Merge pull request #299 from timflannagan/pod-security-context-4.11

openshift-merge-robot · web-flow · commit ec696d9b8e71 · 2022-05-09T14:34:16.000-04:00
manifests/*: comply to restricted pod security level
diff --git a/manifests/0000_50_olm_06-psm-operator.deployment.ibm-cloud-managed.yaml b/manifests/0000_50_olm_06-psm-operator.deployment.ibm-cloud-managed.yaml
@@ -21,10 +21,19 @@ spec:
       labels:
         app: package-server-manager
     spec:
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 65534
+        seccompProfile:
+          type: RuntimeDefault
       serviceAccountName: olm-operator-serviceaccount
       priorityClassName: "system-cluster-critical"
       containers:
         - name: package-server-manager
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop: ["ALL"]
           command:
             - /bin/psm
             - start
diff --git a/manifests/0000_50_olm_06-psm-operator.deployment.yaml b/manifests/0000_50_olm_06-psm-operator.deployment.yaml
@@ -21,10 +21,19 @@ spec:
       labels:
         app: package-server-manager
     spec:
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 65534
+        seccompProfile:
+          type: RuntimeDefault
       serviceAccountName: olm-operator-serviceaccount
       priorityClassName: "system-cluster-critical"
       containers:
         - name: package-server-manager
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop: ["ALL"]
           command:
             - /bin/psm
             - start
diff --git a/manifests/0000_50_olm_07-collect-profiles.cronjob.yaml b/manifests/0000_50_olm_07-collect-profiles.cronjob.yaml
@@ -13,10 +13,18 @@ spec:
     spec:
       template:
         spec:
+          securityContext:
+            runAsNonRoot: true
+            seccompProfile:
+              type: RuntimeDefault
           serviceAccountName: collect-profiles
           priorityClassName: openshift-user-critical
           containers:
             - name: collect-profiles
+              securityContext:
+                allowPrivilegeEscalation: false
+                capabilities:
+                  drop: ["ALL"]
               image: quay.io/operator-framework/olm@sha256:de396b540b82219812061d0d753440d5655250c621c753ed1dc67d6154741607
               imagePullPolicy: IfNotPresent
               command:
diff --git a/manifests/0000_50_olm_07-olm-operator.deployment.ibm-cloud-managed.yaml b/manifests/0000_50_olm_07-olm-operator.deployment.ibm-cloud-managed.yaml
@@ -82,6 +82,10 @@ spec:
             requests:
               cpu: 10m
               memory: 160Mi
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop: ["ALL"]
       nodeSelector:
         kubernetes.io/os: linux
       tolerations:
@@ -97,3 +101,8 @@ spec:
           operator: Exists
           tolerationSeconds: 120
       priorityClassName: system-cluster-critical
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 65534
+        seccompProfile:
+          type: RuntimeDefault
diff --git a/manifests/0000_50_olm_07-olm-operator.deployment.yaml b/manifests/0000_50_olm_07-olm-operator.deployment.yaml
@@ -82,6 +82,10 @@ spec:
             requests:
               cpu: 10m
               memory: 160Mi
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop: ["ALL"]
       nodeSelector:
         kubernetes.io/os: linux
         node-role.kubernetes.io/master: ""
@@ -98,3 +102,8 @@ spec:
           operator: Exists
           tolerationSeconds: 120
       priorityClassName: system-cluster-critical
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 65534
+        seccompProfile:
+          type: RuntimeDefault
diff --git a/manifests/0000_50_olm_08-catalog-operator.deployment.ibm-cloud-managed.yaml b/manifests/0000_50_olm_08-catalog-operator.deployment.ibm-cloud-managed.yaml
@@ -78,6 +78,10 @@ spec:
           env:
             - name: RELEASE_VERSION
               value: "0.0.1-snapshot"
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop: ["ALL"]
       nodeSelector:
         kubernetes.io/os: linux
       tolerations:
@@ -93,3 +97,8 @@ spec:
           operator: Exists
           tolerationSeconds: 120
       priorityClassName: system-cluster-critical
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 65534
+        seccompProfile:
+          type: RuntimeDefault
