Merge pull request #401 from zaneb/container-capabilities

OCPBUGS-27145: Drop unneccessary capabilities
openshift · May 7, 2024 · 4a57b9c · 4a57b9c
2 parents b019df5 + 09f1384
commit 4a57b9c
Show file tree

Hide file tree

Showing 5 changed files with 37 additions and 2 deletions.
diff --git a/provisioning/baremetal_pod.go b/provisioning/baremetal_pod.go
@@ -358,6 +358,9 @@ func createInitContainerMachineOsDownloader(info *ProvisioningInfo, imageURLs st
 		SecurityContext: &corev1.SecurityContext{
 			// Needed for hostPath image volume mount
 			Privileged: pointer.BoolPtr(true),
+			Capabilities: &corev1.Capabilities{
+				Drop: []corev1.Capability{"ALL"},
+			},
 		},
 		VolumeMounts: []corev1.VolumeMount{imageVolumeMount},
 		Env:          env,
@@ -380,7 +383,8 @@ func createInitContainerStaticIpSet(images *Images, config *metal3iov1alpha1.Pro
 		ImagePullPolicy: "IfNotPresent",
 		SecurityContext: &corev1.SecurityContext{
 			Capabilities: &corev1.Capabilities{
-				Add: []corev1.Capability{"NET_ADMIN"},
+				Drop: []corev1.Capability{"ALL"},
+				Add:  []corev1.Capability{"NET_ADMIN"},
 			},
 		},
 		Env: []corev1.EnvVar{
@@ -464,6 +468,14 @@ func createContainerMetal3Dnsmasq(images *Images, config *metal3iov1alpha1.Provi
 		SecurityContext: &corev1.SecurityContext{
 			// Needed for hostPath image volume mount
 			Privileged: pointer.BoolPtr(true),
+			Capabilities: &corev1.Capabilities{
+				Drop: []corev1.Capability{"ALL"},
+				Add: []corev1.Capability{
+					"NET_ADMIN",
+					"NET_RAW",
+					"NET_BIND_SERVICE",
+				},
+			},
 		},
 		Command: []string{"/bin/rundnsmasq"},
 		VolumeMounts: []corev1.VolumeMount{
@@ -539,6 +551,9 @@ func createContainerMetal3Httpd(images *Images, config *metal3iov1alpha1.Provisi
 		SecurityContext: &corev1.SecurityContext{
 			// Needed for hostPath image volume mount
 			Privileged: pointer.BoolPtr(true),
+			Capabilities: &corev1.Capabilities{
+				Drop: []corev1.Capability{"ALL"},
+			},
 		},
 		Command:      []string{"/bin/runhttpd"},
 		VolumeMounts: volumes,
@@ -613,6 +628,9 @@ func createContainerMetal3Ironic(images *Images, info *ProvisioningInfo, config
 		SecurityContext: &corev1.SecurityContext{
 			// Needed for hostPath image volume mount
 			Privileged: pointer.BoolPtr(true),
+			Capabilities: &corev1.Capabilities{
+				Drop: []corev1.Capability{"ALL"},
+			},
 		},
 		Command:      []string{"/bin/runironic"},
 		VolumeMounts: volumes,
@@ -738,6 +756,13 @@ func createContainerMetal3StaticIpManager(images *Images, config *metal3iov1alph
 		SecurityContext: &corev1.SecurityContext{
 			// Needed for mounting /proc to set the addr_gen_mode
 			Privileged: pointer.BoolPtr(true),
+			Capabilities: &corev1.Capabilities{
+				Drop: []corev1.Capability{"ALL"},
+				Add: []corev1.Capability{
+					"NET_ADMIN",
+					"FOWNER", // Needed for setting the addr_gen_mode
+				},
+			},
 		},
 		Env: []corev1.EnvVar{
 			buildEnvVar(provisioningIP, config),

diff --git a/provisioning/image_cache.go b/provisioning/image_cache.go
@@ -95,6 +95,9 @@ func createContainerImageCache(images *Images) corev1.Container {
 		SecurityContext: &corev1.SecurityContext{
 			// Needed for hostPath image volume mount
 			Privileged: pointer.BoolPtr(true),
+			Capabilities: &corev1.Capabilities{
+				Drop: []corev1.Capability{"ALL"},
+			},
 		},
 		Command:      []string{"/bin/runhttpd"},
 		VolumeMounts: []corev1.VolumeMount{imageVolumeMount},

diff --git a/provisioning/image_customization.go b/provisioning/image_customization.go
@@ -102,6 +102,9 @@ func createImageCustomizationContainer(images *Images, info *ProvisioningInfo, i
 		SecurityContext: &corev1.SecurityContext{
 			// Needed for hostPath image volume mount
 			Privileged: pointer.BoolPtr(true),
+			Capabilities: &corev1.Capabilities{
+				Drop: []corev1.Capability{"ALL"},
+			},
 		},
 		VolumeMounts: []corev1.VolumeMount{
 			imageRegistriesVolumeMount,

diff --git a/provisioning/ironic_proxy.go b/provisioning/ironic_proxy.go
@@ -42,7 +42,8 @@ func createContainerIronicProxy(ironicIP string, images *Images) corev1.Containe
 		ImagePullPolicy: corev1.PullIfNotPresent,
 		SecurityContext: &corev1.SecurityContext{
 			Capabilities: &corev1.Capabilities{
-				Add: []corev1.Capability{"FOWNER"},
+				Drop: []corev1.Capability{"ALL"},
+				Add:  []corev1.Capability{"FOWNER"},
 			},
 		},
 		Command: []string{"/bin/runironic-proxy"},

diff --git a/provisioning/machine_os_images.go b/provisioning/machine_os_images.go
@@ -35,6 +35,9 @@ func createInitContainerMachineOSImages(info *ProvisioningInfo, whichImages stri
 		SecurityContext: &corev1.SecurityContext{
 			// Needed for hostPath image volume mount
 			Privileged: pointer.BoolPtr(true),
+			Capabilities: &corev1.Capabilities{
+				Drop: []corev1.Capability{"ALL"},
+			},
 		},
 		TerminationMessagePolicy: corev1.TerminationMessageFallbackToLogsOnError,
 	}