2 changes: 2 additions & 0 deletions internal/kube/controller/config.go
Expand Up @@ -20,6 +20,7 @@ type Config struct {
WatchNamespace string
Name string
RequireExplicitControl bool
DisableSecurityContext bool
}

func (c *Config) WatchingAllNamespaces() bool {
Expand Down Expand Up @@ -55,5 +56,6 @@ func BoundConfig(flags *flag.FlagSet) (*Config, error) {
iflag.StringVar(flags, &c.WatchNamespace, "watch-namespace", "WATCH_NAMESPACE", metav1.NamespaceAll, "The Kubernetes namespace the controller should monitor for controlled resources (will monitor all if not specified)")
iflag.StringVar(flags, &c.Name, "name", "CONTROLLER_NAME", "", "A name identifying the controller. If not specified it will be deduced from the hostname.")
iflag.BoolVar(flags, &c.RequireExplicitControl, "require-explicit-control", "REQUIRE_EXPLICIT_CONTROL", false, "If set, this controller instance will only process resources in which there is a ConfigMap named skupper with an entry 'controller' whose value matches the controller's namespace qualified name. Controllers watching a single namespace require that ConfigMap regardless of this setting.")
iflag.BoolVar(flags, &c.DisableSecurityContext, "disable-security-context", "DISABLE_SECURITY_CONTEXT", false, "If set, the default security context definitions won't be set to the skupper-router deployment's pod and containers.")
return c, nil
}
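Review bot: The help text for `disable-security-context` (the BoolVar on the last line of the second hunk) does not say what is being dropped, so an operator reading `--help` cannot judge the trade-off. Since the flag removes `runAsNonRoot`, `allowPrivilegeEscalation: false` and `capabilities.drop: [ALL]` from every skupper-router container, spell that out, e.g. `"If set, the default securityContext (runAsNonRoot, allowPrivilegeEscalation=false, all capabilities dropped) is omitted from the skupper-router deployment's pod and containers."`. `won't be set to` also reads better as `won't be set on`. BoundConfig's body starts outside the hunk.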
4 changes: 3 additions & 1 deletion internal/kube/controller/controller.go
Expand Up @@ -50,6 +50,7 @@ type Controller struct {
labelling *labels.LabelsAndAnnotations
labellingWatcher *watchers.ConfigMapWatcher
attachableConnectors map[string]*skupperv2alpha1.AttachedConnector
disableSecContext bool
log *slog.Logger
namespaces *NamespaceConfig
}
Expand Down Expand Up @@ -93,6 +94,7 @@ func NewController(cli internalclient.Clients, config *Config) (*Controller, err
labelling: labels.NewLabelsAndAnnotations(config.Namespace),
attachableConnectors: map[string]*skupperv2alpha1.AttachedConnector{},
log: slog.New(slog.Default().Handler()).With(slog.String("component", "kube.controller")),
disableSecContext: config.DisableSecurityContext,
}

hostname := os.Getenv("HOSTNAME")
Expand Down Expand Up @@ -320,7 +322,7 @@ func (c *Controller) getSite(namespace string) *site.Site {
if existing, ok := c.sites[namespace]; ok {
return existing
}
site := site.NewSite(namespace, c.eventProcessor, c.certMgr, c.accessMgr, c.siteSizing, c)
site := site.NewSite(namespace, c.eventProcessor, c.certMgr, c.accessMgr, c.siteSizing, c, c.disableSecContext)
c.sites[namespace] = site
return site
}
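Review bot: Nothing records that `disableSecContext` is active; when `config.DisableSecurityContext` is true in NewController (second hunk), the router pods are created without the hardened securityContext and the only trace is the flag on the controller's command line. Consider a one-line startup log through the struct's `log` field once the literal is assigned, e.g. `if config.DisableSecurityContext { c.log.Warn("security context disabled for skupper-router deployments") }` (with `c` standing for the variable the literal is assigned to, which is outside the hunk), so the setting is visible in controller logs and audits. The same setting is also spelled three ways across the change — `DisableSecurityContext` in Config, `disableSecContext` on Controller, `disableSecCtx` in site.go and apply.go — and one spelling would make the plumbing easier to follow. NewController and getSite both start and end outside their hunks.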
14 changes: 8 additions & 6 deletions internal/kube/site/resources/apply.go
Expand Up @@ -29,12 +29,12 @@ type Labelling interface {
SetAnnotations(namespace string, name string, kind string, annotations map[string]string) bool
}

func resourceTemplates(site *skupperv2alpha1.Site, group string, size sizing.Sizing, labelling Labelling) []resource.Template {
func resourceTemplates(site *skupperv2alpha1.Site, group string, size sizing.Sizing, labelling Labelling, disableSecCtx bool) []resource.Template {
templates := []resource.Template{
{
Name: "deployment",
Template: routerDeploymentTemplate,
Parameters: getCoreParams(site, group, size).setLabelsAndAnnotations(labelling, site.Namespace, "skupper-router", "Deployment"),
Parameters: getCoreParams(site, group, size, disableSecCtx).setLabelsAndAnnotations(labelling, site.Namespace, "skupper-router", "Deployment"),
Resource: schema.GroupVersionResource{
Group: "apps",
Version: "v1",
Expand All @@ -44,7 +44,7 @@ func resourceTemplates(site *skupperv2alpha1.Site, group string, size sizing.Siz
{
Name: "localService",
Template: routerLocalServiceTemplate,
Parameters: getCoreParams(site, group, size).setLabelsAndAnnotations(labelling, site.Namespace, "skupper-router-local", "Service"),
Parameters: getCoreParams(site, group, size, disableSecCtx).setLabelsAndAnnotations(labelling, site.Namespace, "skupper-router-local", "Service"),
Resource: schema.GroupVersionResource{
Group: "",
Version: "v1",
Expand All @@ -68,6 +68,7 @@ type CoreParams struct {
Labels map[string]string
Annotations map[string]string
EnableAntiAffinity bool
DisableSecCtx bool
}

func (p *CoreParams) setLabelsAndAnnotations(labelling Labelling, namespace string, name string, kind string) *CoreParams {
Expand Down Expand Up @@ -149,7 +150,7 @@ func configDigest(config *skupperv2alpha1.SiteSpec) string {
return ""
}

func getCoreParams(site *skupperv2alpha1.Site, group string, size sizing.Sizing) *CoreParams {
func getCoreParams(site *skupperv2alpha1.Site, group string, size sizing.Sizing, disableSecCtx bool) *CoreParams {
return &CoreParams{
SiteId: site.GetSiteId(),
SiteName: site.Name,
Expand All @@ -162,11 +163,12 @@ func getCoreParams(site *skupperv2alpha1.Site, group string, size sizing.Sizing)
Sizing: size,
Labels: map[string]string{},
EnableAntiAffinity: enableAntiAffinity(site),
DisableSecCtx: disableSecCtx,
}
}

func Apply(clients internalclient.Clients, ctx context.Context, site *skupperv2alpha1.Site, group string, size sizing.Sizing, labelling Labelling) error {
for _, t := range resourceTemplates(site, group, size, labelling) {
func Apply(clients internalclient.Clients, ctx context.Context, site *skupperv2alpha1.Site, group string, size sizing.Sizing, labelling Labelling, disableSecCtx bool) error {
for _, t := range resourceTemplates(site, group, size, labelling, disableSecCtx) {
_, err := t.Apply(clients.GetDynamicClient(), ctx, site.Namespace)
if err != nil {
return err
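Review bot: The new `DisableSecCtx` field on CoreParams (third hunk) has no comment, and since CoreParams is the data model handed to the templates it is the one place a reader will look to learn what the flag does to the rendered manifest. Add `// DisableSecCtx omits the default securityContext blocks (runAsNonRoot, no privilege escalation, all capabilities dropped) from the skupper-router deployment template.` above the field. The argument is also passed to `getCoreParams` for the localService template (second hunk), where the Service template presumably never consults it; harmless, but a word saying so would stop the next reader from looking for a missing `{{ if }}`. resourceTemplates, getCoreParams and Apply each begin or end outside their hunks.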
28 changes: 28 additions & 0 deletions internal/kube/site/resources/skupper-router-deployment.yaml
Expand Up @@ -79,6 +79,14 @@ spec:
successThreshold: 1
timeoutSeconds: 1
name: router
{{- if not .DisableSecCtx }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
runAsNonRoot: true
{{- end }}
ports:
- containerPort: 5671
name: amqps
Expand Down Expand Up @@ -125,6 +133,14 @@ spec:
image: {{ .AdaptorImage.Name }}
imagePullPolicy: {{ .AdaptorImage.PullPolicy }}
name: kube-adaptor
{{- if not .DisableSecCtx }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
runAsNonRoot: true
{{- end }}
readinessProbe:
failureThreshold: 3
httpGet:
Expand Down Expand Up @@ -152,6 +168,14 @@ spec:
image: {{ .AdaptorImage.Name }}
imagePullPolicy: {{ .AdaptorImage.PullPolicy }}
name: config-init
{{- if not .DisableSecCtx }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
runAsNonRoot: true
{{- end }}
command: ["/app/kube-adaptor", "-init"]
volumeMounts:
- mountPath: /etc/skupper-router-certs
Expand All @@ -163,6 +187,10 @@ spec:
volumes:
- emptyDir: {}
name: skupper-router-certs
{{- if not .DisableSecCtx }}
securityContext:
runAsNonRoot: true
{{- end }}
{{- if .EnableAntiAffinity}}
affinity:
podAntiAffinity:
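Review bot: The container securityContext blocks added for `router`, `kube-adaptor` and `config-init` set `allowPrivilegeEscalation: false`, drop all capabilities and `runAsNonRoot: true`, but none of them (nor the pod-level block in the last hunk) sets a seccomp profile, which the restricted Pod Security Standard also requires. If the intent is for the deployment to be admissible under `restricted`, add `seccompProfile:` / `type: RuntimeDefault` next to `runAsNonRoot: true` in the pod-level block (containers inherit it), otherwise that profile will still reject the pods. `runAsNonRoot: true` also means the kubelet refuses to start any of these images if they run as UID 0 or declare no numeric user, which is presumably why the `DisableSecCtx` escape hatch exists — a short template comment at the first `{{- if not .DisableSecCtx }}` stating that would save the next reader the deduction.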
8 changes: 5 additions & 3 deletions internal/kube/site/site.go
Expand Up @@ -60,9 +60,10 @@ type Site struct {
currentGroups []string
labelling Labelling
profiles *secrets.ProfilesWatcher
disableSecCtx bool
}

func NewSite(namespace string, eventProcessor *watchers.EventProcessor, certs certificates.CertificateManager, access SecuredAccessFactory, sizes *sizing.Registry, labelling Labelling) *Site {
func NewSite(namespace string, eventProcessor *watchers.EventProcessor, certs certificates.CertificateManager, access SecuredAccessFactory, sizes *sizing.Registry, labelling Labelling, disableSecCtx bool) *Site {
logger := slog.New(slog.Default().Handler())
site := &Site{
bindings: NewExtendedBindings(eventProcessor, SSL_PROFILE_PATH),
Expand All @@ -78,7 +79,8 @@ func NewSite(namespace string, eventProcessor *watchers.EventProcessor, certs ce
logger: logger.With(
slog.String("component", "kube.site.site"),
),
labelling: labelling,
labelling: labelling,
disableSecCtx: disableSecCtx,
}
site.profiles = secrets.NewProfilesWatcher(
sslSecretsWatcher(namespace, eventProcessor),
Expand Down Expand Up @@ -232,7 +234,7 @@ func (s *Site) reconcile(siteDef *skupperv2alpha1.Site, inRecovery bool) error {
)
}
for _, group := range s.groups() {
if err := resources.Apply(s.clients, ctxt, s.site, group, size, s.labelling); err != nil {
if err := resources.Apply(s.clients, ctxt, s.site, group, size, s.labelling, s.disableSecCtx); err != nil {
return err
}
}