[release-4.15] ACM-8466: Add Kubernetes SCC V2 options to HO containers #3311

Merged
18 changes: 17 additions & 1 deletion cmd/install/assets/hypershift_operator.go
Expand Up @@ -47,6 +47,14 @@ var (
// allowPrivilegeEscalation is used to set the status of the
// privilegeEscalation on SeccompProfile
allowPrivilegeEscalation = false

// readOnlyRootFilesystem is used to set the container security
// context to mount the root filesystem as read-only.
readOnlyRootFilesystem = true

// privileged is used to set the container security
// context to run container as unprivileged.
privileged = false
)

type HyperShiftNamespace struct {
Expand Down Expand Up @@ -233,6 +241,10 @@ func (o ExternalDNSDeployment) Build() *appsv1.Deployment {
corev1.ResourceCPU: resource.MustParse("5m"),
},
},
SecurityContext: &corev1.SecurityContext{
ReadOnlyRootFilesystem: &readOnlyRootFilesystem,
Privileged: &privileged,
},
VolumeMounts: []corev1.VolumeMount{
{
Name: "credentials",
Expand Down Expand Up @@ -562,7 +574,9 @@ func (o HyperShiftOperatorDeployment) Build() *appsv1.Deployment {
Command: []string{"/usr/bin/hypershift-operator"},
Args: []string{"init"},
SecurityContext: &corev1.SecurityContext{
RunAsUser: k8sutilspointer.Int64(1000),
RunAsUser: k8sutilspointer.Int64(1000),
ReadOnlyRootFilesystem: &readOnlyRootFilesystem,
Privileged: &privileged,
},
VolumeMounts: initVolumeMounts,
},
Expand All @@ -582,6 +596,8 @@ func (o HyperShiftOperatorDeployment) Build() *appsv1.Deployment {
SeccompProfile: &corev1.SeccompProfile{
Type: corev1.SeccompProfileTypeRuntimeDefault,
},
ReadOnlyRootFilesystem: &readOnlyRootFilesystem,
Privileged: &privileged,
},
Image: image,
ImagePullPolicy: corev1.PullIfNotPresent,
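Review bot: The new SecurityContext on the ExternalDNS container (lines 50-53) sets only ReadOnlyRootFilesystem and Privileged, while the operator's main container in the same file also carries a RuntimeDefault seccomp profile (lines 69-70) and the package already declares `allowPrivilegeEscalation` (line 34), which this context does not use. If the intent of the PR is a restricted-v2-style posture across all HO containers, the fields usually travel together, so consider adding `AllowPrivilegeEscalation: &allowPrivilegeEscalation,` and the same `SeccompProfile` block to this container; the same gap appears in the rendered template at lines 83-85 of hack/app-sre/saas_template.yaml. The comment on `privileged` (lines 40-41) also reads oddly next to `privileged = false` — `// privileged is false so that no HO container ever runs in privileged mode.` would state it directly. Both Build() functions continue outside the hunks.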
7 changes: 7 additions & 0 deletions hack/app-sre/saas_template.yaml
Expand Up @@ -414,6 +414,9 @@ objects:
requests:
cpu: 5m
memory: 20Mi
securityContext:
privileged: false
readOnlyRootFilesystem: true
volumeMounts:
- mountPath: /etc/provider
name: credentials
Expand Down Expand Up @@ -528,6 +531,8 @@ objects:
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
Expand All @@ -553,6 +558,8 @@ objects:
name: init-environment
resources: {}
securityContext:
privileged: false
readOnlyRootFilesystem: true
runAsUser: 1000
volumeMounts:
- mountPath: /var/run/ca-trust
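Review bot: The external-dns container now gets `readOnlyRootFilesystem: true` (line 85), but the only mount visible in this hunk is the credentials volume at `/etc/provider` (lines 87-88); any location the process writes at runtime (a temp directory, a cache) would now fail with a read-only filesystem error, so it is worth confirming before merge that every writable path is backed by an emptyDir or similar volume. The init container at lines 101-104 already has its writable target `/var/run/ca-trust` mounted (line 106), which is the pattern to mirror. Both container specs continue outside the hunks.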