From e3f8225a50a5a943672fca717fc66d4743707fdf Mon Sep 17 00:00:00 2001
From: Roke Jung
Date: Wed, 6 Dec 2023 09:56:57 -0500
Subject: [PATCH 1/2] ACM-8466: Add Kubernetes SCC V2 options to HO containers

Signed-off-by: Roke Jung
---
 cmd/install/assets/hypershift_operator.go | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/cmd/install/assets/hypershift_operator.go b/cmd/install/assets/hypershift_operator.go
index 61c6e64de0..c3113754ca 100644
--- a/cmd/install/assets/hypershift_operator.go
+++ b/cmd/install/assets/hypershift_operator.go
@@ -47,6 +47,14 @@ var (
 // allowPrivilegeEscalation is used to set the status of the
 // privilegeEscalation on SeccompProfile
 allowPrivilegeEscalation = false
+
+ // readOnlyRootFilesystem is used to set the container security
+ // context to mount the root filesystem as read-only.
+ readOnlyRootFilesystem = true
+
+ // privileged is used to set the container security
+ // context to run container as unprivileged.
+ privileged = false
 )
 
 type HyperShiftNamespace struct {
@@ -233,6 +241,10 @@ func (o ExternalDNSDeployment) Build() *appsv1.Deployment {
 corev1.ResourceCPU: resource.MustParse("5m"),
 },
 },
+ SecurityContext: &corev1.SecurityContext{
+ ReadOnlyRootFilesystem: &readOnlyRootFilesystem,
+ Privileged: &privileged,
+ },
 VolumeMounts: []corev1.VolumeMount{
 {
 Name: "credentials",
@@ -562,7 +574,9 @@ func (o HyperShiftOperatorDeployment) Build() *appsv1.Deployment {
 Command: []string{"/usr/bin/hypershift-operator"},
 Args: []string{"init"},
 SecurityContext: &corev1.SecurityContext{
- RunAsUser: k8sutilspointer.Int64(1000),
+ RunAsUser: k8sutilspointer.Int64(1000),
+ ReadOnlyRootFilesystem: &readOnlyRootFilesystem,
+ Privileged: &privileged,
 },
 VolumeMounts: initVolumeMounts,
 },
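Review bot: readOnlyRootFilesystem and privileged are mutable package-level variables whose addresses are taken by every SecurityContext built in this file (the three later hunks), so a write through any returned `*bool` — a caller adjusting a built Deployment, or a test — silently flips the setting for everything built after it. This follows the existing allowPrivilegeEscalation pattern, so it is at least consistent; a fresh pointer per site avoids the aliasing, e.g. `ReadOnlyRootFilesystem: k8sutilspointer.Bool(true),` and `Privileged: k8sutilspointer.Bool(false),`, using the package this file already imports for RunAsUser. The comment on privileged reads as if the variable configures something; stating the invariant is clearer: `// privileged is false: no container built in this file runs as a privileged container.`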
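Review bot: The SecurityContext added to the external-dns container sets only ReadOnlyRootFilesystem and Privileged, whereas the operator container in this file also carries a RuntimeDefault SeccompProfile (visible in the last hunk) and, per the saas_template hunk at line 528, drops all capabilities, so the two containers end up with uneven hardening. The same var block already defines allowPrivilegeEscalation, so adding `AllowPrivilegeEscalation: &allowPrivilegeEscalation,`, `Capabilities: &corev1.Capabilities{Drop: []corev1.Capability{"ALL"}},` and `SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault},` here would bring it in line. Separately, a read-only root filesystem turns any write outside a mounted volume into a runtime failure, and this hunk adds no writable mount; please confirm external-dns writes only under its existing mounts, and the same question applies to the init container and operator container in the following hunks. The enclosing Build method starts and ends outside the hunk.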
@@ -582,6 +596,8 @@ func (o HyperShiftOperatorDeployment) Build() *appsv1.Deployment {
 SeccompProfile: &corev1.SeccompProfile{
 Type: corev1.SeccompProfileTypeRuntimeDefault,
 },
+ ReadOnlyRootFilesystem: &readOnlyRootFilesystem,
+ Privileged: &privileged,
 },
 Image: image,
 ImagePullPolicy: corev1.PullIfNotPresent,
From 9bc3f131346803756a0d52b4a31f10be77edfe09 Mon Sep 17 00:00:00 2001
From: Roke Jung
Date: Wed, 6 Dec 2023 13:50:55 -0500
Subject: [PATCH 2/2] update app-sre saas_template.yaml

Signed-off-by: Roke Jung
---
 hack/app-sre/saas_template.yaml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/hack/app-sre/saas_template.yaml b/hack/app-sre/saas_template.yaml
index 0f7dc1d3e4..7d647d19cd 100644
--- a/hack/app-sre/saas_template.yaml
+++ b/hack/app-sre/saas_template.yaml
@@ -414,6 +414,9 @@ objects:
 requests:
 cpu: 5m
 memory: 20Mi
+ securityContext:
+ privileged: false
+ readOnlyRootFilesystem: true
 volumeMounts:
 - mountPath: /etc/provider
 name: credentials
@@ -528,6 +531,8 @@ objects:
 capabilities:
 drop:
 - ALL
+ privileged: false
+ readOnlyRootFilesystem: true
 runAsUser: 1000
 seccompProfile:
 type: RuntimeDefault
@@ -553,6 +558,8 @@ objects:
 name: init-environment
 resources: {}
 securityContext:
+ privileged: false
+ readOnlyRootFilesystem: true
 runAsUser: 1000
 volumeMounts:
 - mountPath: /var/run/ca-trust