feat: set the seccomp profile for artifact gc to runtimedefault

Signed-off-by: Lukas Hankeln <lukashankeln@googlemail.com>

workflow/common/security_context.go

@@ -0,0 +1,26 @@
+package common
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/utils/pointer"
+)
+
+func ContainerSecurityContext() *corev1.SecurityContext {
+	return &corev1.SecurityContext{
+		Capabilities:             &corev1.Capabilities{Drop: []corev1.Capability{"ALL"}},
+		Privileged:               pointer.Bool(false),
+		RunAsNonRoot:             pointer.Bool(true),
+		RunAsUser:                pointer.Int64(8737),
+		ReadOnlyRootFilesystem:   pointer.Bool(true),
+		AllowPrivilegeEscalation: pointer.Bool(false),
+		SeccompProfile:           &corev1.SeccompProfile{Type: "RuntimeDefault"},
+	}
+}
+
+func PodSecurityContext() *corev1.PodSecurityContext {
+	return &corev1.PodSecurityContext{
+		RunAsNonRoot:   pointer.Bool(true),
+		RunAsUser:      pointer.Int64(8737),
+		SeccompProfile: &corev1.SeccompProfile{Type: "RuntimeDefault"},
+	}
+}

workflow/controller/agent.go

@@ -174,15 +174,7 @@ func (woc *wfOperationCtx) createAgentPod(ctx context.Context) (*apiv1.Pod, erro
 		Image:           woc.controller.executorImage(),
 		ImagePullPolicy: woc.controller.executorImagePullPolicy(),
 		Env:             envVars,
-		SecurityContext: &apiv1.SecurityContext{
-			Capabilities: &apiv1.Capabilities{
-				Drop: []apiv1.Capability{"ALL"},
-			},
-			RunAsNonRoot:             pointer.Bool(true),
-			RunAsUser:                pointer.Int64(8737),
-			ReadOnlyRootFilesystem:   pointer.Bool(true),
-			AllowPrivilegeEscalation: pointer.Bool(false),
-		},
+		SecurityContext: common.ContainerSecurityContext(),
 		Resources: apiv1.ResourceRequirements{
 			Requests: map[apiv1.ResourceName]resource.Quantity{
 				"cpu":    resource.MustParse("10m"),
@@ -221,12 +213,9 @@ func (woc *wfOperationCtx) createAgentPod(ctx context.Context) (*apiv1.Pod, erro
 			},
 		},
 		Spec: apiv1.PodSpec{
-			RestartPolicy:    apiv1.RestartPolicyOnFailure,
-			ImagePullSecrets: woc.execWf.Spec.ImagePullSecrets,
-			SecurityContext: &apiv1.PodSecurityContext{
-				RunAsNonRoot: pointer.Bool(true),
-				RunAsUser:    pointer.Int64(8737),
-			},
+			RestartPolicy:                apiv1.RestartPolicyOnFailure,
+			ImagePullSecrets:             woc.execWf.Spec.ImagePullSecrets,
+			SecurityContext:              common.PodSecurityContext(),
 			ServiceAccountName:           serviceAccountName,
 			AutomountServiceAccountToken: pointer.Bool(false),
 			Volumes:                      podVolumes,

workflow/controller/artifact_gc.go

@@ -431,7 +431,8 @@ func (woc *wfOperationCtx) createArtifactGCPod(ctx context.Context, strategy wfv
 			OwnerReferences: ownerReferences,
 		},
 		Spec: corev1.PodSpec{
-			Volumes: volumes,
+			Volumes:         volumes,
+			SecurityContext: common.PodSecurityContext(),
 			Containers: []corev1.Container{
 				{
 					Name:            common.MainContainerName,
@@ -444,14 +445,7 @@ func (woc *wfOperationCtx) createArtifactGCPod(ctx context.Context, strategy wfv
 					// if this pod is breached by an attacker we:
 					// * prevent installation of any new packages
 					// * modification of the file-system
-					SecurityContext: &corev1.SecurityContext{
-						Capabilities:             &corev1.Capabilities{Drop: []corev1.Capability{"ALL"}},
-						Privileged:               pointer.Bool(false),
-						RunAsNonRoot:             pointer.Bool(true),
-						RunAsUser:                pointer.Int64(8737),
-						ReadOnlyRootFilesystem:   pointer.Bool(true),
-						AllowPrivilegeEscalation: pointer.Bool(false),
-					},
+					SecurityContext: common.ContainerSecurityContext(),
 					// if this pod is breached by an attacker these limits prevent excessive CPU and memory usage
 					Resources: corev1.ResourceRequirements{
 						Limits: map[corev1.ResourceName]resource.Quantity{