

Set SeccompProfile
Be compliant with the PSA restricted profile. This can
be applied to virt-api, virt-operator and
virt-controller.

Signed-off-by: L. Pivarc <lpivarc@redhat.com>
xpivarc committed Sep 13, 2022
1 parent 46c395a commit 63c6f8e
Showing 2 changed files with 23 additions and 17 deletions.
4 changes: 4 additions & 0 deletions manifests/generated/operator-csv.yaml.in
Expand Up @@ -1196,6 +1196,8 @@ spec:
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /etc/virt-operator/certificates
name: kubevirt-operator-certs
Expand All @@ -1207,6 +1209,8 @@ spec:
priorityClassName: kubevirt-cluster-critical
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
serviceAccountName: kubevirt-operator
tolerations:
- key: CriticalAddonsOnly
36 changes: 19 additions & 17 deletions pkg/virt-operator/resource/generate/components/deployments.go
Expand Up @@ -320,7 +320,8 @@ func NewApiServerDeployment(namespace string, repository string, imagePrefix str
pod := &deployment.Spec.Template.Spec
pod.ServiceAccountName = rbac.ApiServiceAccountName
pod.SecurityContext = &corev1.PodSecurityContext{
RunAsNonRoot: boolPtr(true),
RunAsNonRoot: boolPtr(true),
SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault},
}

container := &deployment.Spec.Template.Spec.Containers[0]
Expand Down Expand Up @@ -370,14 +371,13 @@ func NewApiServerDeployment(namespace string, repository string, imagePrefix str
},
}

if container.SecurityContext == nil {
container.SecurityContext = &corev1.SecurityContext{}
}
container.SecurityContext.AllowPrivilegeEscalation = pointer.Bool(false)
container.SecurityContext.Capabilities = &corev1.Capabilities{
Drop: []corev1.Capability{"ALL"},
container.SecurityContext = &corev1.SecurityContext{
AllowPrivilegeEscalation: pointer.Bool(false),
Capabilities: &corev1.Capabilities{
Drop: []corev1.Capability{"ALL"},
},
SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault},
}

return deployment, nil
}

Expand All @@ -394,7 +394,8 @@ func NewControllerDeployment(namespace string, repository string, imagePrefix st
pod := &deployment.Spec.Template.Spec
pod.ServiceAccountName = rbac.ControllerServiceAccountName
pod.SecurityContext = &corev1.PodSecurityContext{
RunAsNonRoot: boolPtr(true),
RunAsNonRoot: boolPtr(true),
SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault},
}

launcherVersion = AddVersionSeparatorPrefix(launcherVersion)
Expand Down Expand Up @@ -462,14 +463,13 @@ func NewControllerDeployment(namespace string, repository string, imagePrefix st
},
}

if container.SecurityContext == nil {
container.SecurityContext = &corev1.SecurityContext{}
}
container.SecurityContext.AllowPrivilegeEscalation = pointer.Bool(false)
container.SecurityContext.Capabilities = &corev1.Capabilities{
Drop: []corev1.Capability{"ALL"},
container.SecurityContext = &corev1.SecurityContext{
AllowPrivilegeEscalation: pointer.Bool(false),
Capabilities: &corev1.Capabilities{
Drop: []corev1.Capability{"ALL"},
},
SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault},
}

return deployment, nil
}

Expand Down Expand Up @@ -588,11 +588,13 @@ func NewOperatorDeployment(namespace string, repository string, imagePrefix stri
Capabilities: &corev1.Capabilities{
Drop: []corev1.Capability{"ALL"},
},
SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault},
},
},
},
SecurityContext: &corev1.PodSecurityContext{
RunAsNonRoot: boolPtr(true),
RunAsNonRoot: boolPtr(true),
SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault},
},
},
},
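Review bot: The rewrite of the container security context in NewApiServerDeployment and NewControllerDeployment replaces the nil-guarded, field-wise update with a wholesale `container.SecurityContext = &corev1.SecurityContext{...}`, so any field already set on that container's SecurityContext earlier in either function (outside this hunk) is now silently discarded; the old `if container.SecurityContext == nil` guard suggests that case was anticipated. If nothing above populates it the guard was dead and the simplification is fine, but that should be confirmed, or the field-wise form kept and extended with `container.SecurityContext.SeccompProfile = &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault}`. The same three-field restricted literal (AllowPrivilegeEscalation false, drop ALL, RuntimeDefault seccomp) now appears verbatim in NewApiServerDeployment, NewControllerDeployment and NewOperatorDeployment; a small helper returning that `*corev1.SecurityContext` would keep the PSA-restricted settings in one place so a later hardening change cannot drift between the three deployments. All three enclosing functions start before their hunks.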
