Skip to content

manifests/*: comply to restricted pod security level #295

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 1 commit into from
Closed

manifests/*: comply to restricted pod security level #295

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 9 additions & 0 deletions manifests/0000_50_olm_06-psm-operator.deployment.ibm-cloud-managed.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,10 +21,19 @@ spec:
labels:
app: package-server-manager
spec:
securityContext:
runAsNonRoot: true
runAsUser: 65534
seccompProfile:
type: RuntimeDefault
serviceAccountName: olm-operator-serviceaccount
priorityClassName: "system-cluster-critical"
containers:
- name: package-server-manager
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
command:
- /bin/psm
- start
Expand Down
9 changes: 9 additions & 0 deletions manifests/0000_50_olm_06-psm-operator.deployment.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,10 +21,19 @@ spec:
labels:
app: package-server-manager
spec:
securityContext:
runAsNonRoot: true
runAsUser: 65534
seccompProfile:
type: RuntimeDefault
serviceAccountName: olm-operator-serviceaccount
priorityClassName: "system-cluster-critical"
containers:
- name: package-server-manager
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
command:
- /bin/psm
- start
Expand Down
9 changes: 9 additions & 0 deletions manifests/0000_50_olm_07-collect-profiles.cronjob.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,10 +13,19 @@ spec:
spec:
template:
spec:
securityContext:
runAsNonRoot: true
runAsUser: 65534
seccompProfile:
type: RuntimeDefault
serviceAccountName: collect-profiles
priorityClassName: openshift-user-critical
containers:
- name: collect-profiles
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
image: quay.io/operator-framework/olm@sha256:de396b540b82219812061d0d753440d5655250c621c753ed1dc67d6154741607
imagePullPolicy: IfNotPresent
command:
Expand Down
9 changes: 9 additions & 0 deletions manifests/0000_50_olm_07-olm-operator.deployment.ibm-cloud-managed.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,11 @@ spec:
annotations:
target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
spec:
securityContext:
runAsNonRoot: true
runAsUser: 65534
seccompProfile:
type: RuntimeDefault
serviceAccountName: olm-operator-serviceaccount
volumes:
- name: srv-cert
Expand All @@ -31,6 +36,10 @@ spec:
secretName: pprof-cert
containers:
- name: olm-operator
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
volumeMounts:
- name: srv-cert
mountPath: "/srv-cert"
Expand Down
9 changes: 9 additions & 0 deletions manifests/0000_50_olm_07-olm-operator.deployment.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,11 @@ spec:
annotations:
target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
spec:
securityContext:
runAsNonRoot: true
runAsUser: 65534
seccompProfile:
type: RuntimeDefault
serviceAccountName: olm-operator-serviceaccount
volumes:
- name: srv-cert
Expand All @@ -31,6 +36,10 @@ spec:
secretName: pprof-cert
containers:
- name: olm-operator
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
volumeMounts:
- name: srv-cert
mountPath: "/srv-cert"
Expand Down
9 changes: 9 additions & 0 deletions manifests/0000_50_olm_08-catalog-operator.deployment.ibm-cloud-managed.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,11 @@ spec:
annotations:
target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
spec:
securityContext:
runAsNonRoot: true
runAsUser: 65534
seccompProfile:
type: RuntimeDefault
serviceAccountName: olm-operator-serviceaccount
volumes:
- name: srv-cert
Expand All @@ -31,6 +36,10 @@ spec:
secretName: pprof-cert
containers:
- name: catalog-operator
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
volumeMounts:
- name: srv-cert
mountPath: "/srv-cert"
Expand Down
9 changes: 9 additions & 0 deletions manifests/0000_50_olm_08-catalog-operator.deployment.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,11 @@ spec:
annotations:
target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
spec:
securityContext:
runAsNonRoot: true
runAsUser: 65534
seccompProfile:
type: RuntimeDefault
serviceAccountName: olm-operator-serviceaccount
volumes:
- name: srv-cert
Expand All @@ -31,6 +36,10 @@ spec:
secretName: pprof-cert
containers:
- name: catalog-operator
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
volumeMounts:
- name: srv-cert
mountPath: "/srv-cert"
Expand Down
9 changes: 9 additions & 0 deletions pkg/manifests/csv.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -88,6 +88,11 @@ spec:
target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
creationTimestamp: null
spec:
securityContext:
runAsNonRoot: true
runAsUser: 65534
seccompProfile:
type: RuntimeDefault
serviceAccountName: olm-operator-serviceaccount
nodeSelector:
kubernetes.io/os: linux
Expand All @@ -106,6 +111,10 @@ spec:
tolerationSeconds: 120
containers:
- name: packageserver
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
command:
- /bin/package-server
- -v=4
Expand Down
18 changes: 18 additions & 0 deletions scripts/generate_crds_manifests.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -114,10 +114,19 @@ spec:
labels:
app: package-server-manager
spec:
securityContext:
runAsNonRoot: true
runAsUser: 65534
seccompProfile:
type: RuntimeDefault
serviceAccountName: olm-operator-serviceaccount
priorityClassName: "system-cluster-critical"
containers:
- name: package-server-manager
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
command:
- /bin/psm
- start
Expand Down Expand Up @@ -262,10 +271,19 @@ spec:
spec:
template:
spec:
securityContext:
runAsNonRoot: true
runAsUser: 65534
seccompProfile:
type: RuntimeDefault
serviceAccountName: collect-profiles
priorityClassName: openshift-user-critical
containers:
- name: collect-profiles
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
image: quay.io/operator-framework/olm@sha256:de396b540b82219812061d0d753440d5655250c621c753ed1dc67d6154741607
imagePullPolicy: IfNotPresent
command:
Expand Down
9 changes: 9 additions & 0 deletions ...ator-lifecycle-manager/deploy/chart/templates/0000_50_olm_07-olm-operator.deployment.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,11 @@ spec:
labels:
app: olm-operator
spec:
securityContext:
runAsNonRoot: true
runAsUser: 65534
seccompProfile:
type: RuntimeDefault
Comment on lines +20 to +24
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Making direct changes to the staging/* directories without attaching metadata as a commit trailer will result in the verify prowjob to unfortunately fail.

