Merge pull request #3311 from openshift-cherrypick-robot/cherry-pick-…

…3284-to-release-4.15 [release-4.15] ACM-8466: Add Kubernetes SCC V2 options to HO containers
openshift · Dec 13, 2023 · 5d44000 · 5d44000
2 parents f8375d5 + 9bc3f13
commit 5d44000
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 1 deletion.
diff --git a/cmd/install/assets/hypershift_operator.go b/cmd/install/assets/hypershift_operator.go
@@ -47,6 +47,14 @@ var (
 	// allowPrivilegeEscalation is used to set the status of the
 	// privilegeEscalation on SeccompProfile
 	allowPrivilegeEscalation = false
+
+	// readOnlyRootFilesystem is used to set the container security
+	// context to mount the root filesystem as read-only.
+	readOnlyRootFilesystem = true
+
+	// privileged is used to set the container security
+	// context to run container as unprivileged.
+	privileged = false
 )
 
 type HyperShiftNamespace struct {
@@ -233,6 +241,10 @@ func (o ExternalDNSDeployment) Build() *appsv1.Deployment {
 									corev1.ResourceCPU:    resource.MustParse("5m"),
 								},
 							},
+							SecurityContext: &corev1.SecurityContext{
+								ReadOnlyRootFilesystem: &readOnlyRootFilesystem,
+								Privileged:             &privileged,
+							},
 							VolumeMounts: []corev1.VolumeMount{
 								{
 									Name:      "credentials",
@@ -562,7 +574,9 @@ func (o HyperShiftOperatorDeployment) Build() *appsv1.Deployment {
 							Command:         []string{"/usr/bin/hypershift-operator"},
 							Args:            []string{"init"},
 							SecurityContext: &corev1.SecurityContext{
-								RunAsUser: k8sutilspointer.Int64(1000),
+								RunAsUser:              k8sutilspointer.Int64(1000),
+								ReadOnlyRootFilesystem: &readOnlyRootFilesystem,
+								Privileged:             &privileged,
 							},
 							VolumeMounts: initVolumeMounts,
 						},
@@ -582,6 +596,8 @@ func (o HyperShiftOperatorDeployment) Build() *appsv1.Deployment {
 								SeccompProfile: &corev1.SeccompProfile{
 									Type: corev1.SeccompProfileTypeRuntimeDefault,
 								},
+								ReadOnlyRootFilesystem: &readOnlyRootFilesystem,
+								Privileged:             &privileged,
 							},
 							Image:           image,
 							ImagePullPolicy: corev1.PullIfNotPresent,

diff --git a/hack/app-sre/saas_template.yaml b/hack/app-sre/saas_template.yaml
@@ -414,6 +414,9 @@ objects:
             requests:
               cpu: 5m
               memory: 20Mi
+          securityContext:
+            privileged: false
+            readOnlyRootFilesystem: true
           volumeMounts:
           - mountPath: /etc/provider
             name: credentials
@@ -528,6 +531,8 @@ objects:
             capabilities:
               drop:
               - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
             runAsUser: 1000
             seccompProfile:
               type: RuntimeDefault
@@ -553,6 +558,8 @@ objects:
           name: init-environment
           resources: {}
           securityContext:
+            privileged: false
+            readOnlyRootFilesystem: true
             runAsUser: 1000
           volumeMounts:
           - mountPath: /var/run/ca-trust