WIP: placeholder

anik120 · anik120 · commit 1c4ab431e651 · 2022-07-22T19:28:48.000-04:00
diff --git a/deploy/chart/templates/0000_50_olm_00-namespace.yaml b/deploy/chart/templates/0000_50_olm_00-namespace.yaml
@@ -2,9 +2,13 @@ apiVersion: v1
 kind: Namespace
 metadata:
   name: {{ .Values.namespace }}
+  labels: 
+    pod-security.kubernetes.io/enforce: restricted
 
 ---
 apiVersion: v1
 kind: Namespace
 metadata:
   name: {{ .Values.operator_namespace }}
+  labels:
+    pod-security.kubernetes.io/enforce: restricted
diff --git a/deploy/chart/templates/0000_50_olm_07-olm-operator.deployment.yaml b/deploy/chart/templates/0000_50_olm_07-olm-operator.deployment.yaml
@@ -17,6 +17,13 @@ spec:
       labels:
         app: olm-operator
     spec:
+      securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
+        {{- if eq .Values.installType "upstream" }}
+        runAsUser: {{ .Values.package.securityContext.runAsUser }}
+        {{- end }}
       serviceAccountName: olm-operator-serviceaccount
       {{- if or .Values.olm.tlsSecret .Values.olm.clientCASecret }}
       volumes: 
@@ -33,6 +40,10 @@ spec:
       {{- end }}
       containers:
         - name: olm-operator
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop: [ "ALL" ]
           {{- if or .Values.olm.tlsSecret .Values.olm.clientCASecret }}
           volumeMounts:
           {{- end }}
diff --git a/deploy/chart/templates/0000_50_olm_08-catalog-operator.deployment.yaml b/deploy/chart/templates/0000_50_olm_08-catalog-operator.deployment.yaml
@@ -17,6 +17,13 @@ spec:
       labels:
         app: catalog-operator
     spec:
+      securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
+        {{- if eq .Values.installType "upstream" }}
+        runAsUser: {{ .Values.package.securityContext.runAsUser }}
+        {{- end }}
       serviceAccountName: olm-operator-serviceaccount
       {{- if or .Values.catalog.tlsSecret .Values.catalog.clientCASecret }}
       volumes:
@@ -33,6 +40,10 @@ spec:
       {{- end }}
       containers:
         - name: catalog-operator
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop: [ "ALL" ]
           {{- if or .Values.catalog.tlsSecret .Values.catalog.clientCASecret }}
           volumeMounts:
           {{- end }}
diff --git a/deploy/chart/templates/_packageserver.deployment-spec.yaml b/deploy/chart/templates/_packageserver.deployment-spec.yaml
@@ -14,6 +14,13 @@ spec:
       labels:
         app: packageserver
     spec:
+      securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
+        {{- if eq .Values.installType "upstream" }}
+        runAsUser: {{ .Values.package.securityContext.runAsUser }}
+        {{- end }}
       serviceAccountName: olm-operator-serviceaccount
       {{- if .Values.package.nodeSelector }}
       nodeSelector:
@@ -25,6 +32,10 @@ spec:
       {{- end }}
       containers:
       - name: packageserver
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop: [ "ALL" ]
         command:
         - /bin/package-server
         - -v=4
@@ -61,10 +72,6 @@ spec:
         resources:
 {{ toYaml .Values.package.resources | indent 10 }}
         {{- end }}
-        {{- if .Values.package.securityContext }}
-        securityContext:
-          runAsUser: {{ .Values.package.securityContext.runAsUser }}
-        {{- end }}
         volumeMounts:
         - name: tmpfs
           mountPath: /tmp
diff --git a/deploy/chart/values.yaml b/deploy/chart/values.yaml
@@ -53,6 +53,8 @@ package:
     internalPort: 5443
   nodeSelector:
     kubernetes.io/os: linux
+  securityContext: 
+    runAsUser: 1001
   resources:
     requests:
      cpu: 10m
diff --git a/pkg/controller/registry/reconciler/reconciler.go b/pkg/controller/registry/reconciler/reconciler.go
@@ -126,6 +126,9 @@ func Pod(source *operatorsv1alpha1.CatalogSource, name string, image string, saN
 	}
 
 	readOnlyRootFilesystem := false
+	allowPrivilegeEscalation := false
+	runAsNonRoot := true
+	runAsUser := int64(1001)
 
 	pod := &corev1.Pod{
 		ObjectMeta: metav1.ObjectMeta{
@@ -179,7 +182,11 @@ func Pod(source *operatorsv1alpha1.CatalogSource, name string, image string, saN
 						},
 					},
 					SecurityContext: &corev1.SecurityContext{
-						ReadOnlyRootFilesystem: &readOnlyRootFilesystem,
+						ReadOnlyRootFilesystem:   &readOnlyRootFilesystem,
+						AllowPrivilegeEscalation: &allowPrivilegeEscalation,
+						Capabilities: &corev1.Capabilities{
+							Drop: []corev1.Capability{"ALL"},
+						},
 					},
 					ImagePullPolicy:          pullPolicy,
 					TerminationMessagePolicy: corev1.TerminationMessageFallbackToLogsOnError,
@@ -188,6 +195,14 @@ func Pod(source *operatorsv1alpha1.CatalogSource, name string, image string, saN
 			NodeSelector: map[string]string{
 				"kubernetes.io/os": "linux",
 			},
+			SecurityContext: &corev1.PodSecurityContext{
+				RunAsNonRoot: &runAsNonRoot,
+				// WIP note: this needs to be delete in downstream code (SCC will assign a userID)
+				RunAsUser: &runAsUser,
+				SeccompProfile: &corev1.SeccompProfile{
+					Type: corev1.SeccompProfileTypeRuntimeDefault,
+				},
+			},
 			ServiceAccountName: saName,
 		},
 	}
