Set security context of workloads

This commit sets the following security context of all workloads directly handled by the operator: ``` securityContext: privileged: false readOnlyRootFilesystem: true ``` this as required by: RHOBS-1001 Signed-off-by: Jacob Baungard Hansen <[email protected]>
stolostron · Feb 13, 2024 · e372071 · e372071
1 parent 02da6b2
commit e372071
Show file tree

Hide file tree

Showing 6 changed files with 32 additions and 0 deletions.
diff --git a/operators/endpointmetrics/config/manager/manager.yaml b/operators/endpointmetrics/config/manager/manager.yaml
@@ -51,6 +51,9 @@ spec:
         - mountPath: /spoke/hub-kubeconfig
           name: hub-kubeconfig-secret
           readOnly: true
+        securityContext:
+          privileged: false
+          readOnlyRootFilesystem: true
       volumes:
       - name: hub-kubeconfig-secret
         secret:

diff --git a/operators/multiclusterobservability/config/manager/manager.yaml b/operators/multiclusterobservability/config/manager/manager.yaml
@@ -34,6 +34,8 @@ spec:
         imagePullPolicy: IfNotPresent
         securityContext:
           allowPrivilegeEscalation: false
+          privileged: false
+          readOnlyFilesystem: true
         ports:
         - containerPort: 9443
           name: webhook-server

diff --git a/...ators/multiclusterobservability/manifests/base/alertmanager/alertmanager-statefulset.yaml b/...ators/multiclusterobservability/manifests/base/alertmanager/alertmanager-statefulset.yaml
@@ -76,6 +76,9 @@ spec:
               name: config-volume
             - mountPath: /alertmanager
               name: alertmanager-db
+          securityContext:
+            privileged: false
+            readOnlyRootFilesystem: false
         - args:
             - -webhook-url=http://localhost:9093/-/reload
             - -volume-dir=/etc/alertmanager/config
@@ -94,6 +97,9 @@ spec:
             - mountPath: /etc/tls/private
               name: tls-secret
               readOnly: true
+          securityContext:
+            privileged: false
+            readOnlyRootFilesystem: false
         - args:
             - --provider=openshift
             - --https-address=:9095
@@ -138,6 +144,9 @@ spec:
               readOnly: true
             - mountPath: /etc/proxy/secrets
               name: alertmanager-proxy
+          securityContext:
+            privileged: false
+            readOnlyRootFilesystem: false
       serviceAccount: alertmanager
       serviceAccountName: alertmanager
       volumes:

diff --git a/operators/multiclusterobservability/manifests/base/grafana/deployment.yaml b/operators/multiclusterobservability/manifests/base/grafana/deployment.yaml
@@ -63,6 +63,9 @@ spec:
               name: grafana-datasources
             - mountPath: /etc/grafana
               name: grafana-config
+          securityContext:
+            privileged: false
+            readOnlyRootFilesystem: true
         - name: grafana-dashboard-loader
           env:
             - name: POD_NAMESPACE
@@ -75,6 +78,9 @@ spec:
             requests:
               cpu: 4m
               memory: 50Mi
+          securityContext:
+            privileged: false
+            readOnlyRootFilesystem: true
         - readinessProbe:
             httpGet:
               path: /oauth/healthz
@@ -114,6 +120,9 @@ spec:
             - '--scope=user:full'
             - '--openshift-ca=/etc/pki/tls/cert.pem'
             - '--openshift-ca=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt'
+          securityContext:
+            privileged: false
+            readOnlyRootFilesystem: true
       serviceAccount: grafana
       imagePullSecrets:
         - name: multiclusterhub-operator-pull-secret

diff --git a/operators/multiclusterobservability/manifests/base/observatorium/operator.yaml b/operators/multiclusterobservability/manifests/base/observatorium/operator.yaml
@@ -54,6 +54,9 @@ spec:
             requests:
               cpu: 10m
               memory: 50Mi
+          securityContext:
+            privileged: false
+            readOnlyRootFilesystem: true
       imagePullSecrets:
         - name: "{{MULTICLUSTEROBSERVABILITY_IMAGE_PULL_SECRET}}"
       serviceAccountName: observatorium
diff --git a/operators/multiclusterobservability/manifests/base/proxy/deployment.yaml b/operators/multiclusterobservability/manifests/base/proxy/deployment.yaml
@@ -70,6 +70,9 @@ spec:
             requests:
               cpu: 20m
               memory: 100Mi
+          securityContext:
+            privileged: false
+            readOnlyRootFilesystem: true
         - args:
             - --provider=openshift
             - --https-address=:8443
@@ -114,6 +117,9 @@ spec:
               readOnly: true
             - mountPath: /etc/proxy/secrets
               name: cookie-secret
+          securityContext:
+            privileged: false
+            readOnlyRootFilesystem: true
       serviceAccountName: rbac-query-proxy
       imagePullSecrets:
         - name: multiclusterhub-operator-pull-secret