restrict the test pods security context

openshift · Apr 20, 2023 · 1e2bb28 · 1e2bb28
1 parent 9c583f1
commit 1e2bb28
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 1 deletion.
diff --git a/go.mod b/go.mod
@@ -22,6 +22,7 @@ require (
 	k8s.io/apimachinery v0.26.2
 	k8s.io/apiserver v0.26.2
 	k8s.io/client-go v0.26.2
+	k8s.io/utils v0.0.0-20221107191617-1a15be271d1d
 )
 
 require (
@@ -105,7 +106,6 @@ require (
 	k8s.io/klog/v2 v2.80.1 // indirect
 	k8s.io/kms v0.26.2 // indirect
 	k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 // indirect
-	k8s.io/utils v0.0.0-20221107191617-1a15be271d1d // indirect
 	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.35 // indirect
 	sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect

diff --git a/test/e2e/util.go b/test/e2e/util.go
@@ -25,6 +25,7 @@ import (
 
 	authorizationv1 "k8s.io/api/authorization/v1"
 	corev1 "k8s.io/api/core/v1"
+	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/intstr"
@@ -34,6 +35,7 @@ import (
 	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/clientcmd"
 	cmdapi "k8s.io/client-go/tools/clientcmd/api"
+	"k8s.io/utils/pointer"
 
 	configv1 "github.com/openshift/api/config/v1"
 	routev1 "github.com/openshift/api/route/v1"
@@ -667,6 +669,7 @@ func newOAuthProxyPod(proxyImage, backendImage string, extraProxyArgs []string,
 		"--cookie-secret=SECRET",
 		"--skip-provider-button",
 	}, extraProxyArgs...)
+
 	return &corev1.Pod{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: "proxy",
@@ -675,6 +678,11 @@ func newOAuthProxyPod(proxyImage, backendImage string, extraProxyArgs []string,
 			},
 		},
 		Spec: corev1.PodSpec{
+			SecurityContext: &v1.PodSecurityContext{
+				RunAsNonRoot:   pointer.Bool(true),
+				RunAsUser:      pointer.Int64(1000),
+				SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeRuntimeDefault},
+			},
 			Volumes: []corev1.Volume{
 				{
 					Name: "proxy-cert-volume",
@@ -692,6 +700,10 @@ func newOAuthProxyPod(proxyImage, backendImage string, extraProxyArgs []string,
 					ImagePullPolicy: corev1.PullIfNotPresent,
 					Name:            "oauth-proxy",
 					Args:            proxyArgs,
+					SecurityContext: &v1.SecurityContext{
+						AllowPrivilegeEscalation: pointer.Bool(false),
+						Capabilities:             &v1.Capabilities{Drop: []v1.Capability{"ALL"}},
+					},
 					Ports: []corev1.ContainerPort{
 						{
 							ContainerPort: 8443,
@@ -707,6 +719,10 @@ func newOAuthProxyPod(proxyImage, backendImage string, extraProxyArgs []string,
 				{
 					Image: backendImage,
 					Name:  "hello-openshift",
+					SecurityContext: &v1.SecurityContext{
+						AllowPrivilegeEscalation: pointer.Bool(false),
+						Capabilities:             &v1.Capabilities{Drop: []v1.Capability{"ALL"}},
+					},
 					Ports: []corev1.ContainerPort{
 						{
 							ContainerPort: 8080,