3 changes: 2 additions & 1 deletion Dockerfile
Expand Up @@ -2,7 +2,7 @@ FROM quay.io/fedora/fedora:34-x86_64 as builder
LABEL stage=builder
WORKDIR /build

# install dependencies and go 1.16
# install dependencies and go 1.17

Any reason we are not using 1.18 yet?


We probably should move to 1.18 here - though I think it should be done in another PR


# copy just enough of the git repo to parse HEAD, used to record version in OLM binaries
RUN dnf update -y && dnf install -y bash make git mercurial jq wget && dnf upgrade -y
Expand Down Expand Up @@ -33,6 +33,7 @@ COPY --from=builder /build/bin/olm /bin/olm
COPY --from=builder /build/bin/catalog /bin/catalog
COPY --from=builder /build/bin/package-server /bin/package-server
COPY --from=builder /build/bin/cpb /bin/cpb
USER 1001
EXPOSE 8080
EXPOSE 5443
CMD ["/bin/olm"]
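Review bot: `USER 1001` (L55) sets only a UID; with no matching passwd entry the process's primary group falls back to GID 0, and none of the pod securityContexts added in this PR set `runAsGroup` either, so the non-root process still carries the root group. Prefer `USER 1001:1001` (or set `runAsGroup`/`fsGroup` in the pod specs) so group ownership is explicit. A numeric UID is the right call here: the kubelet's `runAsNonRoot` check can only be satisfied when the image USER is numeric. The final-stage base image is outside the hunk, so whether any path the binaries write at runtime is owned by that UID cannot be confirmed from here.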
1 change: 1 addition & 0 deletions Dockerfile.goreleaser
Expand Up @@ -10,4 +10,5 @@ COPY package-server /bin/package-server
COPY cpb /bin/cpb
EXPOSE 8080
EXPOSE 5443
USER 1001
ENTRYPOINT ["/bin/olm"]
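Review bot: Same UID-only `USER 1001` as in `Dockerfile` — without a group the process inherits GID 0; `USER 1001:1001` keeps the two images consistent and does not depend on a passwd entry that the goreleaser base image (not visible here) may lack. Here the line sits after `EXPOSE` while in `Dockerfile` it precedes it; harmless, but keeping the order identical makes the images easier to compare.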
5 changes: 5 additions & 0 deletions deploy/chart/templates/0000_50_olm_00-namespace.yaml
Expand Up @@ -2,9 +2,14 @@ apiVersion: v1
kind: Namespace
metadata:
name: {{ .Values.namespace }}
labels:
pod-security.kubernetes.io/enforce: restricted


---
apiVersion: v1
kind: Namespace
metadata:
name: {{ .Values.operator_namespace }}
labels:
pod-security.kubernetes.io/enforce: restricted
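Review bot: `pod-security.kubernetes.io/enforce: restricted` is added without `pod-security.kubernetes.io/enforce-version`, so what "restricted" requires floats with the cluster version and an upgrade can start rejecting pods that were admitted before; pin it, e.g. `pod-security.kubernetes.io/enforce-version: v1.24` (or `latest` deliberately), and consider adding `warn`/`audit` labels so violations surface before they block. Enforcement applies to every pod created in these namespaces, not only the deployments changed in this PR — the bundle unpack jobs are adjusted in the Go change, but if OLM still creates catalog registry pods in these namespaces (not in this diff) they must meet the same profile or they will be refused admission. On clusters without Pod Security Admission (pre-1.23 or feature-gated off) the labels are silently ignored, so the chart's per-pod securityContexts are the only hardening that applies there.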
10 changes: 10 additions & 0 deletions deploy/chart/templates/0000_50_olm_07-olm-operator.deployment.yaml
Expand Up @@ -18,6 +18,10 @@ spec:
app: olm-operator
spec:
serviceAccountName: olm-operator-serviceaccount
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
{{- if or .Values.olm.tlsSecret .Values.olm.clientCASecret }}
volumes:
{{- end }}
Expand All @@ -33,6 +37,12 @@ spec:
{{- end }}
containers:
- name: olm-operator
securityContext:
privileged: false
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
{{- if or .Values.olm.tlsSecret .Values.olm.clientCASecret }}
volumeMounts:
{{- end }}
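Review bot: `readOnlyRootFilesystem: true` on the olm-operator container (L103) turns any runtime write by `/bin/olm` — temp files, a cache directory, generated certs — into a runtime EACCES rather than a deploy-time failure; the hunk shows no `emptyDir` for `/tmp`, so confirm the binary needs none or mount one. `runAsNonRoot: true` without `runAsUser` relies on the image USER being numeric (it is, `USER 1001`), which the kubelet can verify; a named user would be rejected at admission. `privileged: false` is the default and can be dropped, though it is harmless. The volume and container lists continue outside the hunk, so any additional containers there need the same container-level context to satisfy the namespace's restricted profile.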
Expand Up @@ -18,6 +18,10 @@ spec:
app: catalog-operator
spec:
serviceAccountName: olm-operator-serviceaccount
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
{{- if or .Values.catalog.tlsSecret .Values.catalog.clientCASecret }}
volumes:
{{- end }}
Expand All @@ -33,6 +37,12 @@ spec:
{{- end }}
containers:
- name: catalog-operator
securityContext:
privileged: false
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
{{- if or .Values.catalog.tlsSecret .Values.catalog.clientCASecret }}
volumeMounts:
{{- end }}
10 changes: 10 additions & 0 deletions deploy/chart/templates/_packageserver.deployment-spec.yaml
Expand Up @@ -15,6 +15,10 @@ spec:
app: packageserver
spec:
serviceAccountName: olm-operator-serviceaccount
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
{{- if .Values.package.nodeSelector }}
nodeSelector:
{{- toYaml .Values.package.nodeSelector | nindent 8 }}
Expand All @@ -25,6 +29,12 @@ spec:
{{- end }}
containers:
- name: packageserver
securityContext:
privileged: false
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop: [ "ALL" ]
command:
- /bin/package-server
- -v=4
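Review bot: `drop: [ "ALL" ]` (L159) is spaced differently from `drop: ["ALL"]` in the two operator deployments; identical YAML, but aligning it to `drop: ["ALL"]` keeps the three templates grep-consistent. More importantly, `readOnlyRootFilesystem: true` on an aggregated API server is only safe if package-server never writes its serving certificate or a cache to disk; if it generates a self-signed cert into a temp directory at startup (the `command` args that would show this are cut off after L162), it needs an `emptyDir` mounted there. The remaining container spec and any volumes are outside the hunk.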
1 change: 1 addition & 0 deletions e2e.Dockerfile
Expand Up @@ -3,4 +3,5 @@ FROM busybox
COPY olm catalog package-server wait cpb /bin/
EXPOSE 8080
EXPOSE 5443
USER 1001
CMD ["/bin/olm"]
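Review bot: `USER 1001` on a `busybox` base has no passwd entry, so the process runs as uid 1001 with gid 0; `USER 1001:1001` makes the e2e image match the hardened deployments it is meant to exercise and avoids a root-group process in tests that validate the restricted profile. Since this image stands in for the production binaries in e2e, keeping the USER line byte-identical to `Dockerfile` also avoids e2e passing where production would be rejected.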
5 changes: 5 additions & 0 deletions pkg/controller/bundle/bundle_unpacker.go
Expand Up @@ -28,6 +28,7 @@ import (
listersoperatorsv1alpha1 "github.com/operator-framework/operator-lifecycle-manager/pkg/api/client/listers/operators/v1alpha1"
"github.com/operator-framework/operator-lifecycle-manager/pkg/controller/install"
"github.com/operator-framework/operator-lifecycle-manager/pkg/controller/registry/resolver/projection"
"github.com/operator-framework/operator-lifecycle-manager/pkg/controller/security"
)

const (
Expand Down Expand Up @@ -190,6 +191,10 @@ func (c *ConfigMapUnpacker) job(cmRef *corev1.ObjectReference, bundlePath string
},
},
}

// Apply Pod security
security.ApplyPodSpecSecurity(&job.Spec.Template.Spec, security.WithRunAsUser())

job.SetNamespace(cmRef.Namespace)
job.SetName(cmRef.Name)
job.SetOwnerReferences([]metav1.OwnerReference{ownerRef(cmRef)})
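Review bot: `security.ApplyPodSpecSecurity(&job.Spec.Template.Spec, security.WithRunAsUser())` is applied to a job whose `pull` init container runs the bundle image itself; with `runAsNonRoot: true` the kubelet rejects any image whose USER is root or a non-numeric name, so an explicit `runAsUser` is what keeps arbitrary bundle images admissible — yet the updated fixtures in bundle_unpacker_test.go expect a pod securityContext holding only `RunAsNonRoot` and `SeccompProfile` with no `RunAsUser`, so either the option does something other than its name suggests or the fixtures do not exercise it; worth confirming. The comment `// Apply Pod security` could state the why: `// Harden the unpack job for the restricted Pod Security profile; the explicit UID lets bundle images that declare no USER be admitted.` Whether `cp`/`cpb` in the init containers can still write their targets as that UID under `readOnlyRootFilesystem` depends on the volumes defined above this hunk. `job` starts before the hunk (signature at L182).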
55 changes: 50 additions & 5 deletions pkg/controller/bundle/bundle_unpacker_test.go
Expand Up @@ -68,6 +68,27 @@ func TestConfigMapUnpacker(t *testing.T) {
roleBindings []*rbacv1.RoleBinding
}

var expectedReadOnlyRootFilesystem = false
var expectedAllowPrivilegeEscalation = false
var expectedRunAsNonRoot = true
var expectedPrivileged = false

var expectedContainerSecurityContext = &corev1.SecurityContext{
Privileged: &expectedPrivileged,
ReadOnlyRootFilesystem: &expectedReadOnlyRootFilesystem,
AllowPrivilegeEscalation: &expectedAllowPrivilegeEscalation,
Capabilities: &corev1.Capabilities{
Drop: []corev1.Capability{"ALL"},
},
}

var expectedPodSecurityContext = &corev1.PodSecurityContext{
RunAsNonRoot: &expectedRunAsNonRoot,
SeccompProfile: &corev1.SeccompProfile{
Type: corev1.SeccompProfileTypeRuntimeDefault,
},
}

tests := []struct {
description string
fields fields
Expand Down Expand Up @@ -220,6 +241,7 @@ func TestConfigMapUnpacker(t *testing.T) {
Spec: corev1.PodSpec{
RestartPolicy: corev1.RestartPolicyNever,
ImagePullSecrets: []corev1.LocalObjectReference{{Name: "my-secret"}},
SecurityContext: expectedPodSecurityContext,
Containers: []corev1.Container{
{
Name: "extract",
Expand All @@ -243,6 +265,7 @@ func TestConfigMapUnpacker(t *testing.T) {
corev1.ResourceMemory: resource.MustParse("50Mi"),
},
},
SecurityContext: expectedContainerSecurityContext,
},
},
InitContainers: []corev1.Container{
Expand All @@ -262,6 +285,7 @@ func TestConfigMapUnpacker(t *testing.T) {
corev1.ResourceMemory: resource.MustParse("50Mi"),
},
},
SecurityContext: expectedContainerSecurityContext,
},
{
Name: "pull",
Expand All @@ -284,6 +308,7 @@ func TestConfigMapUnpacker(t *testing.T) {
corev1.ResourceMemory: resource.MustParse("50Mi"),
},
},
SecurityContext: expectedContainerSecurityContext,
},
},
Volumes: []corev1.Volume{
Expand Down Expand Up @@ -396,7 +421,8 @@ func TestConfigMapUnpacker(t *testing.T) {
Name: pathHash,
},
Spec: corev1.PodSpec{
RestartPolicy: corev1.RestartPolicyNever,
RestartPolicy: corev1.RestartPolicyNever,
SecurityContext: expectedPodSecurityContext,
Containers: []corev1.Container{
{
Name: "extract",
Expand All @@ -420,6 +446,7 @@ func TestConfigMapUnpacker(t *testing.T) {
corev1.ResourceMemory: resource.MustParse("50Mi"),
},
},
SecurityContext: expectedContainerSecurityContext,
},
},
InitContainers: []corev1.Container{
Expand All @@ -439,6 +466,7 @@ func TestConfigMapUnpacker(t *testing.T) {
corev1.ResourceMemory: resource.MustParse("50Mi"),
},
},
SecurityContext: expectedContainerSecurityContext,
},
{
Name: "pull",
Expand All @@ -461,6 +489,7 @@ func TestConfigMapUnpacker(t *testing.T) {
corev1.ResourceMemory: resource.MustParse("50Mi"),
},
},
SecurityContext: expectedContainerSecurityContext,
},
},
Volumes: []corev1.Volume{
Expand Down Expand Up @@ -614,7 +643,8 @@ func TestConfigMapUnpacker(t *testing.T) {
Name: pathHash,
},
Spec: corev1.PodSpec{
RestartPolicy: corev1.RestartPolicyNever,
RestartPolicy: corev1.RestartPolicyNever,
SecurityContext: expectedPodSecurityContext,
Containers: []corev1.Container{
{
Name: "extract",
Expand All @@ -638,6 +668,7 @@ func TestConfigMapUnpacker(t *testing.T) {
corev1.ResourceMemory: resource.MustParse("50Mi"),
},
},
SecurityContext: expectedContainerSecurityContext,
},
},
InitContainers: []corev1.Container{
Expand All @@ -657,6 +688,7 @@ func TestConfigMapUnpacker(t *testing.T) {
corev1.ResourceMemory: resource.MustParse("50Mi"),
},
},
SecurityContext: expectedContainerSecurityContext,
},
{
Name: "pull",
Expand All @@ -679,6 +711,7 @@ func TestConfigMapUnpacker(t *testing.T) {
corev1.ResourceMemory: resource.MustParse("50Mi"),
},
},
SecurityContext: expectedContainerSecurityContext,
},
},
Volumes: []corev1.Volume{
Expand Down Expand Up @@ -826,7 +859,8 @@ func TestConfigMapUnpacker(t *testing.T) {
Name: pathHash,
},
Spec: corev1.PodSpec{
RestartPolicy: corev1.RestartPolicyNever,
RestartPolicy: corev1.RestartPolicyNever,
SecurityContext: expectedPodSecurityContext,
Containers: []corev1.Container{
{
Name: "extract",
Expand All @@ -850,6 +884,7 @@ func TestConfigMapUnpacker(t *testing.T) {
corev1.ResourceMemory: resource.MustParse("50Mi"),
},
},
SecurityContext: expectedContainerSecurityContext,
},
},
InitContainers: []corev1.Container{
Expand All @@ -869,6 +904,7 @@ func TestConfigMapUnpacker(t *testing.T) {
corev1.ResourceMemory: resource.MustParse("50Mi"),
},
},
SecurityContext: expectedContainerSecurityContext,
},
{
Name: "pull",
Expand All @@ -891,6 +927,7 @@ func TestConfigMapUnpacker(t *testing.T) {
corev1.ResourceMemory: resource.MustParse("50Mi"),
},
},
SecurityContext: expectedContainerSecurityContext,
},
},
Volumes: []corev1.Volume{
Expand Down Expand Up @@ -1008,7 +1045,8 @@ func TestConfigMapUnpacker(t *testing.T) {
Name: pathHash,
},
Spec: corev1.PodSpec{
RestartPolicy: corev1.RestartPolicyNever,
RestartPolicy: corev1.RestartPolicyNever,
SecurityContext: expectedPodSecurityContext,
Containers: []corev1.Container{
{
Name: "extract",
Expand All @@ -1032,6 +1070,7 @@ func TestConfigMapUnpacker(t *testing.T) {
corev1.ResourceMemory: resource.MustParse("50Mi"),
},
},
SecurityContext: expectedContainerSecurityContext,
},
},
InitContainers: []corev1.Container{
Expand All @@ -1051,6 +1090,7 @@ func TestConfigMapUnpacker(t *testing.T) {
corev1.ResourceMemory: resource.MustParse("50Mi"),
},
},
SecurityContext: expectedContainerSecurityContext,
},
{
Name: "pull",
Expand All @@ -1073,6 +1113,7 @@ func TestConfigMapUnpacker(t *testing.T) {
corev1.ResourceMemory: resource.MustParse("50Mi"),
},
},
SecurityContext: expectedContainerSecurityContext,
},
},
Volumes: []corev1.Volume{
Expand Down Expand Up @@ -1201,7 +1242,8 @@ func TestConfigMapUnpacker(t *testing.T) {
Name: pathHash,
},
Spec: corev1.PodSpec{
RestartPolicy: corev1.RestartPolicyNever,
RestartPolicy: corev1.RestartPolicyNever,
SecurityContext: expectedPodSecurityContext,
Containers: []corev1.Container{
{
Name: "extract",
Expand All @@ -1225,6 +1267,7 @@ func TestConfigMapUnpacker(t *testing.T) {
corev1.ResourceMemory: resource.MustParse("50Mi"),
},
},
SecurityContext: expectedContainerSecurityContext,
},
},
InitContainers: []corev1.Container{
Expand All @@ -1244,6 +1287,7 @@ func TestConfigMapUnpacker(t *testing.T) {
corev1.ResourceMemory: resource.MustParse("50Mi"),
},
},
SecurityContext: expectedContainerSecurityContext,
},
{
Name: "pull",
Expand All @@ -1266,6 +1310,7 @@ func TestConfigMapUnpacker(t *testing.T) {
corev1.ResourceMemory: resource.MustParse("50Mi"),
},
},
SecurityContext: expectedContainerSecurityContext,
},
},
Volumes: []corev1.Volume{
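Review bot: The pod-level expectation (L214-L219) carries no `RunAsUser`, although the code under test passes `security.WithRunAsUser()`; a direct unit test of `security.ApplyPodSpecSecurity` asserting exactly what each option sets would pin that contract once instead of leaving it implicit in six fixtures. Repeating `SecurityContext: expectedContainerSecurityContext` on every container and `SecurityContext: expectedPodSecurityContext` on every pod is a lot of duplication; a small helper that applies the expected contexts to a base PodSpec (with `t.Helper()`) would make the cases diff cleanly. Sharing the expected structs by pointer across cases is fine for read-only comparison. `TestConfigMapUnpacker` begins and ends outside the hunks shown.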