERSION value: "0.0.1-snapshot" +- command: update + path: spec.template.spec.containers[*].securityContext + value: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] +- command: update + path: spec.template.spec.securityContext + value: + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault diff --git a/scripts/olm-deployment.patch.yaml b/scripts/olm-deployment.patch.yaml index dbf206cfe4..de1abc8eaa 100644 --- a/scripts/olm-deployment.patch.yaml +++ b/scripts/olm-deployment.patch.yaml 
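Review bot: The new patch entries in scripts/catalog-deployment.patch.yaml target only `spec.template.spec.containers[*].securityContext`, so any `initContainers` in the downstream deployment would keep their default securityContext and still fail the restricted profile, which applies to every container in the pod; the same gap is in scripts/olm-deployment.patch.yaml and scripts/packageserver-deployment.patch.yaml. Whether `command: update` merges into or replaces a securityContext that a container already carries is also not visible here; if it replaces, any existing per-container settings in the upstream manifest would be silently lost. A short comment above the entries stating the intended semantics, e.g. `# update merges keys; initContainers are covered by a separate entry (or: none exist upstream)`, would make the intent checkable at the next sync.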
@@ -9,3 +9,16 @@ value: name: RELEASE_VERSION value: "0.0.1-snapshot" +- command: update + path: spec.template.spec.containers[*].securityContext + value: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] +- command: update + path: spec.template.spec.securityContext + value: + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault diff --git a/scripts/packageserver-deployment.patch.yaml b/scripts/packageserver-deployment.patch.yaml index 18b03a4280..2cbcafb037 100644 --- a/scripts/packageserver-deployment.patch.yaml +++ b/scripts/packageserver-deployment.patch.yaml @@ -33,3 +33,16 @@ values: - packageserver topologyKey: "kubernetes.io/hostname" +- command: update + path: spec.install.spec.deployments[0].spec.template.spec.containers[*].securityContext + value: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] +- command: update + path: spec.install.spec.deployments[0].spec.template.spec.securityContext + value: + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault From 801683a821be624dba1b9be8558a1448dceba859 Mon Sep 17 00:00:00 2001 From: timflannagan Date: Mon, 9 May 2022 10:05:37 -0400 Subject: [PATCH 3/3] scripts,manifests: Remove the RunAsUser security context for the collect-profiles CronJob Signed-off-by: timflannagan --- manifests/0000_50_olm_07-collect-profiles.cronjob.yaml | 1 - scripts/generate_crds_manifests.sh | 1 - 2 files changed, 2 deletions(-) diff --git a/manifests/0000_50_olm_07-collect-profiles.cronjob.yaml b/manifests/0000_50_olm_07-collect-profiles.cronjob.yaml index 30919b1811..7e297c6b6e 100644 --- a/manifests/0000_50_olm_07-collect-profiles.cronjob.yaml +++ b/manifests/0000_50_olm_07-collect-profiles.cronjob.yaml @@ -15,7 +15,6 @@ spec: spec: securityContext: runAsNonRoot: true - runAsUser: 65534 seccompProfile: type: RuntimeDefault serviceAccountName: collect-profiles 
diff --git a/scripts/generate_crds_manifests.sh b/scripts/generate_crds_manifests.sh index 5520bf8d13..dc8565ddfc 100755 --- a/scripts/generate_crds_manifests.sh +++ b/scripts/generate_crds_manifests.sh @@ -273,7 +273,6 @@ spec: spec: securityContext: runAsNonRoot: true - runAsUser: 65534 seccompProfile: type: RuntimeDefault serviceAccountName: collect-profiles