(psa) make workloads compatible with psa:restricted profile

With the introduction of [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/#pod-security-admission-labels-for-namespaces), the reccomeneded
best practice is to enforce the Restricted policy of admission (see [1] for more details).
This PR
*) Lables the olm namespace as `enforce:restricted`
*) Labels the operators namespace as `enforce:baseline` (to allow existing CSV deployments
without securityContext set to deploy in the namespace, which won't be possible with
`enforce:resticted`)
*) updates the securityContext of olm workload pods(olm-operator, catalog-operator,
and CatalogSource registry pods) to adhere to the `Restricted` policy.
*) updates the bundle unpacking job to create a pod that adheres to the `Restricted` policy,
so that bundles can be unpacked in the `Restricted` namespace.

Signed-off-by: Anik Bhattacharjee <[email protected]>

Author: anik120

Dockerfile

@@ -33,6 +33,7 @@ COPY --from=builder /build/bin/olm /bin/olm
 COPY --from=builder /build/bin/catalog /bin/catalog
 COPY --from=builder /build/bin/package-server /bin/package-server
 COPY --from=builder /build/bin/cpb /bin/cpb
+USER 1001
 EXPOSE 8080
 EXPOSE 5443
 CMD ["/bin/olm"]

Dockerfile.goreleaser

@@ -10,4 +10,5 @@ COPY package-server /bin/package-server
 COPY cpb /bin/cpb
 EXPOSE 8080
 EXPOSE 5443
+USER 1001
 ENTRYPOINT ["/bin/olm"]

cmd/catalog/main.go

@@ -30,6 +30,7 @@ const (
 	defaultOPMImage             = "quay.io/operator-framework/upstream-opm-builder:latest"
 	defaultUtilImage            = "quay.io/operator-framework/olm:latest"
 	defaultOperatorName         = ""
+	defaultWorkLoadUserID       = int64(1001)
 )
 
 // config flags defined globally so that they appear on the test binary as well
@@ -83,6 +84,10 @@ func (o *options) run(ctx context.Context, logger *logrus.Logger) error {
 		return fmt.Errorf("error configuring client: %s", err.Error())
 	}
 
+	workloadUserID := int64(-1)
+	if o.setWorkloadUserID {
+		workloadUserID = defaultWorkLoadUserID
+	}
 	// TODO(tflannag): Use options pattern for catalog operator
 	// Create a new instance of the operator.
 	op, err := catalog.NewOperator(
@@ -98,6 +103,7 @@ func (o *options) run(ctx context.Context, logger *logrus.Logger) error {
 		k8sscheme.Scheme,
 		o.installPlanTimeout,
 		o.bundleUnpackTimeout,
+		workloadUserID,
 	)
 	if err != nil {
 		return fmt.Errorf("error configuring catalog operator: %s", err.Error())

cmd/catalog/start.go

@@ -25,6 +25,7 @@ type options struct {
 	tlsKeyPath           string
 	tlsCertPath          string
 	clientCAPath         string
+	setWorkloadUserID    bool
 
 	installPlanTimeout  time.Duration
 	bundleUnpackTimeout time.Duration
@@ -66,6 +67,7 @@ func newRootCmd() *cobra.Command {
 	cmd.Flags().StringVar(&o.opmImage, "opmImage", defaultOPMImage, "the image to use for unpacking bundle content with opm")
 	cmd.Flags().StringVar(&o.utilImage, "util-image", defaultUtilImage, "an image containing custom olm utilities")
 	cmd.Flags().StringVar(&o.writeStatusName, "writeStatusName", defaultOperatorName, "ClusterOperator name in which to write status, set to \"\" to disable.")
+	cmd.Flags().BoolVar(&o.setWorkloadUserID, "set-workload-user-id", false, "set user ID for all workloads (registry pods/bundle unpack jobs to default 1001")
 
 	cmd.Flags().BoolVar(&o.debug, "debug", false, "use debug log level")
 	cmd.Flags().BoolVar(&o.version, "version", false, "displays the olm version")

deploy/chart/templates/0000_50_olm_00-namespace.yaml

@@ -2,9 +2,15 @@ apiVersion: v1
 kind: Namespace
 metadata:
   name: {{ .Values.namespace }}
+  labels: 
+    pod-security.kubernetes.io/enforce: restricted
+    pod-security.kubernetes.io/enforce-version: latest
 
