Update CatalogSource Pod security context

Signed-off-by: perdasilva <[email protected]>

Author: perdasilva

pkg/controller/registry/reconciler/reconciler.go

@@ -113,7 +113,13 @@ func Pod(source *operatorsv1alpha1.CatalogSource, name string, image string, saN
 		pullPolicy = corev1.PullAlways
 	}
 
+	// Security context
 	readOnlyRootFilesystem := false
+	allowPrivilegeEscalation := false
+	runAsNonRoot := true
+
+	// See: https://github.com/operator-framework/operator-registry/blob/master/Dockerfile#L27
+	runAsUser := int64(1001)
 
 	pod := &corev1.Pod{
 		ObjectMeta: metav1.ObjectMeta{
@@ -167,12 +173,23 @@ func Pod(source *operatorsv1alpha1.CatalogSource, name string, image string, saN
 						},
 					},
 					SecurityContext: &corev1.SecurityContext{
-						ReadOnlyRootFilesystem: &readOnlyRootFilesystem,
+						ReadOnlyRootFilesystem:   &readOnlyRootFilesystem,
+						AllowPrivilegeEscalation: &allowPrivilegeEscalation,
+						Capabilities: &corev1.Capabilities{
+							Drop: []corev1.Capability{"ALL"},
+						},
 					},
 					ImagePullPolicy:          pullPolicy,
 					TerminationMessagePolicy: corev1.TerminationMessageFallbackToLogsOnError,
 				},
 			},
+			SecurityContext: &corev1.PodSecurityContext{
+				RunAsNonRoot: &runAsNonRoot,
+				RunAsUser:    &runAsUser,
+				SeccompProfile: &corev1.SeccompProfile{
+					Type: corev1.SeccompProfileTypeRuntimeDefault,
+				},
+			},
 			NodeSelector: map[string]string{
 				"kubernetes.io/os": "linux",
 			},

pkg/controller/registry/reconciler/reconciler_test.go

@@ -79,8 +79,23 @@ func TestPullPolicy(t *testing.T) {
 
 func TestPodContainerSecurityContext(t *testing.T) {
 	expectedReadOnlyRootFilesystem := false
+	expectedAllowPrivilegeEscalation := false
+	expectedRunAsNonRoot := true
+	expectedRunAsUser := int64(1001)
+
 	expectedContainerSecCtx := &corev1.SecurityContext{
-		ReadOnlyRootFilesystem: &expectedReadOnlyRootFilesystem,
+		ReadOnlyRootFilesystem:   &expectedReadOnlyRootFilesystem,
+		AllowPrivilegeEscalation: &expectedAllowPrivilegeEscalation,
+		Capabilities: &corev1.Capabilities{
+			Drop: []corev1.Capability{"ALL"},
+		},
+	}
+	expectedPodSecCtx := &corev1.PodSecurityContext{
+		RunAsNonRoot: &expectedRunAsNonRoot,
+		RunAsUser:    &expectedRunAsUser,
+		SeccompProfile: &corev1.SeccompProfile{
+			Type: corev1.SeccompProfileTypeRuntimeDefault,
+		},
 	}
 
 	catsrc := &v1alpha1.CatalogSource{
@@ -92,7 +107,9 @@ func TestPodContainerSecurityContext(t *testing.T) {
 
 	gotPod := Pod(catsrc, "hello", "busybox", "", map[string]string{}, map[string]string{}, int32(0), int32(0))
 	gotContainerSecCtx := gotPod.Spec.Containers[0].SecurityContext
+	gotPodSecCtx := gotPod.Spec.SecurityContext
 	require.Equal(t, expectedContainerSecCtx, gotContainerSecCtx)
+	require.Equal(t, expectedPodSecCtx, gotPodSecCtx)
 }
 
 func TestPodSchedulingOverrides(t *testing.T) {