Comply with OCP 4.11 and 4.12 Pod Security Standards (kubevirt#2036)
Set something like:
```
spec:
 securityContext:
   # Do not use SeccompProfile if your project must work on
   # old k8s versions < 1.19 and Openshift < 4.11
   seccompProfile:
      type: RuntimeDefault
   runAsNonRoot: true
 containers:
   - name: my-container
     securityContext:
       allowPrivilegeEscalation: false
       capabilities:
         drop:
           - ALL
```
following OCP/OKD 4.12 best practices.

This is a manual cherry-pick of kubevirt#2036

Signed-off-by: Simone Tiraboschi <stirabos@redhat.com>
tiraboschi committed Jul 26, 2022
1 parent 7c1f624 commit 1709cf7
Showing 5 changed files with 110 additions and 1 deletion.
3 changes: 3 additions & 0 deletions controllers/operands/kubevirtConsolePlugin.go
Expand Up @@ -21,6 +21,7 @@ import (
hcov1beta1 "github.com/kubevirt/hyperconverged-cluster-operator/api/v1beta1"
"github.com/kubevirt/hyperconverged-cluster-operator/cmd/cmdcommon"
"github.com/kubevirt/hyperconverged-cluster-operator/controllers/common"
"github.com/kubevirt/hyperconverged-cluster-operator/pkg/components"
hcoutil "github.com/kubevirt/hyperconverged-cluster-operator/pkg/util"
)

Expand Down Expand Up @@ -83,6 +84,7 @@ func NewKvUiPluginDeplymnt(hc *hcov1beta1.HyperConverged) (*appsv1.Deployment, e
},
Spec: corev1.PodSpec{
ServiceAccountName: "default",
SecurityContext: components.GetStdPodSecurityContext(),
Containers: []corev1.Container{
{
Name: kvUIPluginName,
Expand All @@ -98,6 +100,7 @@ func NewKvUiPluginDeplymnt(hc *hcov1beta1.HyperConverged) (*appsv1.Deployment, e
ContainerPort: hcoutil.UiPluginServerPort,
Protocol: corev1.ProtocolTCP,
}},
SecurityContext: components.GetStdContainerSecurityContext(),
TerminationMessagePath: corev1.TerminationMessagePathDefault,
TerminationMessagePolicy: corev1.TerminationMessageReadFile,
VolumeMounts: []corev1.VolumeMount{
Expand Up @@ -2435,7 +2435,16 @@ spec:
requests:
cpu: 10m
memory: 96Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
priorityClassName: system-cluster-critical
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
serviceAccountName: hyperconverged-cluster-operator
- label:
app.kubernetes.io/component: deployment
Expand Down Expand Up @@ -2502,7 +2511,16 @@ spec:
requests:
cpu: 5m
memory: 48Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
priorityClassName: system-node-critical
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
serviceAccountName: hyperconverged-cluster-operator
- label:
app.kubernetes.io/component: deployment
Expand Down Expand Up @@ -2538,7 +2556,16 @@ spec:
requests:
cpu: 10m
memory: 96Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
priorityClassName: system-cluster-critical
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
- label:
app.kubernetes.io/component: network
app.kubernetes.io/managed-by: olm
Expand Up @@ -9,7 +9,7 @@ metadata:
certified: "false"
console.openshift.io/disable-operand-delete: "true"
containerImage: quay.io/kubevirt/hyperconverged-cluster-operator:1.7.0-unstable
createdAt: "2022-06-28 05:24:34"
createdAt: "2022-07-26 15:18:39"
description: A unified operator deploying and controlling KubeVirt and its supporting
operators with opinionated defaults
operatorframework.io/initialization-resource: '{"apiVersion":"hco.kubevirt.io/v1beta1","kind":"HyperConverged","metadata":{"annotations":{"deployOVS":"false"},"name":"kubevirt-hyperconverged","namespace":"kubevirt-hyperconverged"},"spec":{}}'
Expand Down Expand Up @@ -2435,7 +2435,16 @@ spec:
requests:
cpu: 10m
memory: 96Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
priorityClassName: system-cluster-critical
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
serviceAccountName: hyperconverged-cluster-operator
- label:
app.kubernetes.io/component: deployment
Expand Down Expand Up @@ -2502,7 +2511,16 @@ spec:
requests:
cpu: 5m
memory: 48Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
priorityClassName: system-node-critical
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
serviceAccountName: hyperconverged-cluster-operator
- label:
app.kubernetes.io/component: deployment
Expand Down Expand Up @@ -2538,7 +2556,16 @@ spec:
requests:
cpu: 10m
memory: 96Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
priorityClassName: system-cluster-critical
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
- label:
app.kubernetes.io/component: network
app.kubernetes.io/managed-by: olm
27 changes: 27 additions & 0 deletions deploy/operator.yaml
Expand Up @@ -89,7 +89,16 @@ spec:
requests:
cpu: 10m
memory: 96Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
priorityClassName: system-cluster-critical
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
serviceAccountName: hyperconverged-cluster-operator
---
apiVersion: apps/v1
Expand Down Expand Up @@ -158,10 +167,19 @@ spec:
requests:
cpu: 5m
memory: 48Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
volumeMounts:
- mountPath: /apiserver.local.config/certificates
name: apiservice-cert
priorityClassName: system-node-critical
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
serviceAccountName: hyperconverged-cluster-operator
volumes:
- name: apiservice-cert
Expand Down Expand Up @@ -209,7 +227,16 @@ spec:
requests:
cpu: 10m
memory: 96Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
priorityClassName: system-cluster-critical
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
---
apiVersion: apps/v1
kind: Deployment
25 changes: 25 additions & 0 deletions pkg/components/components.go
Expand Up @@ -20,6 +20,7 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/apimachinery/pkg/util/intstr"
"k8s.io/utils/pointer"
crdgen "sigs.k8s.io/controller-tools/pkg/crd"
crdmarkers "sigs.k8s.io/controller-tools/pkg/crd/markers"
"sigs.k8s.io/controller-tools/pkg/loader"
Expand Down Expand Up @@ -156,6 +157,7 @@ func GetDeploymentSpecOperator(params *DeploymentOperatorParams) appsv1.Deployme
},
Spec: corev1.PodSpec{
ServiceAccountName: hcoName,
SecurityContext: GetStdPodSecurityContext(),
Containers: []corev1.Container{
{
Name: hcoName,
Expand Down Expand Up @@ -254,6 +256,7 @@ func GetDeploymentSpecOperator(params *DeploymentOperatorParams) appsv1.Deployme
v1.ResourceMemory: resource.MustParse("96Mi"),
},
},
SecurityContext: GetStdContainerSecurityContext(),
},
},
PriorityClassName: "system-cluster-critical",
Expand All @@ -278,6 +281,7 @@ func GetDeploymentSpecCliDownloads(params *DeploymentOperatorParams) appsv1.Depl
Labels: getLabels(cliDownloadsName, params.HcoKvIoVersion),
},
Spec: corev1.PodSpec{
SecurityContext: GetStdPodSecurityContext(),
Containers: []corev1.Container{
{
Name: "server",
Expand All @@ -295,6 +299,7 @@ func GetDeploymentSpecCliDownloads(params *DeploymentOperatorParams) appsv1.Depl
ContainerPort: int32(8080),
},
},
SecurityContext: GetStdContainerSecurityContext(),
},
},
PriorityClassName: "system-cluster-critical",
Expand All @@ -312,6 +317,24 @@ func getLabels(name, hcoKvIoVersion string) map[string]string {
}
}

func GetStdPodSecurityContext() *v1.PodSecurityContext {
return &v1.PodSecurityContext{
RunAsNonRoot: pointer.Bool(true),
SeccompProfile: &v1.SeccompProfile{
Type: corev1.SeccompProfileTypeRuntimeDefault,
},
}
}

func GetStdContainerSecurityContext() *v1.SecurityContext {
return &v1.SecurityContext{
AllowPrivilegeEscalation: pointer.Bool(false),
Capabilities: &v1.Capabilities{
Drop: []v1.Capability{"ALL"},
},
}
}

// Currently we are abusing the pod readiness to signal to OLM that HCO is not ready
// for an upgrade. This has a lot of side effects, one of this is the validating webhook
// being not able to receive traffic when exposed by a pod that is not reporting ready=true.
Expand Down Expand Up @@ -341,6 +364,7 @@ func GetDeploymentSpecWebhook(namespace, image, imagePullPolicy, hcoKvIoVersion
},
Spec: corev1.PodSpec{
ServiceAccountName: hcoName,
SecurityContext: GetStdPodSecurityContext(),
Containers: []corev1.Container{
{
Name: hcoNameWebhook,
Expand Down Expand Up @@ -390,6 +414,7 @@ func GetDeploymentSpecWebhook(namespace, image, imagePullPolicy, hcoKvIoVersion
v1.ResourceMemory: resource.MustParse("48Mi"),
},
},
SecurityContext: GetStdContainerSecurityContext(),
},
},
PriorityClassName: "system-node-critical",
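Review bot: GetStdPodSecurityContext and GetStdContainerSecurityContext are exported but carry no doc comment; add one starting with the name, e.g. `// GetStdPodSecurityContext returns the pod-level security context (runAsNonRoot plus the RuntimeDefault seccomp profile) that HCO-managed deployments set to satisfy the restricted Pod Security Standard.` and a matching sentence for the container helper (allowPrivilegeEscalation false, all capabilities dropped). The pod helper also mixes the `v1` and `corev1` aliases, which appear to refer to the same core/v1 package, inside one literal; `Type: v1.SeccompProfileTypeRuntimeDefault` keeps it consistent with the surrounding fields. Neither helper sets RunAsUser, so RunAsNonRoot: true is only satisfiable when each image declares a numeric non-root USER — the kubelet refuses to start a container whose image resolves to UID 0 (or a non-numeric user) under this setting, which is worth stating in the doc comment so future images are built accordingly. The same helpers are wired into NewKvUiPluginDeplymnt in controllers/operands/kubevirtConsolePlugin.go, so that deployment inherits the same image requirement.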