 ---
 apiVersion: v1
 kind: Namespace
 metadata:
   name: {{ .Values.operator_namespace }}
+  labels:
+    pod-security.kubernetes.io/enforce: baseline
+    pod-security.kubernetes.io/enforce-version: latest

deploy/chart/templates/0000_50_olm_07-olm-operator.deployment.yaml

@@ -17,6 +17,10 @@ spec:
       labels:
         app: olm-operator
     spec:
+      securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
       serviceAccountName: olm-operator-serviceaccount
       {{- if or .Values.olm.tlsSecret .Values.olm.clientCASecret }}
       volumes: 
@@ -33,6 +37,10 @@ spec:
       {{- end }}
       containers:
         - name: olm-operator
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop: [ "ALL" ]
           {{- if or .Values.olm.tlsSecret .Values.olm.clientCASecret }}
           volumeMounts:
           {{- end }}

deploy/chart/templates/0000_50_olm_08-catalog-operator.deployment.yaml

@@ -17,6 +17,10 @@ spec:
       labels:
         app: catalog-operator
     spec:
+      securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
       serviceAccountName: olm-operator-serviceaccount
       {{- if or .Values.catalog.tlsSecret .Values.catalog.clientCASecret }}
       volumes:
@@ -33,6 +37,10 @@ spec:
       {{- end }}
       containers:
         - name: catalog-operator
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop: [ "ALL" ]
           {{- if or .Values.catalog.tlsSecret .Values.catalog.clientCASecret }}
           volumeMounts:
           {{- end }}
@@ -76,6 +84,8 @@ spec:
           - --client-ca
           - /profile-collector-cert/tls.crt
           {{- end }}
+          - --set-workload-user-id
+          - "true"
           image: {{ .Values.catalog.image.ref }}
           imagePullPolicy: {{ .Values.catalog.image.pullPolicy }}
           ports:

deploy/chart/templates/_packageserver.deployment-spec.yaml

@@ -14,6 +14,10 @@ spec:
       labels:
         app: packageserver
     spec:
+      securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
       serviceAccountName: olm-operator-serviceaccount
       {{- if .Values.package.nodeSelector }}
       nodeSelector:
@@ -25,6 +29,10 @@ spec:
       {{- end }}
       containers:
       - name: packageserver
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop: [ "ALL" ]
         command:
         - /bin/package-server
         - -v=4
@@ -61,10 +69,6 @@ spec:
         resources:
 {{ toYaml .Values.package.resources | indent 10 }}
         {{- end }}
-        {{- if .Values.package.securityContext }}
-        securityContext:
-          runAsUser: {{ .Values.package.securityContext.runAsUser }}
-        {{- end }}
         volumeMounts:
         - name: tmpfs
           mountPath: /tmp

e2e.Dockerfile

@@ -3,4 +3,5 @@ FROM busybox
 COPY olm catalog package-server wait cpb /bin/
 EXPOSE 8080
 EXPOSE 5443
+USER 1001
 CMD ["/bin/olm"]

pkg/controller/bundle/bundle_unpacker.go

@@ -22,6 +22,7 @@ import (
 	listersbatchv1 "k8s.io/client-go/listers/batch/v1"
 	listerscorev1 "k8s.io/client-go/listers/core/v1"
 	listersrbacv1 "k8s.io/client-go/listers/rbac/v1"
+	"k8s.io/utils/pointer"
 