diff --git a/manifests/0000_50_olm_08-catalog-operator.deployment.yaml b/manifests/0000_50_olm_08-catalog-operator.deployment.yaml
@@ -78,6 +78,10 @@ spec:
           env:
             - name: RELEASE_VERSION
               value: "0.0.1-snapshot"
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop: ["ALL"]
       nodeSelector:
         kubernetes.io/os: linux
         node-role.kubernetes.io/master: ""
@@ -94,3 +98,8 @@ spec:
           operator: Exists
           tolerationSeconds: 120
       priorityClassName: system-cluster-critical
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 65534
+        seccompProfile:
+          type: RuntimeDefault
diff --git a/pkg/manifests/csv.yaml b/pkg/manifests/csv.yaml
@@ -136,6 +136,10 @@ spec:
                     volumeMounts:
                       - name: tmpfs
                         mountPath: /tmp
+                    securityContext:
+                      allowPrivilegeEscalation: false
+                      capabilities:
+                        drop: ["ALL"]
                 volumes:
                   - name: tmpfs
                     emptyDir: {}
@@ -150,6 +154,11 @@ spec:
                               values:
                                 - packageserver
                         topologyKey: "kubernetes.io/hostname"
+                securityContext:
+                  runAsNonRoot: true
+                  runAsUser: 65534
+                  seccompProfile:
+                    type: RuntimeDefault
   maturity: alpha
   version: 0.19.0
   apiservicedefinitions:
diff --git a/scripts/catalog-deployment.patch.yaml b/scripts/catalog-deployment.patch.yaml
@@ -9,3 +9,16 @@
   value:
     name: RELEASE_VERSION
     value: "0.0.1-snapshot"
+- command: update
+  path: spec.template.spec.containers[*].securityContext
+  value:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop: ["ALL"]
+- command: update
+  path: spec.template.spec.securityContext
+  value:
+    runAsNonRoot: true
+    runAsUser: 65534
+    seccompProfile:
+      type: RuntimeDefault
diff --git a/scripts/generate_crds_manifests.sh b/scripts/generate_crds_manifests.sh
@@ -114,10 +114,19 @@ spec:
       labels:
         app: package-server-manager
     spec:
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 65534
+        seccompProfile:
+          type: RuntimeDefault
       serviceAccountName: olm-operator-serviceaccount
       priorityClassName: "system-cluster-critical"
       containers:
         - name: package-server-manager
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop: ["ALL"]
           command:
             - /bin/psm
             - start
@@ -262,10 +271,18 @@ spec:
     spec:
       template:
         spec:
+          securityContext:
+            runAsNonRoot: true
+            seccompProfile:
+              type: RuntimeDefault
           serviceAccountName: collect-profiles
           priorityClassName: openshift-user-critical
           containers:
           - name: collect-profiles
+            securityContext:
+              allowPrivilegeEscalation: false
+              capabilities:
+                drop: ["ALL"]
             image: quay.io/operator-framework/olm@sha256:de396b540b82219812061d0d753440d5655250c621c753ed1dc67d6154741607
             imagePullPolicy: IfNotPresent
             command:
diff --git a/scripts/olm-deployment.patch.yaml b/scripts/olm-deployment.patch.yaml
@@ -9,3 +9,16 @@
   value:
     name: RELEASE_VERSION
     value: "0.0.1-snapshot"
+- command: update
+  path: spec.template.spec.containers[*].securityContext
+  value:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop: ["ALL"]
+- command: update
+  path: spec.template.spec.securityContext
+  value:
+    runAsNonRoot: true
+    runAsUser: 65534
+    seccompProfile:
+      type: RuntimeDefault
diff --git a/scripts/packageserver-deployment.patch.yaml b/scripts/packageserver-deployment.patch.yaml
@@ -33,3 +33,16 @@
             values:
             - packageserver
         topologyKey: "kubernetes.io/hostname"
+- command: update
+  path: spec.install.spec.deployments[0].spec.template.spec.containers[*].securityContext
+  value:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop: ["ALL"]
+- command: update
+  path: spec.install.spec.deployments[0].spec.template.spec.securityContext
+  value:
+    runAsNonRoot: true
+    runAsUser: 65534
+    seccompProfile:
+      type: RuntimeDefault
