add security context to placeholder pod
OliverMKing committed Apr 16, 2024
1 parent 664ad8d commit 87b6603
Showing 2 changed files with 65 additions and 7 deletions.
21 changes: 18 additions & 3 deletions pkg/controller/keyvault/placeholder_pod.go
Expand Up @@ -6,6 +6,9 @@ package keyvault
import (
"context"
"fmt"
"path"
"strconv"

"github.com/Azure/aks-app-routing-operator/api/v1alpha1"
"github.com/go-logr/logr"
appsv1 "k8s.io/api/apps/v1"
Expand All @@ -15,11 +18,9 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/types"
"k8s.io/client-go/tools/record"
"path"
ctrl "sigs.k8s.io/controller-runtime"
"sigs.k8s.io/controller-runtime/pkg/client"
secv1 "sigs.k8s.io/secrets-store-csi-driver/apis/v1"
"strconv"

"github.com/Azure/aks-app-routing-operator/pkg/config"
"github.com/Azure/aks-app-routing-operator/pkg/controller/controllername"
Expand Down Expand Up @@ -247,7 +248,7 @@ func (p *PlaceholderPodController) buildDeployment(ctx context.Context, dep *app
AutomountServiceAccountToken: util.ToPtr(false),
Containers: []corev1.Container{{
Name: "placeholder",
Image: path.Join(p.config.Registry, "/oss/kubernetes/pause:3.6-hotfix.20220114"),
Image: path.Join(p.config.Registry, "/oss/kubernetes/pause:3.9-hotfix-20230808"),
VolumeMounts: []corev1.VolumeMount{{
Name: "secrets",
MountPath: "/mnt/secrets",
Expand All @@ -259,6 +260,20 @@ func (p *PlaceholderPodController) buildDeployment(ctx context.Context, dep *app
corev1.ResourceMemory: resource.MustParse("24Mi"),
},
},
SecurityContext: &corev1.SecurityContext{
Privileged: util.ToPtr(false),
AllowPrivilegeEscalation: util.ToPtr(false),
Capabilities: &corev1.Capabilities{
Drop: []corev1.Capability{"ALL"},
},
RunAsNonRoot: util.ToPtr(true),
RunAsUser: util.Int64Ptr(65535),
RunAsGroup: util.Int64Ptr(65535),
ReadOnlyRootFilesystem: util.ToPtr(true),
SeccompProfile: &corev1.SeccompProfile{
Type: corev1.SeccompProfileTypeRuntimeDefault,
},
},
}},
Volumes: []corev1.Volume{{
Name: "secrets",
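Review bot: The SecurityContext literal added in the @@ -259,6 +260,20 @@ hunk is the only hardening the deployment gets (no pod-level PodSecurityContext is set), which is fine while the pod has exactly the one container shown, but the fourteen lines are then copied verbatim into three test expectations in placeholder_pod_test.go, so the intent should live in one place. Hoist it to a package-level value such as `var placeholderSecurityContext = &corev1.SecurityContext{ /* fields as in the hunk */ }` with a comment along the lines of `// placeholderSecurityContext pins the pause container to the restricted Pod Security Standard: no privileges or capabilities, fixed non-root uid/gid, read-only root filesystem, runtime-default seccomp.` and reference it from buildDeployment and the tests. `RunAsUser`/`RunAsGroup` use `util.Int64Ptr` while every sibling field uses `util.ToPtr`; `RunAsUser: util.ToPtr(int64(65535)),` keeps a single helper. The pause image bump in the @@ -247,7 +248,7 @@ hunk is unrelated to the security context and is not mentioned in the commit title. buildDeployment starts and ends outside the hunks.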
51 changes: 47 additions & 4 deletions pkg/controller/keyvault/placeholder_pod_test.go
Expand Up @@ -6,10 +6,11 @@ package keyvault
import (
"context"
"fmt"
"testing"

"github.com/Azure/aks-app-routing-operator/api/v1alpha1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/client-go/tools/record"
"testing"

"k8s.io/apimachinery/pkg/api/errors"

Expand Down Expand Up @@ -152,7 +153,7 @@ func TestPlaceholderPodControllerIntegrationWithIng(t *testing.T) {
AutomountServiceAccountToken: util.ToPtr(false),
Containers: []corev1.Container{{
Name: "placeholder",
Image: "test-registry/oss/kubernetes/pause:3.6-hotfix.20220114",
Image: "test-registry/oss/kubernetes/pause:3.9-hotfix-20230808",
VolumeMounts: []corev1.VolumeMount{{
Name: "secrets",
MountPath: "/mnt/secrets",
Expand All @@ -164,6 +165,20 @@ func TestPlaceholderPodControllerIntegrationWithIng(t *testing.T) {
corev1.ResourceMemory: resource.MustParse("24Mi"),
},
},
SecurityContext: &corev1.SecurityContext{
Privileged: util.ToPtr(false),
AllowPrivilegeEscalation: util.ToPtr(false),
Capabilities: &corev1.Capabilities{
Drop: []corev1.Capability{"ALL"},
},
RunAsNonRoot: util.ToPtr(true),
RunAsUser: util.Int64Ptr(65535),
RunAsGroup: util.Int64Ptr(65535),
ReadOnlyRootFilesystem: util.ToPtr(true),
SeccompProfile: &corev1.SeccompProfile{
Type: corev1.SeccompProfileTypeRuntimeDefault,
},
},
}},
Volumes: []corev1.Volume{{
Name: "secrets",
Expand Down Expand Up @@ -302,7 +317,7 @@ func TestPlaceholderPodControllerIntegrationWithNic(t *testing.T) {
AutomountServiceAccountToken: util.ToPtr(false),
Containers: []corev1.Container{{
Name: "placeholder",
Image: "test-registry/oss/kubernetes/pause:3.6-hotfix.20220114",
Image: "test-registry/oss/kubernetes/pause:3.9-hotfix-20230808",
VolumeMounts: []corev1.VolumeMount{{
Name: "secrets",
MountPath: "/mnt/secrets",
Expand All @@ -314,6 +329,20 @@ func TestPlaceholderPodControllerIntegrationWithNic(t *testing.T) {
corev1.ResourceMemory: resource.MustParse("24Mi"),
},
},
SecurityContext: &corev1.SecurityContext{
Privileged: util.ToPtr(false),
AllowPrivilegeEscalation: util.ToPtr(false),
Capabilities: &corev1.Capabilities{
Drop: []corev1.Capability{"ALL"},
},
RunAsNonRoot: util.ToPtr(true),
RunAsUser: util.Int64Ptr(65535),
RunAsGroup: util.Int64Ptr(65535),
ReadOnlyRootFilesystem: util.ToPtr(true),
SeccompProfile: &corev1.SeccompProfile{
Type: corev1.SeccompProfileTypeRuntimeDefault,
},
},
}},
Volumes: []corev1.Volume{{
Name: "secrets",
Expand Down Expand Up @@ -459,7 +488,7 @@ func TestPlaceholderPodControllerNoManagedByLabels(t *testing.T) {
AutomountServiceAccountToken: util.ToPtr(false),
Containers: []corev1.Container{{
Name: "placeholder",
Image: "test-registry/oss/kubernetes/pause:3.6-hotfix.20220114",
Image: "test-registry/oss/kubernetes/pause:3.9-hotfix-20230808",
VolumeMounts: []corev1.VolumeMount{{
Name: "secrets",
MountPath: "/mnt/secrets",
Expand All @@ -471,6 +500,20 @@ func TestPlaceholderPodControllerNoManagedByLabels(t *testing.T) {
corev1.ResourceMemory: resource.MustParse("24Mi"),
},
},
SecurityContext: &corev1.SecurityContext{
Privileged: util.ToPtr(false),
AllowPrivilegeEscalation: util.ToPtr(false),
Capabilities: &corev1.Capabilities{
Drop: []corev1.Capability{"ALL"},
},
RunAsNonRoot: util.ToPtr(true),
RunAsUser: util.Int64Ptr(65535),
RunAsGroup: util.Int64Ptr(65535),
ReadOnlyRootFilesystem: util.ToPtr(true),
SeccompProfile: &corev1.SeccompProfile{
Type: corev1.SeccompProfileTypeRuntimeDefault,
},
},
}},
Volumes: []corev1.Volume{{
Name: "secrets",
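Review bot: The expected SecurityContext in the @@ -164,6 +165,20 @@ hunk of TestPlaceholderPodControllerIntegrationWithIng is repeated byte for byte in the @@ -314,6 +329,20 @@ and @@ -471,6 +500,20 @@ hunks, so any later change to the hardening has to be edited in three expectations or the tests drift from each other. Declare it once at package scope in this file, e.g. `var expectedPlaceholderSecurityContext = &corev1.SecurityContext{ /* fields as in the hunk */ }`, and use `SecurityContext: expectedPlaceholderSecurityContext,` in all three expected deployments. A short comment on that value, e.g. `// must match the hardening buildDeployment applies to the placeholder container`, tells the next maintainer why a deliberate change here must be made in both files. Each enclosing test function starts and ends outside its hunk.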