
fix(cilium): run the cilium-operator as non-root#2437

Merged
devantler merged 1 commit into
mainfrom
claude/harden-cilium-operator-nonroot
Jul 4, 2026

Conversation

@devantler

Contributor

🤖 Generated by the Daily AI Assistant

Why

The Kubescape dashboard flags the cilium-operator as running as root (control C-0013, non-root containers). It's a control-plane controller with no host access and no need for root — its image just ships no USER, so it defaults to root.

What

Runs the cilium-operator only as a non-root user via the chart's operator securityContext values, so it passes C-0013. The cilium agent, envoy, hubble, clustermesh and spire (privileged by design) are untouched.

Promote with care: this is on the pinned pre-release CNI chart (1.20.0-pre.3), and an operator crash-loop would degrade the CNI control plane and SPIRE mTLS resync. readOnlyRootFilesystem was intentionally left off (unverified for the distroless operator image). Worth a live check that the operator pods come up healthy after rollout.

Part of #2435

The cilium-operator Deployment ran as root (the operator-generic image
ships no USER) and failed Kubescape control C-0013 (non-root containers).
It is a pure control-plane controller — it reads a read-only config-map and
the read-only SPIRE agent socket, has no host filesystem access and binds
only high ports — so it runs fine as non-root.

Add operator.securityContext (runAsNonRoot + runAsUser/runAsGroup:1000,
re-stating the chart-default drop-ALL capabilities and
allowPrivilegeEscalation:false because the chart helper replaces the map
wholesale rather than merging it) and operator.podSecurityContext
(runAsNonRoot + RuntimeDefault seccomp). This touches ONLY the
cilium-operator Deployment; the agent, envoy, hubble, clustermesh and spire
securityContexts (privileged by design) are unchanged. readOnlyRootFilesystem
is intentionally omitted (unverified for the distroless operator image).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
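The values the PR describes, written out as a Flux HelmRelease fragment. This is an added example for the reader, not the repository's helm-release.yaml and not Cilium's own chart code; the HelmRelease name and namespace, the `helm.toolkit.fluxcd.io/v2` API version and the `HelmRepository` source name are assumptions, and the chart version is the pre-release pin named in the PR. Only `operator.*` is set, so the agent, envoy, hubble, clustermesh and spire contexts keep their chart defaults.

```yaml
# Added example, not the project's file. Name, namespace, apiVersion and
# sourceRef are assumptions; the operator.* values are those the PR describes.
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: cilium
  namespace: kube-system
spec:
  chart:
    spec:
      chart: cilium
      version: 1.20.0-pre.3   # pinned pre-release CNI chart named in the PR
      sourceRef:
        kind: HelmRepository
        name: cilium
  values:
    operator:
      # Pod level: the kubelet refuses to start any container in the pod
      # that would run as UID 0, and the runtime's default seccomp profile
      # is applied to every container.
      podSecurityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      # Container level: a numeric UID/GID is pinned because the
      # operator-generic image ships no USER. With a numeric runAsUser the
      # runAsNonRoot check is decided from the spec alone; with only a named
      # USER in the image the kubelet could not verify it and would fail the pod.
      # drop ALL and allowPrivilegeEscalation are restated here because, per
      # the PR, the chart helper replaces this map wholesale instead of
      # merging it with the chart default.
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        runAsGroup: 1000
        allowPrivilegeEscalation: false
        capabilities:
          drop:
            - ALL
        # readOnlyRootFilesystem is deliberately not set: the PR notes it is
        # unverified for the distroless operator image.
```

For the live check the PR asks for: the distroless operator image has no shell or `id` binary, so `kubectl exec ... -- id` is not the way to confirm the UID. Inspect the rendered spec instead, e.g. `kubectl -n kube-system get deploy cilium-operator -o jsonpath='{.spec.template.spec.containers[0].securityContext}'` (deployment name and namespace assumed to be the chart defaults), then watch `kubectl -n kube-system get pods -l name=cilium-operator` for `Running` with a zero restart count, and re-run the Kubescape scan to see C-0013 clear. If the operator does crash-loop, the first place to look is `kubectl logs` for EACCES on the config-map mount or the SPIRE agent socket, since those are the two paths the commit message says it reads.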
@coderabbitai

coderabbitai Bot commented Jul 4, 2026

Walkthrough

This change adds security hardening configuration to the cilium-operator HelmRelease, introducing securityContext and podSecurityContext settings under spec.values.operator to enforce non-root execution (UID/GID 1000), disable privilege escalation, drop all capabilities, and set the seccomp profile to RuntimeDefault.

Changes

Cilium Operator Security Hardening

Layer: Non-root security context configuration
File(s): k8s/bases/infrastructure/controllers/cilium/helm-release.yaml
Summary: Adds operator.securityContext and operator.podSecurityContext to run cilium-operator as non-root (UID/GID 1000), disallow privilege escalation, drop all capabilities, and set seccompProfile to RuntimeDefault.

Estimated code review effort: 1 (Trivial) | ~5 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Title check ✅ Passed The title clearly summarizes the main change: running the cilium-operator as non-root.
Description check ✅ Passed The description is directly related and accurately explains the cilium-operator non-root security change.
@devantler devantler marked this pull request as ready for review July 4, 2026 12:52
@devantler devantler added this pull request to the merge queue Jul 4, 2026
Merged via the queue into main with commit 985b905 Jul 4, 2026
15 checks passed
@devantler devantler deleted the claude/harden-cilium-operator-nonroot branch July 4, 2026 16:33
@github-project-automation github-project-automation Bot moved this from 🫴 Ready to ✅ Done in 🌊 Project Board Jul 4, 2026
@botantler-1

botantler-1 Bot commented Jul 4, 2026

Contributor

🎉 This PR is included in version 1.97.1 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

@botantler-1 botantler-1 Bot added the released label Jul 4, 2026