Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Update unpack job pod security (#2793)
* Update unpack job security Signed-off-by: perdasilva <perdasilva@redhat.com> * Refactor catsrc pod creation to use security package Signed-off-by: perdasilva <perdasilva@redhat.com> Upstream-repository: operator-lifecycle-manager Upstream-commit: eedad287de8d2326e2ad1f701737df1fb8d38756
- Loading branch information
1 parent
15b71ff
commit dc160ba
Showing
9 changed files
with
157 additions
and
49 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
42 changes: 42 additions & 0 deletions
42
staging/operator-lifecycle-manager/pkg/controller/security/security.go
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,42 @@ | ||
package security | ||
|
||
import ( | ||
corev1 "k8s.io/api/core/v1" | ||
"k8s.io/utils/pointer" | ||
) | ||
|
||
const readOnlyRootFilesystem = false | ||
const allowPrivilegeEscalation = false | ||
const privileged = false | ||
const runAsNonRoot = true | ||
|
||
// See: https://github.com/operator-framework/operator-registry/blob/master/Dockerfile#L27 | ||
const runAsUser int64 = 1001 | ||
|
||
// ApplyPodSpecSecurity applies the standard security profile to a pod spec | ||
func ApplyPodSpecSecurity(spec *corev1.PodSpec) { | ||
var containerSecurityContext = &corev1.SecurityContext{ | ||
Privileged: pointer.Bool(privileged), | ||
ReadOnlyRootFilesystem: pointer.Bool(readOnlyRootFilesystem), | ||
AllowPrivilegeEscalation: pointer.Bool(allowPrivilegeEscalation), | ||
Capabilities: &corev1.Capabilities{ | ||
Drop: []corev1.Capability{"ALL"}, | ||
}, | ||
} | ||
|
||
var podSecurityContext = &corev1.PodSecurityContext{ | ||
RunAsNonRoot: pointer.Bool(runAsNonRoot), | ||
RunAsUser: pointer.Int64(runAsUser), | ||
SeccompProfile: &corev1.SeccompProfile{ | ||
Type: corev1.SeccompProfileTypeRuntimeDefault, | ||
}, | ||
} | ||
|
||
spec.SecurityContext = podSecurityContext | ||
for idx := 0; idx < len(spec.Containers); idx++ { | ||
spec.Containers[idx].SecurityContext = containerSecurityContext | ||
} | ||
for idx := 0; idx < len(spec.InitContainers); idx++ { | ||
spec.InitContainers[idx].SecurityContext = containerSecurityContext | ||
} | ||
} |
5 changes: 5 additions & 0 deletions
5
...om/operator-framework/operator-lifecycle-manager/pkg/controller/bundle/bundle_unpacker.go
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Oops, something went wrong.
Oops, something went wrong.