We'd either need to introduce this changes to OLM, and cherrypick the upstream commit here to make the verify check happy, or inject these securityContext blocks as downstream-only changes. I think my preference would be to push through the latter right now.

serviceAccountName: olm-operator-serviceaccount
{{- if or .Values.olm.tlsSecret .Values.olm.clientCASecret }}
volumes:
Expand All @@ -33,6 +38,10 @@ spec:
{{- end }}
containers:
- name: olm-operator
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
{{- if or .Values.olm.tlsSecret .Values.olm.clientCASecret }}
volumeMounts:
{{- end }}
Expand Down
9 changes: 9 additions & 0 deletions ...-lifecycle-manager/deploy/chart/templates/0000_50_olm_08-catalog-operator.deployment.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,11 @@ spec:
labels:
app: catalog-operator
spec:
securityContext:
runAsNonRoot: true
runAsUser: 65534
seccompProfile:
type: RuntimeDefault
serviceAccountName: olm-operator-serviceaccount
{{- if or .Values.catalog.tlsSecret .Values.catalog.clientCASecret }}
volumes:
Expand All @@ -33,6 +38,10 @@ spec:
{{- end }}
containers:
- name: catalog-operator
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
{{- if or .Values.catalog.tlsSecret .Values.catalog.clientCASecret }}
volumeMounts:
{{- end }}
Expand Down
9 changes: 9 additions & 0 deletions ...ing/operator-lifecycle-manager/deploy/chart/templates/_packageserver.deployment-spec.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,11 @@ spec:
labels:
app: packageserver
spec:
securityContext:
runAsNonRoot: true
runAsUser: 65534
seccompProfile:
type: RuntimeDefault
serviceAccountName: olm-operator-serviceaccount
{{- if .Values.package.nodeSelector }}
nodeSelector:
Expand All @@ -25,6 +30,10 @@ spec:
{{- end }}
containers:
- name: packageserver
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
command:
- /bin/package-server
- -v=4
Expand Down