From 76325830dbf450721e1de7f857804269e0185e17 Mon Sep 17 00:00:00 2001
From: Thibault Mange <22740367+thibaultmg@users.noreply.github.com>
Date: Wed, 15 May 2024 16:04:42 +0200
Subject: [PATCH] [ACM-11093]: apply security context for microshift (#1422)
* apply security restrictions
Signed-off-by: Thibault Mange <22740367+thibaultmg@users.noreply.github.com>
* add privileged
Signed-off-by: Thibault Mange <22740367+thibaultmg@users.noreply.github.com>
---------
Signed-off-by: Thibault Mange <22740367+thibaultmg@users.noreply.github.com>
---
 .../kube-state-metrics-deployment.yaml | 25 +++++++++++++------
 .../prometheus/node-exporter-clusterRole.yaml | 9 +++++++
 .../prometheus/node-exporter-daemonset.yaml | 22 ++++++++++++----
 3 files changed, 44 insertions(+), 12 deletions(-)
diff --git a/operators/endpointmetrics/manifests/prometheus/kube-state-metrics-deployment.yaml b/operators/endpointmetrics/manifests/prometheus/kube-state-metrics-deployment.yaml
index 59dbee9b3..1702b1201 100644
--- a/operators/endpointmetrics/manifests/prometheus/kube-state-metrics-deployment.yaml
+++ b/operators/endpointmetrics/manifests/prometheus/kube-state-metrics-deployment.yaml
@@ -36,7 +36,10 @@ spec:
 cpu: 10m
 memory: 190Mi
 securityContext:
- runAsUser: 65534
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
 - args:
 - --logtostderr
 - --secure-listen-address=:8443
@@ -55,9 +58,10 @@ spec:
 cpu: 20m
 memory: 20Mi
 securityContext:
- runAsGroup: 65532
- runAsNonRoot: true
- runAsUser: 65532
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
 - args:
 - --logtostderr
 - --secure-listen-address=:9443
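Review bot: Both container securityContexts in these two hunks lose their explicit `runAsUser`/`runAsGroup` (65534 and 65532) and nothing in the hunks replaces them, so the uid each container ends up with now depends on what admission assigns (presumably an OpenShift/MicroShift SCC handing out a uid from the namespace range) or, on a cluster without SCCs, on the image's `USER`. The pod-level `runAsNonRoot: true` added in the last hunk of this file makes the kubelet refuse to start a container whose image `USER` is non-numeric, so the images behind these containers should be checked for a numeric `USER` before this ships beyond MicroShift. A short comment on each container's `securityContext:` would record the intent, e.g. `# uid/gid deliberately unset: assigned from the namespace range by the SCC`. The container list these hunks belong to starts and ends outside both hunks.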
@@ -76,9 +80,16 @@ spec:
 cpu: 10m
 memory: 20Mi
 securityContext:
- runAsGroup: 65532
- runAsNonRoot: true
- runAsUser: 65532
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
 nodeSelector:
 kubernetes.io/os: linux
 serviceAccountName: kube-state-metrics
diff --git a/operators/endpointmetrics/manifests/prometheus/node-exporter-clusterRole.yaml b/operators/endpointmetrics/manifests/prometheus/node-exporter-clusterRole.yaml
index ad783ae9b..43c76d8b1 100644
--- a/operators/endpointmetrics/manifests/prometheus/node-exporter-clusterRole.yaml
+++ b/operators/endpointmetrics/manifests/prometheus/node-exporter-clusterRole.yaml
@@ -15,3 +15,12 @@ rules:
 - subjectaccessreviews
 verbs:
 - create
+- apiGroups:
+ - security.openshift.io
+ resourceNames:
+ - privileged
+ resources:
+ - securitycontextconstraints
+ verbs:
+ - use
+
diff --git a/operators/endpointmetrics/manifests/prometheus/node-exporter-daemonset.yaml b/operators/endpointmetrics/manifests/prometheus/node-exporter-daemonset.yaml
index cc2bdc2f5..39c903973 100644
--- a/operators/endpointmetrics/manifests/prometheus/node-exporter-daemonset.yaml
+++ b/operators/endpointmetrics/manifests/prometheus/node-exporter-daemonset.yaml
@@ -36,6 +36,13 @@ spec:
 requests:
 cpu: 102m
 memory: 200Mi
+ securityContext:
+ runAsUser: 65534
+ runAsGroup: 65534
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
 volumeMounts:
 - mountPath: /host/sys
 mountPropagation: HostToContainer
@@ -59,7 +66,6 @@ spec:
 name: kube-rbac-proxy
 ports:
 - containerPort: 9100
- hostPort: 9100
 name: https
 resources:
 limits:
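Review bot: `privileged` and `readOnlyRootFilesystem` are container-level SecurityContext fields and do not exist in PodSecurityContext, yet the new `securityContext:` block that carries them sits beside `nodeSelector:` and `serviceAccountName:`, which reads as the pod-level one (indentation is not visible in this patch, so confirm). If it is pod-level, the API server or a typed client will drop or reject those two keys and the root filesystem stays writable in every container, which is the opposite of what the commit intends. Move `privileged: false` and `readOnlyRootFilesystem: true` into each container's `securityContext:` next to `allowPrivilegeEscalation: false` (the three container contexts are in this file's two earlier hunks and in this one), and keep `runAsNonRoot: true` and `seccompProfile` at pod level. The same two keys are added to the pod-level `securityContext:` of node-exporter-daemonset.yaml in its last hunk (the block after `hostPID: true`) and need the same treatment there.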
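Review bot: The new rule in node-exporter-clusterRole.yaml grants the node-exporter ServiceAccount `use` on the `privileged` SCC, the widest one OpenShift ships, so any pod created under that ServiceAccount may request a fully privileged container even though the DaemonSet itself sets `privileged: false` and only needs hostNetwork, hostPID and the `/host/sys` hostPath mount. If a narrower SCC such as `hostaccess` cannot be used (it assigns the uid from the namespace range, which would clash with the fixed `runAsUser: 65534` in the DaemonSet), a comment on the rule should say so, e.g. `# privileged SCC: required for hostNetwork/hostPID and the fixed uid 65534; the pod spec still sets privileged: false`. The final `+` line also appends a trailing blank line to the file, which looks unintended.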
@@ -69,16 +75,22 @@ spec:
 cpu: 10m
 memory: 200Mi
 securityContext:
- runAsGroup: 65532
- runAsNonRoot: true
- runAsUser: 65532
+ runAsUser: 65534
+ runAsGroup: 65534
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
 hostNetwork: true
 hostPID: true
 nodeSelector:
 kubernetes.io/os: linux
 securityContext:
+ privileged: false
+ readOnlyRootFilesystem: true
 runAsNonRoot: true
- runAsUser: 65534
+ seccompProfile:
+ type: RuntimeDefault
 serviceAccountName: node-exporter
 tolerations:
 - operator: Exists
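Review bot: The uid/gid pair 65534 is now repeated in both container securityContexts (the kube-rbac-proxy one in this hunk and the node-exporter one in the first hunk of this file) while the pod-level `runAsUser: 65534` is removed; since PodSecurityContext `runAsUser`/`runAsGroup` apply to every container that does not override them, keeping `runAsUser: 65534` and `runAsGroup: 65534` once at pod level would express the same thing without the duplication. This is a style point only, the effective uid is the same either way. If the per-container form is deliberate, a one-line comment above the pod-level `securityContext:` saying so would stop the next reader from re-centralising it.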