From 23b15aff764fb07ca0dbbff9e94933c54dc0cde3 Mon Sep 17 00:00:00 2001
From: Ratnakar
Date: Mon, 11 Mar 2024 10:52:27 -0400
Subject: [PATCH] Disable unshare in the pod containers (#179)
Signed-off-by: asararatnakar
---
 ...bric-opensource-operator.clusterserviceversion.yaml | 2 ++
 config/manager/manager.yaml | 2 ++
 ...bric-opensource-operator.clusterserviceversion.yaml | 2 ++
 definitions/ca/deployment.yaml | 2 ++
 definitions/console/deployment.yaml | 6 ++++++
 definitions/orderer/deployment.yaml | 4 ++++
 definitions/peer/chaincode-launcher.yaml | 2 ++
 definitions/peer/couchdb.yaml | 2 ++
 definitions/peer/deployment.yaml | 6 ++++++
 pkg/offering/base/ca/override/deployment.go | 4 ++++
 pkg/offering/base/console/override/deployment.go | 5 +++++
 pkg/offering/base/orderer/override/deployment.go | 4 ++++
 pkg/offering/base/peer/override/deployment.go | 5 +++++
 pkg/offering/common/override.go | 10 ++++++++++
 14 files changed, 56 insertions(+)
diff --git a/bundle/manifests/fabric-opensource-operator.clusterserviceversion.yaml b/bundle/manifests/fabric-opensource-operator.clusterserviceversion.yaml
index b36b41d1..1df370ca 100644
--- a/bundle/manifests/fabric-opensource-operator.clusterserviceversion.yaml
+++ b/bundle/manifests/fabric-opensource-operator.clusterserviceversion.yaml
@@ -1837,6 +1837,8 @@ spec:
 ephemeral-storage: 100Mi
 memory: 200Mi
 securityContext:
+ seccompProfile:
+ type: RuntimeDefault
 allowPrivilegeEscalation: false
 capabilities:
 add:
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
index 61c2b02d..ae2180eb 100644
--- a/config/manager/manager.yaml
+++ b/config/manager/manager.yaml
@@ -98,6 +98,8 @@ spec:
 memory: 200Mi
 ephemeral-storage: 100Mi
 securityContext:
+ seccompProfile:
+ type: RuntimeDefault
 allowPrivilegeEscalation: false
 capabilities:
 add:
diff --git a/config/manifests/bases/fabric-opensource-operator.clusterserviceversion.yaml b/config/manifests/bases/fabric-opensource-operator.clusterserviceversion.yaml
index 5c58efbf..35b7f2a2 100644
--- a/config/manifests/bases/fabric-opensource-operator.clusterserviceversion.yaml
+++ b/config/manifests/bases/fabric-opensource-operator.clusterserviceversion.yaml
@@ -1834,6 +1834,8 @@ spec:
 ephemeral-storage: 100Mi
 memory: 200Mi
 securityContext:
+ seccompProfile:
+ type: RuntimeDefault
 allowPrivilegeEscalation: false
 capabilities:
 add:
diff --git a/definitions/ca/deployment.yaml b/definitions/ca/deployment.yaml
index 7522edf4..5bf00f9a 100644
--- a/definitions/ca/deployment.yaml
+++ b/definitions/ca/deployment.yaml
@@ -74,6 +74,8 @@ spec:
 ephemeral-storage: 100M
 memory: 100Mi
 securityContext:
+ seccompProfile:
+ type: RuntimeDefault
 allowPrivilegeEscalation: false
 capabilities:
 add:
diff --git a/definitions/console/deployment.yaml b/definitions/console/deployment.yaml
index c62800ef..98514e7d 100644
--- a/definitions/console/deployment.yaml
+++ b/definitions/console/deployment.yaml
@@ -62,6 +62,8 @@ spec:
 ephemeral-storage: 100M
 memory: 1000Mi
 securityContext:
+ seccompProfile:
+ type: RuntimeDefault
 allowPrivilegeEscalation: false
 capabilities:
 add:
@@ -110,6 +112,8 @@ spec:
 ephemeral-storage: 100M
 memory: 200Mi
 securityContext:
+ seccompProfile:
+ type: RuntimeDefault
 allowPrivilegeEscalation: false
 capabilities:
 add:
@@ -160,6 +164,8 @@ spec:
 ephemeral-storage: 100M
 memory: 50Mi
 securityContext:
+ seccompProfile:
+ type: RuntimeDefault
 allowPrivilegeEscalation: false
 capabilities:
 add:
diff --git a/definitions/orderer/deployment.yaml b/definitions/orderer/deployment.yaml
index a5cc1bde..38b30c58 100644
--- a/definitions/orderer/deployment.yaml
+++ b/definitions/orderer/deployment.yaml
@@ -72,6 +72,8 @@ spec:
 ephemeral-storage: 100M
 memory: 100Mi
 securityContext:
+ seccompProfile:
+ type: RuntimeDefault
 allowPrivilegeEscalation: false
 capabilities:
 add:
@@ -165,6 +167,8 @@ spec:
 ephemeral-storage: 100M
 memory: 100Mi
 securityContext:
+ seccompProfile:
+ type: RuntimeDefault
 capabilities:
 add:
 - NET_BIND_SERVICE
diff --git a/definitions/peer/chaincode-launcher.yaml b/definitions/peer/chaincode-launcher.yaml
index ac880f4c..fc60fa3e 100644
--- a/definitions/peer/chaincode-launcher.yaml
+++ b/definitions/peer/chaincode-launcher.yaml
@@ -18,6 +18,8 @@ name: "chaincode-launcher"
 imagePullPolicy: Always
 securityContext:
+ seccompProfile:
+ type: RuntimeDefault
 privileged: false
 readOnlyRootFileSystem: false
 runAsGroup: 7051
diff --git a/definitions/peer/couchdb.yaml b/definitions/peer/couchdb.yaml
index 8e40dd58..eff94a7f 100644
--- a/definitions/peer/couchdb.yaml
+++ b/definitions/peer/couchdb.yaml
@@ -19,6 +19,8 @@ name: "couchdb"
 image: ""
 imagePullPolicy: Always
 securityContext:
+ seccompProfile:
+ type: RuntimeDefault
 privileged: false
 readOnlyRootFileSystem: false
 runAsGroup: 5984
diff --git a/definitions/peer/deployment.yaml b/definitions/peer/deployment.yaml
index 8df7b2d8..aa21f038 100644
--- a/definitions/peer/deployment.yaml
+++ b/definitions/peer/deployment.yaml
@@ -59,6 +59,8 @@ spec:
 cpu: 500m
 memory: 1000M
 securityContext:
+ seccompProfile:
+ type: RuntimeDefault
 allowPrivilegeEscalation: true
 capabilities:
 add:
@@ -136,6 +138,8 @@ spec:
 cpu: 200m
 memory: 400M
 securityContext:
+ seccompProfile:
+ type: RuntimeDefault
 allowPrivilegeEscalation: false
 capabilities:
 add:
@@ -218,6 +222,8 @@ spec:
 cpu: 100m
 memory: 200M
 securityContext:
+ seccompProfile:
+ type: RuntimeDefault
 allowPrivilegeEscalation: false
 capabilities:
 add:
diff --git a/pkg/offering/base/ca/override/deployment.go b/pkg/offering/base/ca/override/deployment.go
index 4e9077da..6773852b 100644
--- a/pkg/offering/base/ca/override/deployment.go
+++ b/pkg/offering/base/ca/override/deployment.go
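Review bot: The peer container block at `@@ -59,6 +59,8 @@` in definitions/peer/deployment.yaml is the only place in this commit where the new `seccompProfile: RuntimeDefault` is added next to `allowPrivilegeEscalation: true`; the profile still filters syscalls there, but no_new_privs is not set, so a one-line comment on why the peer container needs escalation (for example `# allowPrivilegeEscalation stays true: <reason> — TODO confirm still required`) would save the next reviewer re-deriving it. The orderer block at `@@ -165,6 +167,8 @@` in definitions/orderer/deployment.yaml shows no `allowPrivilegeEscalation` line in the visible context; if it is not set further down that block, adding `allowPrivilegeEscalation: false` under the new profile would bring it in line with the other containers touched here. Both securityContext blocks continue outside their hunks.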
@@ -33,6 +33,7 @@ import (
 "github.com/IBM-Blockchain/fabric-operator/pkg/manager/resources/deployment"
 dep "github.com/IBM-Blockchain/fabric-operator/pkg/manager/resources/deployment"
 "github.com/IBM-Blockchain/fabric-operator/pkg/manager/resources/serviceaccount"
+ "github.com/IBM-Blockchain/fabric-operator/pkg/offering/common"
 "github.com/IBM-Blockchain/fabric-operator/pkg/util"
 appsv1 "k8s.io/api/apps/v1"
@@ -182,6 +183,9 @@ func (o *Override) CommonDeployment(instance *current.IBPCA, deployment *dep.Dep
 deployment.SetReplicas(instance.Spec.Replicas)
 }
+ // set seccompProfile to RuntimeDefault
+ common.GetPodSecurityContext(caCont)
+
 return nil
 }
diff --git a/pkg/offering/base/console/override/deployment.go b/pkg/offering/base/console/override/deployment.go
index b65add0b..252089bb 100644
--- a/pkg/offering/base/console/override/deployment.go
+++ b/pkg/offering/base/console/override/deployment.go
@@ -319,6 +319,11 @@ func (o *Override) CommonDeployment(instance *current.IBPConsole, deployment *de
 }
 init.SetCommand([]string{"sh", "-c", initCommand})
+ // set seccompProfile to RuntimeDefault
+ common.GetPodSecurityContext(console)
+ common.GetPodSecurityContext(deployer)
+ common.GetPodSecurityContext(configtxlator)
+
 return nil
 }
diff --git a/pkg/offering/base/orderer/override/deployment.go b/pkg/offering/base/orderer/override/deployment.go
index 35a97a1b..45c60c0c 100644
--- a/pkg/offering/base/orderer/override/deployment.go
+++ b/pkg/offering/base/orderer/override/deployment.go
@@ -317,6 +317,10 @@ func (o *Override) CommonDeploymentOverrides(instance *current.IBPOrderer, deplo
 deployment.UpdateContainer(grpcProxy)
 deployment.UpdateInitContainer(initCont)
+ // set seccompProfile to RuntimeDefault
+ common.GetPodSecurityContext(orderer)
+ common.GetPodSecurityContext(grpcProxy)
+
 return nil
 }
diff --git a/pkg/offering/base/peer/override/deployment.go b/pkg/offering/base/peer/override/deployment.go
index 49ce5d6d..9fd49162 100644
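Review bot: In the orderer hunk the new `common.GetPodSecurityContext(orderer)` / `common.GetPodSecurityContext(grpcProxy)` calls run after `deployment.UpdateContainer(grpcProxy)` (and, presumably, after the orderer container's own update above the hunk) has already written those containers into the pod spec, so whether the seccomp profile reaches the rendered Deployment depends on UpdateContainer keeping a reference to the same SecurityContext rather than copying it, which nothing in view establishes; the peer hunk in pkg/offering/base/peer/override/deployment.go has the same ordering after `deployment.UpdateContainer(peerContainer)` and `deployment.UpdateContainer(grpcContainer)`. Moving the two `GetPodSecurityContext` calls above the `UpdateContainer` lines removes the dependency in both places and is behaviour-neutral if the copy is shallow. The ca and console hunks show no UpdateContainer call in view, so the same check is worth doing there. The comment could also state the intent rather than the mechanism, e.g. `// Apply the RuntimeDefault seccomp profile so the container cannot call unshare and the other syscalls the runtime profile denies (#179)`. CommonDeploymentOverrides begins outside the hunk.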
--- a/pkg/offering/base/peer/override/deployment.go
+++ b/pkg/offering/base/peer/override/deployment.go
@@ -756,6 +756,11 @@ func (o *Override) CommonDeploymentOverrides(instance *current.IBPPeer, deployme
 deployment.UpdateContainer(peerContainer)
 deployment.UpdateContainer(grpcContainer)
+
+ // set seccompProfile to RuntimeDefault
+ common.GetPodSecurityContext(peerContainer)
+ common.GetPodSecurityContext(grpcContainer)
+
 return nil
 }
diff --git a/pkg/offering/common/override.go b/pkg/offering/common/override.go
index 29a4e941..d6ee83f9 100644
--- a/pkg/offering/common/override.go
+++ b/pkg/offering/common/override.go
@@ -19,6 +19,7 @@ package common
 import (
+ container "github.com/IBM-Blockchain/fabric-operator/pkg/manager/resources/container"
 corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
@@ -106,3 +107,12 @@ func GetPodAntiAffinity(orgName string) *corev1.PodAntiAffinity {
 },
 }
 }
+
+func GetPodSecurityContext(con container.Container) {
+ secContext := con.SecurityContext
+ if secContext.SeccompProfile == nil {
+ secContext.SeccompProfile = &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ }
+ }
+}
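Review bot: `GetPodSecurityContext` reads `secContext.SeccompProfile` without checking that `con.SecurityContext` is non-nil, so any container that reaches it without a securityContext (the YAML definitions in this commit all set one, but the function is exported and the Go callers pass whatever the override built) would panic inside the reconcile loop; a guard such as `if con.SecurityContext == nil { con.SecurityContext = &corev1.SecurityContext{} }` before the existing check closes that, assuming `container.Container` carries the spec by pointer so the assignment is seen by the caller — the hunk does not show the type, so confirm. The name and signature also mislead: it is a container-level setter with no return, not a pod-level getter, so a doc comment is needed at minimum, e.g. `// GetPodSecurityContext sets the container's seccomp profile to RuntimeDefault when none is configured; an explicitly configured profile (including Unconfined) is left untouched.` That last clause is worth a deliberate decision, since the commit's goal of blocking unshare is not met for a container whose CR or definition already sets a different profile.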