From 1709cf77e843628df9f58b18d1fa1b7343291bda Mon Sep 17 00:00:00 2001 From: Simone Tiraboschi Date: Mon, 25 Jul 2022 15:00:04 +0200 Subject: [PATCH] Comply with OCP 4.11 and 4.12 Pod Security Standards (#2036) Set something like: ``` spec: securityContext: # Do not use SeccompProfile if your project must work on # old k8s versions < 1.19 and Openshift < 4.11 seccompProfile: type: RuntimeDefault runAsNonRoot: true containers: - name: my-container securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL ``` following OCP/OKD 4.12 best practices. This is a manual cherry-pick of #2036 Signed-off-by: Simone Tiraboschi --- controllers/operands/kubevirtConsolePlugin.go | 3 ++ ...operator.v1.7.0.clusterserviceversion.yaml | 27 +++++++++++++++++ ...operator.v1.7.0.clusterserviceversion.yaml | 29 ++++++++++++++++++- deploy/operator.yaml | 27 +++++++++++++++++ pkg/components/components.go | 25 ++++++++++++++++ 5 files changed, 110 insertions(+), 1 deletion(-) diff --git a/controllers/operands/kubevirtConsolePlugin.go b/controllers/operands/kubevirtConsolePlugin.go index a618ffc7a..41ef14b3b 100644 --- a/controllers/operands/kubevirtConsolePlugin.go +++ b/controllers/operands/kubevirtConsolePlugin.go @@ -21,6 +21,7 @@ import ( hcov1beta1 "github.com/kubevirt/hyperconverged-cluster-operator/api/v1beta1" "github.com/kubevirt/hyperconverged-cluster-operator/cmd/cmdcommon" "github.com/kubevirt/hyperconverged-cluster-operator/controllers/common" + "github.com/kubevirt/hyperconverged-cluster-operator/pkg/components" hcoutil "github.com/kubevirt/hyperconverged-cluster-operator/pkg/util" ) @@ -83,6 +84,7 @@ func NewKvUiPluginDeplymnt(hc *hcov1beta1.HyperConverged) (*appsv1.Deployment, e }, Spec: corev1.PodSpec{ ServiceAccountName: "default", + SecurityContext: components.GetStdPodSecurityContext(), Containers: []corev1.Container{ { Name: kvUIPluginName, 
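Review bot: With `RunAsNonRoot` set here and `capabilities.drop: [ALL]` added to the container in the next hunk, the plugin container loses NET_BIND_SERVICE and is refused by the kubelet unless its image declares a numeric non-root USER, so the plugin image and `hcoutil.UiPluginServerPort` deserve a check: if the port is below 1024 the server will fail to bind, and a non-numeric or missing USER leaves the pod in CreateContainerConfigError. The plugin image is configured outside these hunks, so this cannot be confirmed from the diff; a short comment on the new line such as `// restricted PSS: image must run as a numeric non-root user and bind an unprivileged port` would record the constraint for whoever changes the image later. NewKvUiPluginDeplymnt starts and ends outside these hunks.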
@@ -98,6 +100,7 @@ func NewKvUiPluginDeplymnt(hc *hcov1beta1.HyperConverged) (*appsv1.Deployment, e ContainerPort: hcoutil.UiPluginServerPort, Protocol: corev1.ProtocolTCP, }}, + SecurityContext: components.GetStdContainerSecurityContext(), TerminationMessagePath: corev1.TerminationMessagePathDefault, TerminationMessagePolicy: corev1.TerminationMessageReadFile, VolumeMounts: []corev1.VolumeMount{ diff --git a/deploy/index-image/community-kubevirt-hyperconverged/1.7.0/manifests/kubevirt-hyperconverged-operator.v1.7.0.clusterserviceversion.yaml b/deploy/index-image/community-kubevirt-hyperconverged/1.7.0/manifests/kubevirt-hyperconverged-operator.v1.7.0.clusterserviceversion.yaml index 29fe0fba1..2b25f8ddd 100644 --- a/deploy/index-image/community-kubevirt-hyperconverged/1.7.0/manifests/kubevirt-hyperconverged-operator.v1.7.0.clusterserviceversion.yaml +++ b/deploy/index-image/community-kubevirt-hyperconverged/1.7.0/manifests/kubevirt-hyperconverged-operator.v1.7.0.clusterserviceversion.yaml @@ -2435,7 +2435,16 @@ spec: requests: cpu: 10m memory: 96Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL priorityClassName: system-cluster-critical + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: hyperconverged-cluster-operator - label: app.kubernetes.io/component: deployment @@ -2502,7 +2511,16 @@ spec: requests: cpu: 5m memory: 48Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL priorityClassName: system-node-critical + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: hyperconverged-cluster-operator - label: app.kubernetes.io/component: deployment 
@@ -2538,7 +2556,16 @@ spec: requests: cpu: 10m memory: 96Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL priorityClassName: system-cluster-critical + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - label: app.kubernetes.io/component: network app.kubernetes.io/managed-by: olm diff --git a/deploy/olm-catalog/community-kubevirt-hyperconverged/1.7.0/manifests/kubevirt-hyperconverged-operator.v1.7.0.clusterserviceversion.yaml b/deploy/olm-catalog/community-kubevirt-hyperconverged/1.7.0/manifests/kubevirt-hyperconverged-operator.v1.7.0.clusterserviceversion.yaml index 1acd7f136..711e22a0c 100644 --- a/deploy/olm-catalog/community-kubevirt-hyperconverged/1.7.0/manifests/kubevirt-hyperconverged-operator.v1.7.0.clusterserviceversion.yaml +++ b/deploy/olm-catalog/community-kubevirt-hyperconverged/1.7.0/manifests/kubevirt-hyperconverged-operator.v1.7.0.clusterserviceversion.yaml @@ -9,7 +9,7 @@ metadata: certified: "false" console.openshift.io/disable-operand-delete: "true" containerImage: quay.io/kubevirt/hyperconverged-cluster-operator:1.7.0-unstable - createdAt: "2022-06-28 05:24:34" + createdAt: "2022-07-26 15:18:39" description: A unified operator deploying and controlling KubeVirt and its supporting operators with opinionated defaults operatorframework.io/initialization-resource: '{"apiVersion":"hco.kubevirt.io/v1beta1","kind":"HyperConverged","metadata":{"annotations":{"deployOVS":"false"},"name":"kubevirt-hyperconverged","namespace":"kubevirt-hyperconverged"},"spec":{}}' @@ -2435,7 +2435,16 @@ spec: requests: cpu: 10m memory: 96Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL priorityClassName: system-cluster-critical + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: hyperconverged-cluster-operator - label: app.kubernetes.io/component: deployment 
@@ -2502,7 +2511,16 @@ spec: requests: cpu: 5m memory: 48Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL priorityClassName: system-node-critical + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: hyperconverged-cluster-operator - label: app.kubernetes.io/component: deployment @@ -2538,7 +2556,16 @@ spec: requests: cpu: 10m memory: 96Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL priorityClassName: system-cluster-critical + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault - label: app.kubernetes.io/component: network app.kubernetes.io/managed-by: olm diff --git a/deploy/operator.yaml b/deploy/operator.yaml index a6dbe2a78..bdce8ec56 100644 --- a/deploy/operator.yaml +++ b/deploy/operator.yaml @@ -89,7 +89,16 @@ spec: requests: cpu: 10m memory: 96Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL priorityClassName: system-cluster-critical + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: hyperconverged-cluster-operator --- apiVersion: apps/v1 @@ -158,10 +167,19 @@ spec: requests: cpu: 5m memory: 48Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL volumeMounts: - mountPath: /apiserver.local.config/certificates name: apiservice-cert priorityClassName: system-node-critical + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: hyperconverged-cluster-operator volumes: - name: apiservice-cert @@ -209,7 +227,16 @@ spec: requests: cpu: 10m memory: 96Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL priorityClassName: system-cluster-critical + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault --- apiVersion: apps/v1 kind: Deployment 
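Review bot: The three HCO-owned Deployments in deploy/operator.yaml receive the pod and container securityContext, but the trailing context of the last hunk (`--- apiVersion: apps/v1 kind: Deployment`) shows at least one further Deployment in the file that this diff leaves untouched, and the 1.7.0 CSV hunks end on a similar untouched block (`app.kubernetes.io/component: network`). If those are component-operator deployments taken from their upstream manifests, the restricted-profile settings have to land upstream or the namespace stays non-compliant as a whole; if they are rendered by this repo, they should be covered here. Either way the PR description should say which it is, since a reader of this change will otherwise assume every workload in the namespace is now compliant.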
diff --git a/pkg/components/components.go b/pkg/components/components.go
index 10524534a..cfe8fdb91 100644
--- a/pkg/components/components.go
+++ b/pkg/components/components.go
@@ -20,6 +20,7 @@ import (
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/runtime/schema"
 "k8s.io/apimachinery/pkg/util/intstr"
+ "k8s.io/utils/pointer"
 crdgen "sigs.k8s.io/controller-tools/pkg/crd"
 crdmarkers "sigs.k8s.io/controller-tools/pkg/crd/markers"
 "sigs.k8s.io/controller-tools/pkg/loader"
@@ -156,6 +157,7 @@ func GetDeploymentSpecOperator(params *DeploymentOperatorParams) appsv1.Deployme
 },
 Spec: corev1.PodSpec{
 ServiceAccountName: hcoName,
+ SecurityContext: GetStdPodSecurityContext(),
 Containers: []corev1.Container{
 {
 Name: hcoName,
@@ -254,6 +256,7 @@ func GetDeploymentSpecOperator(params *DeploymentOperatorParams) appsv1.Deployme
 v1.ResourceMemory: resource.MustParse("96Mi"),
 },
 },
+ SecurityContext: GetStdContainerSecurityContext(),
 },
 },
 PriorityClassName: "system-cluster-critical",
@@ -278,6 +281,7 @@ func GetDeploymentSpecCliDownloads(params *DeploymentOperatorParams) appsv1.Depl
 Labels: getLabels(cliDownloadsName, params.HcoKvIoVersion),
 },
 Spec: corev1.PodSpec{
+ SecurityContext: GetStdPodSecurityContext(),
 Containers: []corev1.Container{
 {
 Name: "server",
@@ -295,6 +299,7 @@ func GetDeploymentSpecCliDownloads(params *DeploymentOperatorParams) appsv1.Depl
 ContainerPort: int32(8080),
 },
 },
+ SecurityContext: GetStdContainerSecurityContext(),
 },
 },
 PriorityClassName: "system-cluster-critical",
@@ -312,6 +317,24 @@ func getLabels(name, hcoKvIoVersion string) map[string]string {
 }
 }
 
+func GetStdPodSecurityContext() *v1.PodSecurityContext {
+ return &v1.PodSecurityContext{
+ RunAsNonRoot: pointer.Bool(true),
+ SeccompProfile: &v1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ }
+}
+
+func GetStdContainerSecurityContext() *v1.SecurityContext {
+ return &v1.SecurityContext{
+ AllowPrivilegeEscalation: pointer.Bool(false),
+ Capabilities: &v1.Capabilities{
+ Drop: []v1.Capability{"ALL"},
+ },
+ }
+}
+
 // Currently we are abusing the pod readiness to signal to OLM that HCO is not ready
 // for an upgrade. This has a lot of side effects, one of this is the validating webhook
 // being not able to receive traffic when exposed by a pod that is not reporting ready=true.
@@ -341,6 +364,7 @@ func GetDeploymentSpecWebhook(namespace, image, imagePullPolicy, hcoKvIoVersion
 },
 Spec: corev1.PodSpec{
 ServiceAccountName: hcoName,
+ SecurityContext: GetStdPodSecurityContext(),
 Containers: []corev1.Container{
 {
 Name: hcoNameWebhook,
@@ -390,6 +414,7 @@ func GetDeploymentSpecWebhook(namespace, image, imagePullPolicy, hcoKvIoVersion
 v1.ResourceMemory: resource.MustParse("48Mi"),
 },
 },
+ SecurityContext: GetStdContainerSecurityContext(),
 },
 },
 PriorityClassName: "system-node-critical",
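Review bot: GetStdPodSecurityContext and GetStdContainerSecurityContext are exported without a doc comment, so callers cannot see that each call returns a freshly allocated struct (mutating one deployment's copy does not affect another); suggested comments are `// GetStdPodSecurityContext returns a new PodSecurityContext that enforces runAsNonRoot and the RuntimeDefault seccomp profile, as required by the OCP 4.11+ restricted Pod Security Standard.` and `// GetStdContainerSecurityContext returns a new SecurityContext that disables privilege escalation and drops all Linux capabilities.` Inside the same literal the core API package is referenced as both `v1` (`v1.PodSecurityContext`) and `corev1` (`corev1.SeccompProfileTypeRuntimeDefault`); if both aliases resolve to k8s.io/api/core/v1, as the surrounding context lines suggest, the new code should use one of them. For whoever operates this stack it is worth recording that `RunAsNonRoot` is verified by the kubelet at container start, so every image wired into these deployments must declare a numeric non-root USER or the pod never leaves CreateContainerConfigError, and that the RuntimeDefault seccomp type needs Kubernetes 1.19 or newer, as the commit message already notes. No test in this diff pins the contexts on the rendered deployments, so a regression that drops either field would go unnoticed.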