Disable unshare in the pod containers (#179)

Signed-off-by: asararatnakar <[email protected]> Signed-off-by: Shoaeb Jindani <[email protected]>
hyperledger-labs · Mar 21, 2024 · f612cb2 · f612cb2
1 parent 6ebcc7e
commit f612cb2
Show file tree

Hide file tree

Showing 13 changed files with 50 additions and 0 deletions.
diff --git a/bundle/manifests/fabric-opensource-operator.clusterserviceversion.yaml b/bundle/manifests/fabric-opensource-operator.clusterserviceversion.yaml
@@ -1816,6 +1816,8 @@ spec:
                     ephemeral-storage: 100Mi
                     memory: 200Mi
                 securityContext:
+                  seccompProfile:
+                    type: RuntimeDefault
                   allowPrivilegeEscalation: false
                   capabilities:
                     add:

diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
@@ -98,6 +98,8 @@ spec:
               memory: 200Mi
               ephemeral-storage: 100Mi
           securityContext:
+            seccompProfile:
+              type: RuntimeDefault
             allowPrivilegeEscalation: false
             capabilities:
               add:

diff --git a/config/manifests/bases/fabric-opensource-operator.clusterserviceversion.yaml b/config/manifests/bases/fabric-opensource-operator.clusterserviceversion.yaml
@@ -1813,6 +1813,8 @@ spec:
                     ephemeral-storage: 100Mi
                     memory: 200Mi
                 securityContext:
+                  seccompProfile:
+                    type: RuntimeDefault
                   allowPrivilegeEscalation: false
                   capabilities:
                     add:

diff --git a/definitions/ca/deployment.yaml b/definitions/ca/deployment.yaml
@@ -74,6 +74,8 @@ spec:
               ephemeral-storage: 100M
               memory: 100Mi
           securityContext:
+            seccompProfile:
+              type: RuntimeDefault
             allowPrivilegeEscalation: false
             capabilities:
               add:

diff --git a/definitions/console/deployment.yaml b/definitions/console/deployment.yaml
@@ -62,6 +62,8 @@ spec:
               ephemeral-storage: 100M
               memory: 1000Mi
           securityContext:
+            seccompProfile:
+              type: RuntimeDefault
             allowPrivilegeEscalation: false
             capabilities:
               add:
@@ -110,6 +112,8 @@ spec:
               ephemeral-storage: 100M
               memory: 200Mi
           securityContext:
+            seccompProfile:
+              type: RuntimeDefault
             allowPrivilegeEscalation: false
             capabilities:
               add:
@@ -160,6 +164,8 @@ spec:
               ephemeral-storage: 100M
               memory: 50Mi
           securityContext:
+            seccompProfile:
+              type: RuntimeDefault
             allowPrivilegeEscalation: false
             capabilities:
               add:

diff --git a/definitions/orderer/deployment.yaml b/definitions/orderer/deployment.yaml
@@ -72,6 +72,8 @@ spec:
               ephemeral-storage: 100M
               memory: 100Mi
           securityContext:
+            seccompProfile:
+              type: RuntimeDefault
             allowPrivilegeEscalation: false
             capabilities:
               add:
@@ -165,6 +167,8 @@ spec:
               ephemeral-storage: 100M
               memory: 100Mi
           securityContext:
+            seccompProfile:
+              type: RuntimeDefault
             capabilities:
               add:
                 - NET_BIND_SERVICE

diff --git a/definitions/peer/chaincode-launcher.yaml b/definitions/peer/chaincode-launcher.yaml
@@ -18,6 +18,8 @@
 name: "chaincode-launcher"
 imagePullPolicy: Always
 securityContext:
+  seccompProfile:
+    type: RuntimeDefault
   privileged: false
   readOnlyRootFileSystem: false
   runAsGroup: 7051

diff --git a/definitions/peer/couchdb.yaml b/definitions/peer/couchdb.yaml
@@ -19,6 +19,8 @@ name: "couchdb"
 image: ""
 imagePullPolicy: Always
 securityContext:
+  seccompProfile:
+    type: RuntimeDefault
   privileged: false
   readOnlyRootFileSystem: false
   runAsGroup: 5984

diff --git a/pkg/offering/base/ca/override/deployment.go b/pkg/offering/base/ca/override/deployment.go
@@ -33,6 +33,7 @@ import (
 	"github.com/IBM-Blockchain/fabric-operator/pkg/manager/resources/deployment"
 	dep "github.com/IBM-Blockchain/fabric-operator/pkg/manager/resources/deployment"
 	"github.com/IBM-Blockchain/fabric-operator/pkg/manager/resources/serviceaccount"
+	"github.com/IBM-Blockchain/fabric-operator/pkg/offering/common"
 	"github.com/IBM-Blockchain/fabric-operator/pkg/util"
 
 	appsv1 "k8s.io/api/apps/v1"
@@ -182,6 +183,9 @@ func (o *Override) CommonDeployment(instance *current.IBPCA, deployment *dep.Dep
 		deployment.SetReplicas(instance.Spec.Replicas)
 	}
 
+	// set seccompProfile to RuntimeDefault
+	common.GetPodSecurityContext(caCont)
+
 	return nil
 }
 

diff --git a/pkg/offering/base/console/override/deployment.go b/pkg/offering/base/console/override/deployment.go
@@ -319,6 +319,11 @@ func (o *Override) CommonDeployment(instance *current.IBPConsole, deployment *de
 	}
 	init.SetCommand([]string{"sh", "-c", initCommand})
 
+	// set seccompProfile to RuntimeDefault
+	common.GetPodSecurityContext(console)
+	common.GetPodSecurityContext(deployer)
+	common.GetPodSecurityContext(configtxlator)
+
 	return nil
 }
 

diff --git a/pkg/offering/base/orderer/override/deployment.go b/pkg/offering/base/orderer/override/deployment.go
@@ -317,6 +317,10 @@ func (o *Override) CommonDeploymentOverrides(instance *current.IBPOrderer, deplo
 	deployment.UpdateContainer(grpcProxy)
 	deployment.UpdateInitContainer(initCont)
 
+	// set seccompProfile to RuntimeDefault
+	common.GetPodSecurityContext(orderer)
+	common.GetPodSecurityContext(grpcProxy)
+
 	return nil
 }
 

diff --git a/pkg/offering/base/peer/override/deployment.go b/pkg/offering/base/peer/override/deployment.go
@@ -732,6 +732,11 @@ func (o *Override) CommonDeploymentOverrides(instance *current.IBPPeer, deployme
 
 	deployment.UpdateContainer(peerContainer)
 	deployment.UpdateContainer(grpcContainer)
+
+	// set seccompProfile to RuntimeDefault
+	common.GetPodSecurityContext(peerContainer)
+	common.GetPodSecurityContext(grpcContainer)
+
 	return nil
 }
 

diff --git a/pkg/offering/common/override.go b/pkg/offering/common/override.go
@@ -19,6 +19,7 @@
 package common
 
 import (
+	container "github.com/IBM-Blockchain/fabric-operator/pkg/manager/resources/container"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
@@ -106,3 +107,12 @@ func GetPodAntiAffinity(orgName string) *corev1.PodAntiAffinity {
 		},
 	}
 }
+
+func GetPodSecurityContext(con container.Container) {
+	secContext := con.SecurityContext
+	if secContext.SeccompProfile == nil {
+		secContext.SeccompProfile = &corev1.SeccompProfile{
+			Type: corev1.SeccompProfileTypeRuntimeDefault,
+		}
+	}
+}