diff --git a/manageiq-operator/api/v1alpha1/helpers/miq-components/httpd.go b/manageiq-operator/api/v1alpha1/helpers/miq-components/httpd.go
index 4b04472a..6cc50db3 100644
--- a/manageiq-operator/api/v1alpha1/helpers/miq-components/httpd.go
+++ b/manageiq-operator/api/v1alpha1/helpers/miq-components/httpd.go
@@ -440,6 +440,7 @@ func HttpdDeployment(client client.Client, cr *miqv1alpha1.ManageIQ, scheme *run
 }
 addAnnotations(cr.Spec.AppAnnotations, &deployment.Spec.Template.ObjectMeta)
 deployment.Spec.Template.Spec.Containers = []corev1.Container{container}
+ deployment.Spec.Template.Spec.Containers[0].SecurityContext = DefaultSecurityContext()
 configMapVolumeSource := corev1.ConfigMapVolumeSource{LocalObjectReference: corev1.LocalObjectReference{Name: "httpd-configs"}}
 deployment.Spec.Template.Spec.Volumes = addOrUpdateVolume(deployment.Spec.Template.Spec.Volumes, corev1.Volume{Name: "httpd-config", VolumeSource: corev1.VolumeSource{ConfigMap: &configMapVolumeSource}})
diff --git a/manageiq-operator/api/v1alpha1/helpers/miq-components/kafka.go b/manageiq-operator/api/v1alpha1/helpers/miq-components/kafka.go
index 50993319..09b4456e 100644
--- a/manageiq-operator/api/v1alpha1/helpers/miq-components/kafka.go
+++ b/manageiq-operator/api/v1alpha1/helpers/miq-components/kafka.go
@@ -297,6 +297,7 @@ func KafkaDeployment(cr *miqv1alpha1.ManageIQ, scheme *runtime.Scheme) (*appsv1.
 Type: "Recreate",
 }
 deployment.Spec.Template.Spec.Containers = []corev1.Container{container}
+ deployment.Spec.Template.Spec.Containers[0].SecurityContext = DefaultSecurityContext()
 deployment.Spec.Template.Spec.ServiceAccountName = defaultServiceAccountName(cr.Spec.AppName)
 var termSecs int64 = 10
 deployment.Spec.Template.Spec.TerminationGracePeriodSeconds = &termSecs
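Review bot: Dropping ALL capabilities on the added line removes NET_BIND_SERVICE, so if this httpd container still binds 80 or 443 (the listen port comes from the httpd-configs ConfigMap and is not visible in the hunk) the process will fail at bind time. Either confirm the image listens on an unprivileged port or add the one capability back, `Capabilities: &corev1.Capabilities{Drop: []corev1.Capability{"ALL"}, Add: []corev1.Capability{"NET_BIND_SERVICE"}}`, which the restricted Pod Security Standard still permits. Since `container` is the only element of the slice assigned on the previous line, `container.SecurityContext = DefaultSecurityContext()` before the slice literal would avoid the `[0]` index and make it explicit that any context `container` was built with (outside the hunk) is replaced. HttpdDeployment starts and ends outside the hunk.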
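Review bot: `RunAsNonRoot: true` is applied to the Kafka container without a `RunAsUser`, so whether the pod starts now depends entirely on the image's USER directive: if the image runs as root, or names its user rather than giving a numeric UID, the kubelet refuses the container with CreateContainerConfigError instead of failing at runtime. The image reference is not visible in this hunk, so this should be verified against the Kafka image the operator pins. If the image needs a fixed UID, set it on the context explicitly (`sc.RunAsUser = &kafkaUID`) rather than relying on the image metadata. KafkaDeployment starts outside the hunk.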
@@ -381,6 +382,7 @@ func ZookeeperDeployment(cr *miqv1alpha1.ManageIQ, scheme *runtime.Scheme) (*app
 }
 addAnnotations(cr.Spec.AppAnnotations, &deployment.Spec.Template.ObjectMeta)
 deployment.Spec.Template.Spec.Containers = []corev1.Container{container}
+ deployment.Spec.Template.Spec.Containers[0].SecurityContext = DefaultSecurityContext()
 deployment.Spec.Template.Spec.ServiceAccountName = defaultServiceAccountName(cr.Spec.AppName)
 deployment.Spec.Template.Spec.Volumes = []corev1.Volume{
 corev1.Volume{
diff --git a/manageiq-operator/api/v1alpha1/helpers/miq-components/memcached.go b/manageiq-operator/api/v1alpha1/helpers/miq-components/memcached.go
index 3bc18efc..3d369567 100644
--- a/manageiq-operator/api/v1alpha1/helpers/miq-components/memcached.go
+++ b/manageiq-operator/api/v1alpha1/helpers/miq-components/memcached.go
@@ -94,6 +94,7 @@ func NewMemcachedDeployment(cr *miqv1alpha1.ManageIQ, scheme *runtime.Scheme, cl
 }
 addAnnotations(cr.Spec.AppAnnotations, &deployment.Spec.Template.ObjectMeta)
 deployment.Spec.Template.Spec.Containers = []corev1.Container{container}
+ deployment.Spec.Template.Spec.Containers[0].SecurityContext = DefaultSecurityContext()
 deployment.Spec.Template.Spec.ServiceAccountName = defaultServiceAccountName(cr.Spec.AppName)
 addInternalCertificate(cr, deployment, client, "memcached", "/root")
diff --git a/manageiq-operator/api/v1alpha1/helpers/miq-components/operator.go b/manageiq-operator/api/v1alpha1/helpers/miq-components/operator.go
index b2fe1e0e..341fce21 100644
--- a/manageiq-operator/api/v1alpha1/helpers/miq-components/operator.go
+++ b/manageiq-operator/api/v1alpha1/helpers/miq-components/operator.go
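Review bot: The added line indexes `Containers[0]` right after the previous line assigned a one-element slice from `container`; writing `container.SecurityContext = DefaultSecurityContext()` before `deployment.Spec.Template.Spec.Containers = []corev1.Container{container}` says the same thing without the index and keeps the container fully built before it is placed in the template. The same shape is repeated in every deployment helper in this commit, so it is worth settling once. Separately, with a non-root UID now enforced, the volume declared in the lines that follow (`corev1.Volume{` continues past the hunk) will need a pod-level `FSGroup` if it is a PersistentVolumeClaim holding the ZooKeeper data directory and the storage driver does not chown on mount. ZookeeperDeployment starts and ends outside the hunk.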
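Review bot: The internal certificate is still mounted at `/root` (last line of the hunk) while the container is now forced to run as a non-root user, and a mount path of `/root` suggests the memcached image was expected to run as root. The image's USER is not visible here, so confirm both that the image declares a numeric non-root UID (otherwise the kubelet will not start it) and that the mounted files stay readable by that UID: Secret volumes default to 0644, but a tighter `DefaultMode` set inside addInternalCertificate would not be. If the image already runs unprivileged, a path such as `/etc/memcached/certs` would document the intent better than `/root`. NewMemcachedDeployment starts outside the hunk.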
@@ -20,6 +20,7 @@ func ManageOperator(cr *miqv1alpha1.ManageIQ, client client.Client) (*appsv1.Dep
 addAppLabel(cr.Spec.AppName, &deployment.ObjectMeta)
 addAppLabel(cr.Spec.AppName, &deployment.Spec.Template.ObjectMeta)
 addBackupLabel(cr.Spec.BackupLabelName, &deployment.ObjectMeta)
+ deployment.Spec.Template.Spec.Containers[0].SecurityContext = DefaultSecurityContext()
 return nil
 }
diff --git a/manageiq-operator/api/v1alpha1/helpers/miq-components/orchestrator.go b/manageiq-operator/api/v1alpha1/helpers/miq-components/orchestrator.go
index 3ad6f931..5078b9ce 100644
--- a/manageiq-operator/api/v1alpha1/helpers/miq-components/orchestrator.go
+++ b/manageiq-operator/api/v1alpha1/helpers/miq-components/orchestrator.go
@@ -315,6 +315,7 @@ func OrchestratorDeployment(cr *miqv1alpha1.ManageIQ, scheme *runtime.Scheme, cl
 updateOrchestratorEnv(cr, &deployment.Spec.Template.Spec.Containers[0])
 deployment.Spec.Template.Spec.Containers[0].Image = cr.Spec.OrchestratorImage
+ deployment.Spec.Template.Spec.Containers[0].SecurityContext = DefaultSecurityContext()
 addInternalRootCertificate(cr, deployment, client)
diff --git a/manageiq-operator/api/v1alpha1/helpers/miq-components/postgresql.go b/manageiq-operator/api/v1alpha1/helpers/miq-components/postgresql.go
index 4973d914..776c8c8a 100644
--- a/manageiq-operator/api/v1alpha1/helpers/miq-components/postgresql.go
+++ b/manageiq-operator/api/v1alpha1/helpers/miq-components/postgresql.go
@@ -278,6 +278,7 @@ func PostgresqlDeployment(cr *miqv1alpha1.ManageIQ, client client.Client, scheme
 }
 addAnnotations(cr.Spec.AppAnnotations, &deployment.Spec.Template.ObjectMeta)
 deployment.Spec.Template.Spec.Containers = []corev1.Container{container}
+ deployment.Spec.Template.Spec.Containers[0].SecurityContext = DefaultSecurityContext()
 deployment.Spec.Template.Spec.ServiceAccountName = defaultServiceAccountName(cr.Spec.AppName)
 deployment.Spec.Template.Spec.Volumes = []corev1.Volume{
 corev1.Volume{
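Review bot: `Containers[0]` is indexed here without checking that the operator Deployment has any containers; unlike the other hunks in this commit the slice was not just assigned from a single `container` variable but belongs to the `deployment` this function works on (obtained outside the hunk), so an empty slice would panic the reconcile. A guard such as `if len(deployment.Spec.Template.Spec.Containers) > 0 { deployment.Spec.Template.Spec.Containers[0].SecurityContext = DefaultSecurityContext() }`, or a range over all containers in case a sidecar is ever added, would be safer. Note that this also applies `RunAsNonRoot` to the operator's own pod, so the operator image itself must run as a numeric non-root UID or the next reconcile leaves the operator unable to restart. The enclosing function starts outside the hunk.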
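Review bot: The added line unconditionally overwrites whatever SecurityContext the orchestrator container already carries, in the same way the preceding line overwrites `Image` from `cr.Spec.OrchestratorImage`, so an administrator's edit to the context is reverted on every reconcile and there is no CR field to express an exception. If that is intended, a comment above the line should say so, e.g. `// Always enforce the hardened context; manual edits to the container SecurityContext are reverted on reconcile.`; if not, fill only nil fields instead of replacing the struct. If the orchestrator spawns worker pods of its own, as its name suggests, nothing in this hunk propagates the context to them. OrchestratorDeployment starts and ends outside the hunk.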
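Review bot: Forcing `RunAsNonRoot` on the PostgreSQL container without a pod-level `FSGroup` leaves data-directory ownership to the storage driver: the volume declared in the lines that follow (`corev1.Volume{` continues past the hunk) is presumably the claim backing PGDATA, and on drivers that do not chown on mount the non-root postgres UID cannot initialise or open the cluster. Consider setting `deployment.Spec.Template.Spec.SecurityContext = &corev1.PodSecurityContext{FSGroup: &postgresGID}` alongside the container context, with the GID taken from the pinned image. Whether that image runs as a numeric non-root user is not visible here and also decides whether the kubelet starts the container at all. PostgresqlDeployment starts and ends outside the hunk.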
diff --git a/manageiq-operator/api/v1alpha1/helpers/miq-components/util.go b/manageiq-operator/api/v1alpha1/helpers/miq-components/util.go
index 3cb12142..12e93f34 100644
--- a/manageiq-operator/api/v1alpha1/helpers/miq-components/util.go
+++ b/manageiq-operator/api/v1alpha1/helpers/miq-components/util.go
@@ -174,3 +174,19 @@ func addOrUpdateVolume(volumes []corev1.Volume, volume corev1.Volume) []corev1.V
 return volumes
 }
+
+func DefaultSecurityContext() *corev1.SecurityContext {
+ dropCapability := []corev1.Capability{"ALL"}
+ varFalse := false
+ varTrue := true
+ sc := &corev1.SecurityContext{
+ AllowPrivilegeEscalation: &varFalse,
+ Privileged: &varFalse,
+ Capabilities: &corev1.Capabilities{
+ Drop: dropCapability,
+ },
+ RunAsNonRoot: &varTrue,
+ }
+
+ return sc
+}
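Review bot: DefaultSecurityContext sets no `SeccompProfile`, so the context still falls short of the restricted Pod Security Standard, which requires `seccompProfile.type` of `RuntimeDefault` or `Localhost` at pod or container level; adding `SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault},` to the literal closes that gap at no cost for these workloads. `RunAsNonRoot` without `RunAsUser` also makes start-up depend on each image declaring a numeric non-root USER, since the kubelet rejects a container whose UID it cannot prove is non-zero; that constraint should be stated where the function is documented. The exported function currently has no doc comment at all, and one such as `// DefaultSecurityContext returns the hardened container SecurityContext applied to every workload the operator manages: no privilege escalation, not privileged, all capabilities dropped, non-root. Images must declare a numeric non-root USER.` would do. `ReadOnlyRootFilesystem` is worth a follow-up but needs a per-image check of which paths are written.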