Merge pull request ManageIQ#928 from bdunne/security_context
Apply a default security context to the containers
Fryguy authored Jan 10, 2023
2 parents 9c60cf1 + 1555870 commit a0068ee
Showing 7 changed files with 23 additions and 0 deletions.
Expand Up @@ -440,6 +440,7 @@ func HttpdDeployment(client client.Client, cr *miqv1alpha1.ManageIQ, scheme *run
}
addAnnotations(cr.Spec.AppAnnotations, &deployment.Spec.Template.ObjectMeta)
deployment.Spec.Template.Spec.Containers = []corev1.Container{container}
deployment.Spec.Template.Spec.Containers[0].SecurityContext = DefaultSecurityContext()

configMapVolumeSource := corev1.ConfigMapVolumeSource{LocalObjectReference: corev1.LocalObjectReference{Name: "httpd-configs"}}
deployment.Spec.Template.Spec.Volumes = addOrUpdateVolume(deployment.Spec.Template.Spec.Volumes, corev1.Volume{Name: "httpd-config", VolumeSource: corev1.VolumeSource{ConfigMap: &configMapVolumeSource}})
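Review bot: The security context is attached through `Containers[0]` immediately after the slice is built from the single `container` value, so setting `container.SecurityContext = DefaultSecurityContext()` before the slice literal would read more directly and not depend on the index; the same pattern is repeated in the Kafka, Zookeeper, memcached and PostgreSQL hunks. Any init containers or additional containers these pod templates carry would not receive the context, and no pod-level SecurityContext is set, so coverage rests on each call site remembering the assignment; a single helper that ranges over the template's containers would keep future additions in scope. HttpdDeployment starts and ends outside this hunk.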
Expand Up @@ -297,6 +297,7 @@ func KafkaDeployment(cr *miqv1alpha1.ManageIQ, scheme *runtime.Scheme) (*appsv1.
Type: "Recreate",
}
deployment.Spec.Template.Spec.Containers = []corev1.Container{container}
deployment.Spec.Template.Spec.Containers[0].SecurityContext = DefaultSecurityContext()
deployment.Spec.Template.Spec.ServiceAccountName = defaultServiceAccountName(cr.Spec.AppName)
var termSecs int64 = 10
deployment.Spec.Template.Spec.TerminationGracePeriodSeconds = &termSecs
Expand Down Expand Up @@ -381,6 +382,7 @@ func ZookeeperDeployment(cr *miqv1alpha1.ManageIQ, scheme *runtime.Scheme) (*app
}
addAnnotations(cr.Spec.AppAnnotations, &deployment.Spec.Template.ObjectMeta)
deployment.Spec.Template.Spec.Containers = []corev1.Container{container}
deployment.Spec.Template.Spec.Containers[0].SecurityContext = DefaultSecurityContext()
deployment.Spec.Template.Spec.ServiceAccountName = defaultServiceAccountName(cr.Spec.AppName)
deployment.Spec.Template.Spec.Volumes = []corev1.Volume{
corev1.Volume{
Expand Up @@ -94,6 +94,7 @@ func NewMemcachedDeployment(cr *miqv1alpha1.ManageIQ, scheme *runtime.Scheme, cl
}
addAnnotations(cr.Spec.AppAnnotations, &deployment.Spec.Template.ObjectMeta)
deployment.Spec.Template.Spec.Containers = []corev1.Container{container}
deployment.Spec.Template.Spec.Containers[0].SecurityContext = DefaultSecurityContext()
deployment.Spec.Template.Spec.ServiceAccountName = defaultServiceAccountName(cr.Spec.AppName)

addInternalCertificate(cr, deployment, client, "memcached", "/root")
Expand Up @@ -20,6 +20,7 @@ func ManageOperator(cr *miqv1alpha1.ManageIQ, client client.Client) (*appsv1.Dep
addAppLabel(cr.Spec.AppName, &deployment.ObjectMeta)
addAppLabel(cr.Spec.AppName, &deployment.Spec.Template.ObjectMeta)
addBackupLabel(cr.Spec.BackupLabelName, &deployment.ObjectMeta)
deployment.Spec.Template.Spec.Containers[0].SecurityContext = DefaultSecurityContext()

return nil
}
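Review bot: `deployment.Spec.Template.Spec.Containers[0]` is indexed here without the slice being populated anywhere in this hunk; if ManageOperator is handed a deployment whose PodSpec has no containers this line panics, and it also unconditionally replaces whatever SecurityContext the existing deployment object already carries. A guard such as `if len(deployment.Spec.Template.Spec.Containers) > 0 { ... }`, or returning an error when the slice is empty, would make the failure explicit. The same index-without-check appears in the OrchestratorDeployment hunk, though that function already indexes `Containers[0]` on the preceding line. ManageOperator's body begins outside the hunk, so the slice may well be populated earlier.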
Expand Up @@ -315,6 +315,7 @@ func OrchestratorDeployment(cr *miqv1alpha1.ManageIQ, scheme *runtime.Scheme, cl

updateOrchestratorEnv(cr, &deployment.Spec.Template.Spec.Containers[0])
deployment.Spec.Template.Spec.Containers[0].Image = cr.Spec.OrchestratorImage
deployment.Spec.Template.Spec.Containers[0].SecurityContext = DefaultSecurityContext()

addInternalRootCertificate(cr, deployment, client)

Expand Up @@ -278,6 +278,7 @@ func PostgresqlDeployment(cr *miqv1alpha1.ManageIQ, client client.Client, scheme
}
addAnnotations(cr.Spec.AppAnnotations, &deployment.Spec.Template.ObjectMeta)
deployment.Spec.Template.Spec.Containers = []corev1.Container{container}
deployment.Spec.Template.Spec.Containers[0].SecurityContext = DefaultSecurityContext()
deployment.Spec.Template.Spec.ServiceAccountName = defaultServiceAccountName(cr.Spec.AppName)
deployment.Spec.Template.Spec.Volumes = []corev1.Volume{
corev1.Volume{
16 changes: 16 additions & 0 deletions manageiq-operator/api/v1alpha1/helpers/miq-components/util.go
Expand Up @@ -174,3 +174,19 @@ func addOrUpdateVolume(volumes []corev1.Volume, volume corev1.Volume) []corev1.V

return volumes
}

func DefaultSecurityContext() *corev1.SecurityContext {
dropCapability := []corev1.Capability{"ALL"}
varFalse := false
varTrue := true
sc := &corev1.SecurityContext{
AllowPrivilegeEscalation: &varFalse,
Privileged: &varFalse,
Capabilities: &corev1.Capabilities{
Drop: dropCapability,
},
RunAsNonRoot: &varTrue,
}

return sc
}
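Review bot: DefaultSecurityContext sets RunAsNonRoot without RunAsUser, so every image the seven call sites cover is relied on to declare a numeric non-root USER; an image whose USER is root, unset, or a name rather than a UID is rejected by the kubelet at container creation instead of at admission, which is worth confirming per image (the memcached call site passes `/root` as a path, which may hint that at least one image needs checking). The context also omits the two fields the restricted Pod Security Standard additionally expects: `SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault}` is safe to add here, while ReadOnlyRootFilesystem needs per-image verification of write paths before it is turned on. AllowPrivilegeEscalation and Privileged share the single `&varFalse` address, so a caller that later flips one through the pointer silently flips the other; give each field its own variable. The exported function has no doc comment; `// DefaultSecurityContext returns the restrictive container SecurityContext applied to every ManageIQ component: no privilege escalation, not privileged, all capabilities dropped, must run as non-root.`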
