diff --git a/bundle/manifests/fabric-opensource-operator.clusterserviceversion.yaml b/bundle/manifests/fabric-opensource-operator.clusterserviceversion.yaml
index a85ba82b..67cc6122 100644
--- a/bundle/manifests/fabric-opensource-operator.clusterserviceversion.yaml
+++ b/bundle/manifests/fabric-opensource-operator.clusterserviceversion.yaml
@@ -1816,6 +1816,8 @@ spec:
 ephemeral-storage: 100Mi
 memory: 200Mi
 securityContext:
+ seccompProfile:
+ type: RuntimeDefault
 allowPrivilegeEscalation: false
 capabilities:
 add:
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
index 61c2b02d..ae2180eb 100644
--- a/config/manager/manager.yaml
+++ b/config/manager/manager.yaml
@@ -98,6 +98,8 @@ spec:
 memory: 200Mi
 ephemeral-storage: 100Mi
 securityContext:
+ seccompProfile:
+ type: RuntimeDefault
 allowPrivilegeEscalation: false
 capabilities:
 add:
diff --git a/config/manifests/bases/fabric-opensource-operator.clusterserviceversion.yaml b/config/manifests/bases/fabric-opensource-operator.clusterserviceversion.yaml
index a53f647d..966f2946 100644
--- a/config/manifests/bases/fabric-opensource-operator.clusterserviceversion.yaml
+++ b/config/manifests/bases/fabric-opensource-operator.clusterserviceversion.yaml
@@ -1813,6 +1813,8 @@ spec:
 ephemeral-storage: 100Mi
 memory: 200Mi
 securityContext:
+ seccompProfile:
+ type: RuntimeDefault
 allowPrivilegeEscalation: false
 capabilities:
 add:
diff --git a/definitions/ca/deployment.yaml b/definitions/ca/deployment.yaml
index 7522edf4..5bf00f9a 100644
--- a/definitions/ca/deployment.yaml
+++ b/definitions/ca/deployment.yaml
@@ -74,6 +74,8 @@ spec:
 ephemeral-storage: 100M
 memory: 100Mi
 securityContext:
+ seccompProfile:
+ type: RuntimeDefault
 allowPrivilegeEscalation: false
 capabilities:
 add:
diff --git a/definitions/console/deployment.yaml b/definitions/console/deployment.yaml
index c62800ef..98514e7d 100644
--- a/definitions/console/deployment.yaml
+++ b/definitions/console/deployment.yaml
@@ -62,6 +62,8 @@ spec:
 ephemeral-storage: 100M
 memory: 1000Mi
 securityContext:
+ seccompProfile:
+ type: RuntimeDefault
 allowPrivilegeEscalation: false
 capabilities:
 add:
@@ -110,6 +112,8 @@ spec:
 ephemeral-storage: 100M
 memory: 200Mi
 securityContext:
+ seccompProfile:
+ type: RuntimeDefault
 allowPrivilegeEscalation: false
 capabilities:
 add:
@@ -160,6 +164,8 @@ spec:
 ephemeral-storage: 100M
 memory: 50Mi
 securityContext:
+ seccompProfile:
+ type: RuntimeDefault
 allowPrivilegeEscalation: false
 capabilities:
 add:
diff --git a/definitions/orderer/deployment.yaml b/definitions/orderer/deployment.yaml
index a5cc1bde..38b30c58 100644
--- a/definitions/orderer/deployment.yaml
+++ b/definitions/orderer/deployment.yaml
@@ -72,6 +72,8 @@ spec:
 ephemeral-storage: 100M
 memory: 100Mi
 securityContext:
+ seccompProfile:
+ type: RuntimeDefault
 allowPrivilegeEscalation: false
 capabilities:
 add:
@@ -165,6 +167,8 @@ spec:
 ephemeral-storage: 100M
 memory: 100Mi
 securityContext:
+ seccompProfile:
+ type: RuntimeDefault
 capabilities:
 add:
 - NET_BIND_SERVICE
diff --git a/definitions/peer/chaincode-launcher.yaml b/definitions/peer/chaincode-launcher.yaml
index ac880f4c..fc60fa3e 100644
--- a/definitions/peer/chaincode-launcher.yaml
+++ b/definitions/peer/chaincode-launcher.yaml
@@ -18,6 +18,8 @@
 name: "chaincode-launcher"
 imagePullPolicy: Always
 securityContext:
+ seccompProfile:
+ type: RuntimeDefault
 privileged: false
 readOnlyRootFileSystem: false
 runAsGroup: 7051
diff --git a/definitions/peer/couchdb.yaml b/definitions/peer/couchdb.yaml
index 8e40dd58..eff94a7f 100644
--- a/definitions/peer/couchdb.yaml
+++ b/definitions/peer/couchdb.yaml
@@ -19,6 +19,8 @@ name: "couchdb"
 image: ""
 imagePullPolicy: Always
 securityContext:
+ seccompProfile:
+ type: RuntimeDefault
 privileged: false
 readOnlyRootFileSystem: false
 runAsGroup: 5984
diff --git a/definitions/peer/deployment.yaml b/definitions/peer/deployment.yaml
index a6276f97..ab5c85af 100644
--- a/definitions/peer/deployment.yaml
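Review bot: The context lines right under the new `seccompProfile` in definitions/peer/chaincode-launcher.yaml and definitions/peer/couchdb.yaml spell the field `readOnlyRootFileSystem`, whereas the Kubernetes SecurityContext field — and the peer deployment hunk in this same commit — is `readOnlyRootFilesystem`. If these definitions are decoded through encoding/json the key is likely to match case-insensitively anyway, but normalising both lines to `readOnlyRootFilesystem: false` keeps the rendered manifests consistent and avoids the field being dropped or rejected under strict field validation. This is pre-existing rather than introduced here, but the commit is touching exactly these securityContext blocks.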
+++ b/definitions/peer/deployment.yaml
@@ -33,6 +33,50 @@ spec:
 - env:
 - name: LICENSE
 value: accept
+<<<<<<< HEAD
+=======
+ image: ""
+ imagePullPolicy: Always
+ livenessProbe:
+ failureThreshold: 6
+ initialDelaySeconds: 30
+ tcpSocket:
+ port: 2375
+ timeoutSeconds: 5
+ name: dind
+ ports:
+ - containerPort: 2375
+ readinessProbe:
+ exec:
+ command:
+ - readiness.sh
+ initialDelaySeconds: 30
+ periodSeconds: 5
+ timeoutSeconds: 5
+ resources:
+ limits:
+ cpu: 500m
+ memory: 1000M
+ requests:
+ cpu: 500m
+ memory: 1000M
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ allowPrivilegeEscalation: true
+ capabilities:
+ add:
+ - NET_BIND_SERVICE
+ drop:
+ - ALL
+ privileged: true
+ readOnlyRootFilesystem: false
+ runAsNonRoot: false
+ runAsUser: 0
+ - env:
+ - name: LICENSE
+ value: accept
+>>>>>>> 23b15af (Disable unshare in the pod containers (#179))
 - name: CORE_PEER_LISTENADDRESS
 value: 0.0.0.0:7051
 - name: CORE_PEER_CHAINCODELISTENADDRESS
@@ -97,6 +141,8 @@ spec:
 cpu: 200m
 memory: 400M
 securityContext:
+ seccompProfile:
+ type: RuntimeDefault
 allowPrivilegeEscalation: false
 capabilities:
 add:
@@ -179,6 +225,8 @@ spec:
 cpu: 100m
 memory: 200M
 securityContext:
+ seccompProfile:
+ type: RuntimeDefault
 allowPrivilegeEscalation: false
 capabilities:
 add:
diff --git a/pkg/offering/base/ca/override/deployment.go b/pkg/offering/base/ca/override/deployment.go
index 4e9077da..6773852b 100644
--- a/pkg/offering/base/ca/override/deployment.go
+++ b/pkg/offering/base/ca/override/deployment.go
@@ -33,6 +33,7 @@ import (
 "github.com/IBM-Blockchain/fabric-operator/pkg/manager/resources/deployment"
 dep "github.com/IBM-Blockchain/fabric-operator/pkg/manager/resources/deployment"
 "github.com/IBM-Blockchain/fabric-operator/pkg/manager/resources/serviceaccount"
+ "github.com/IBM-Blockchain/fabric-operator/pkg/offering/common"
 "github.com/IBM-Blockchain/fabric-operator/pkg/util"
 appsv1 "k8s.io/api/apps/v1"
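Review bot: The first hunk of definitions/peer/deployment.yaml commits unresolved merge-conflict markers (`+<<<<<<< HEAD`, `+=======`, `+>>>>>>> 23b15af (Disable unshare in the pod containers (#179))`) into the manifest, which will stop the file from loading as YAML at all. The block between the markers also brings back a `dind` container with `privileged: true`, `allowPrivilegeEscalation: true`, `runAsUser: 0` and `runAsNonRoot: false`, which undoes the hardening this commit applies everywhere else — and its `drop: [ALL]` is meaningless next to `privileged: true`, since a privileged container gets every capability regardless. The HEAD side of the conflict is empty, which suggests that container had already been removed on this branch, so the likely correct resolution is to delete everything from `<<<<<<< HEAD` through `>>>>>>> 23b15af` and keep only the `seccompProfile` additions in the other two hunks; if a dind container is genuinely still required it should come back in a separate, deliberate change with its own review.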
@@ -182,6 +183,9 @@ func (o *Override) CommonDeployment(instance *current.IBPCA, deployment *dep.Dep
 deployment.SetReplicas(instance.Spec.Replicas)
 }
+ // set seccompProfile to RuntimeDefault
+ common.GetPodSecurityContext(caCont)
+
 return nil
 }
diff --git a/pkg/offering/base/console/override/deployment.go b/pkg/offering/base/console/override/deployment.go
index b65add0b..252089bb 100644
--- a/pkg/offering/base/console/override/deployment.go
+++ b/pkg/offering/base/console/override/deployment.go
@@ -319,6 +319,11 @@ func (o *Override) CommonDeployment(instance *current.IBPConsole, deployment *de
 }
 init.SetCommand([]string{"sh", "-c", initCommand})
+ // set seccompProfile to RuntimeDefault
+ common.GetPodSecurityContext(console)
+ common.GetPodSecurityContext(deployer)
+ common.GetPodSecurityContext(configtxlator)
+
 return nil
 }
diff --git a/pkg/offering/base/orderer/override/deployment.go b/pkg/offering/base/orderer/override/deployment.go
index 35a97a1b..45c60c0c 100644
--- a/pkg/offering/base/orderer/override/deployment.go
+++ b/pkg/offering/base/orderer/override/deployment.go
@@ -317,6 +317,10 @@ func (o *Override) CommonDeploymentOverrides(instance *current.IBPOrderer, deplo
 deployment.UpdateContainer(grpcProxy)
 deployment.UpdateInitContainer(initCont)
+ // set seccompProfile to RuntimeDefault
+ common.GetPodSecurityContext(orderer)
+ common.GetPodSecurityContext(grpcProxy)
+
 return nil
 }
diff --git a/pkg/offering/base/peer/override/deployment.go b/pkg/offering/base/peer/override/deployment.go
index 8cf4352e..accf4759 100644
--- a/pkg/offering/base/peer/override/deployment.go
+++ b/pkg/offering/base/peer/override/deployment.go
@@ -732,6 +732,11 @@ func (o *Override) CommonDeploymentOverrides(instance *current.IBPPeer, deployme
 deployment.UpdateContainer(peerContainer)
 deployment.UpdateContainer(grpcContainer)
+
+ // set seccompProfile to RuntimeDefault
+ common.GetPodSecurityContext(peerContainer)
+ common.GetPodSecurityContext(grpcContainer)
+
 return nil
 }
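Review bot: In pkg/offering/base/peer/override/deployment.go and pkg/offering/base/orderer/override/deployment.go the new `common.GetPodSecurityContext(...)` calls run after `deployment.UpdateContainer(...)` has already been invoked for the same containers, so the seccomp profile only reaches the rendered pod spec if UpdateContainer keeps the container by reference; if it copies the spec in, the profile is silently dropped with no error. Moving the two calls above the `UpdateContainer` lines (or adding an assertion on `SecurityContext.SeccompProfile` in the existing override tests) removes that doubt either way. Init containers are also left out: the console hunk sets the profile on `console`, `deployer` and `configtxlator` but not on `init`, and the orderer hunk passes `initCont` to `UpdateInitContainer` without calling `GetPodSecurityContext` on it, yet the restricted Pod Security Standard requires `seccompProfile` on init containers as well. The enclosing `CommonDeployment`/`CommonDeploymentOverrides` functions start outside these hunks, so there may be further containers in the same functions that are not covered here.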
diff --git a/pkg/offering/common/override.go b/pkg/offering/common/override.go
index 29a4e941..d6ee83f9 100644
--- a/pkg/offering/common/override.go
+++ b/pkg/offering/common/override.go
@@ -19,6 +19,7 @@ package common
 import (
+ container "github.com/IBM-Blockchain/fabric-operator/pkg/manager/resources/container"
 corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
@@ -106,3 +107,12 @@ func GetPodAntiAffinity(orgName string) *corev1.PodAntiAffinity {
 },
 }
 }
+
+func GetPodSecurityContext(con container.Container) {
+ secContext := con.SecurityContext
+ if secContext.SeccompProfile == nil {
+ secContext.SeccompProfile = &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ }
+ }
+}
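Review bot: `GetPodSecurityContext` reads `con.SecurityContext` into `secContext` and dereferences it without a nil check, so any container that arrives without a securityContext (the definition files in this commit all carry one, but a user override or a CR that clears the block may not) will panic inside the reconcile loop instead of being hardened. The function should create the SecurityContext when it is missing and only then default the profile; note that this relies on `con` exposing the underlying corev1.Container by pointer, and if `SecurityContext` were a value field the original copy-then-assign would already be a no-op — container.Container's layout is not in this diff, so please confirm. The name is also misleading for an exported helper: it mutates rather than gets, and it touches the container-level `SecurityContext`, not the pod-level `PodSecurityContext`; something like `SetDefaultSeccompProfile` with a doc comment starting with the function name would read correctly, though the four callers added in this commit would need the same rename. Suggested body:
```go
// GetPodSecurityContext defaults the container's seccompProfile to
// RuntimeDefault; an explicitly configured profile is left untouched.
func GetPodSecurityContext(con container.Container) {
	if con.SecurityContext == nil {
		// NOTE(review): only reaches the caller's container if the
		// corev1.Container is held by pointer — confirm in container.Container.
		con.SecurityContext = &corev1.SecurityContext{}
	}
	if con.SecurityContext.SeccompProfile == nil {
		con.SecurityContext.SeccompProfile = &corev1.SeccompProfile{
			Type: corev1.SeccompProfileTypeRuntimeDefault,
		}
	}
}
```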