 	"github.com/operator-framework/api/pkg/operators/reference"
 	operatorsv1alpha1 "github.com/operator-framework/api/pkg/operators/v1alpha1"
@@ -101,6 +102,11 @@ func (c *ConfigMapUnpacker) job(cmRef *corev1.ObjectReference, bundlePath string
 					// See: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy
 					RestartPolicy:    corev1.RestartPolicyNever,
 					ImagePullSecrets: secrets,
+					SecurityContext: &corev1.PodSecurityContext{
+						SeccompProfile: &corev1.SeccompProfile{
+							Type: corev1.SeccompProfileTypeRuntimeDefault,
+						},
+					},
 					Containers: []corev1.Container{
 						{
 							Name:  "extract",
@@ -129,6 +135,12 @@ func (c *ConfigMapUnpacker) job(cmRef *corev1.ObjectReference, bundlePath string
 									corev1.ResourceMemory: resource.MustParse("50Mi"),
 								},
 							},
+							SecurityContext: &corev1.SecurityContext{
+								AllowPrivilegeEscalation: pointer.Bool(false),
+								Capabilities: &corev1.Capabilities{
+									Drop: []corev1.Capability{"ALL"},
+								},
+							},
 						},
 					},
 					InitContainers: []corev1.Container{
@@ -148,6 +160,12 @@ func (c *ConfigMapUnpacker) job(cmRef *corev1.ObjectReference, bundlePath string
 									corev1.ResourceMemory: resource.MustParse("50Mi"),
 								},
 							},
+							SecurityContext: &corev1.SecurityContext{
+								AllowPrivilegeEscalation: pointer.Bool(false),
+								Capabilities: &corev1.Capabilities{
+									Drop: []corev1.Capability{"ALL"},
+								},
+							},
 						},
 						{
 							Name:            "pull",
@@ -170,6 +188,12 @@ func (c *ConfigMapUnpacker) job(cmRef *corev1.ObjectReference, bundlePath string
 									corev1.ResourceMemory: resource.MustParse("50Mi"),
 								},
 							},
+							SecurityContext: &corev1.SecurityContext{
+								AllowPrivilegeEscalation: pointer.Bool(false),
+								Capabilities: &corev1.Capabilities{
+									Drop: []corev1.Capability{"ALL"},
+								},
+							},
 						},
 					},
 					Volumes: []corev1.Volume{
@@ -193,7 +217,10 @@ func (c *ConfigMapUnpacker) job(cmRef *corev1.ObjectReference, bundlePath string
 	job.SetNamespace(cmRef.Namespace)
 	job.SetName(cmRef.Name)
 	job.SetOwnerReferences([]metav1.OwnerReference{ownerRef(cmRef)})
-
+	if c.runAsUser > 0 {
+		job.Spec.Template.Spec.SecurityContext.RunAsUser = &c.runAsUser
+		job.Spec.Template.Spec.SecurityContext.RunAsNonRoot = pointer.Bool(true)
+	}
 	// By default the BackoffLimit is set to 6 which with exponential backoff 10s + 20s + 40s ...
 	// translates to ~10m of waiting time.
 	// We want to fail faster than that when we have repeated failures from the bundle unpack pod
@@ -246,6 +273,7 @@ type ConfigMapUnpacker struct {
 	loader        *configmap.BundleLoader
 	now           func() metav1.Time
 	unpackTimeout time.Duration
+	runAsUser     int64
 }
 
 type ConfigMapUnpackerOption func(*ConfigMapUnpacker)
@@ -335,6 +363,12 @@ func WithNow(now func() metav1.Time) ConfigMapUnpackerOption {
 	}
 }
 
+func WithUserID(id int64) ConfigMapUnpackerOption {
+	return func(unpacker *ConfigMapUnpacker) {
+		unpacker.runAsUser = id
+	}
+}
+
 func (c *ConfigMapUnpacker) apply(options ...ConfigMapUnpackerOption) {
 	for _, option := range options {
 		option(c)