[ACM-11093]: apply security context for microshift (#1422)

* apply security restrictions Signed-off-by: Thibault Mange <[email protected]> * add privileged Signed-off-by: Thibault Mange <[email protected]> --------- Signed-off-by: Thibault Mange <[email protected]>
stolostron · May 15, 2024 · 501d88a · 501d88a
1 parent 0e178f8
commit 501d88a
Show file tree

Hide file tree

Showing 3 changed files with 44 additions and 12 deletions.
diff --git a/operators/endpointmetrics/manifests/prometheus/kube-state-metrics-deployment.yaml b/operators/endpointmetrics/manifests/prometheus/kube-state-metrics-deployment.yaml
@@ -36,7 +36,10 @@ spec:
             cpu: 10m
             memory: 190Mi
         securityContext:
-          runAsUser: 65534
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
       - args:
         - --logtostderr
         - --secure-listen-address=:8443
@@ -55,9 +58,10 @@ spec:
             cpu: 20m
             memory: 20Mi
         securityContext:
-          runAsGroup: 65532
-          runAsNonRoot: true
-          runAsUser: 65532
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
       - args:
         - --logtostderr
         - --secure-listen-address=:9443
@@ -76,9 +80,16 @@ spec:
             cpu: 10m
             memory: 20Mi
         securityContext:
-          runAsGroup: 65532
-          runAsNonRoot: true
-          runAsUser: 65532
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+      securityContext:
+        privileged: false
+        readOnlyRootFilesystem: true
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
       nodeSelector:
         kubernetes.io/os: linux
       serviceAccountName: kube-state-metrics
diff --git a/operators/endpointmetrics/manifests/prometheus/node-exporter-clusterRole.yaml b/operators/endpointmetrics/manifests/prometheus/node-exporter-clusterRole.yaml
@@ -15,3 +15,12 @@ rules:
   - subjectaccessreviews
   verbs:
   - create
+- apiGroups:
+  - security.openshift.io
+  resourceNames:
+  - privileged
+  resources:
+  - securitycontextconstraints
+  verbs:
+  - use
+
diff --git a/operators/endpointmetrics/manifests/prometheus/node-exporter-daemonset.yaml b/operators/endpointmetrics/manifests/prometheus/node-exporter-daemonset.yaml
@@ -36,6 +36,13 @@ spec:
           requests:
             cpu: 102m
             memory: 200Mi
+        securityContext:
+          runAsUser: 65534
+          runAsGroup: 65534
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
         volumeMounts:
         - mountPath: /host/sys
           mountPropagation: HostToContainer
@@ -59,7 +66,6 @@ spec:
         name: kube-rbac-proxy
         ports:
         - containerPort: 9100
-          hostPort: 9100
           name: https
         resources:
           limits:
@@ -69,16 +75,22 @@ spec:
             cpu: 10m
             memory: 200Mi
         securityContext:
-          runAsGroup: 65532
-          runAsNonRoot: true
-          runAsUser: 65532
+          runAsUser: 65534
+          runAsGroup: 65534
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
       hostNetwork: true
       hostPID: true
       nodeSelector:
         kubernetes.io/os: linux
       securityContext:
+        privileged: false
+        readOnlyRootFilesystem: true
         runAsNonRoot: true
-        runAsUser: 65534
+        seccompProfile:
+          type: RuntimeDefault
       serviceAccountName: node-exporter
       tolerations:
       - operator: Exists