Set security context of workloads

operators/endpointmetrics/config/manager/manager.yaml

@@ -51,6 +51,9 @@ spec:
         - mountPath: /spoke/hub-kubeconfig
           name: hub-kubeconfig-secret
           readOnly: true
+        securityContext:
+          privileged: false
+          readOnlyRootFilesystem: true
       volumes:
       - name: hub-kubeconfig-secret
         secret:

operators/endpointmetrics/controllers/observabilityendpoint/metrics_collector.go

@@ -314,6 +314,14 @@ func createDeployment(params CollectorParams) *appsv1.Deployment {
 			})
 	}
 
+	privileged := false
+	readOnlyRootFilesystem := true
+
+	metricsCollectorDep.Spec.Template.Spec.Containers[0].SecurityContext = &corev1.SecurityContext{
+		Privileged:             &privileged,
+		ReadOnlyRootFilesystem: &readOnlyRootFilesystem,
+	}
+
 	if params.obsAddonSpec.Resources != nil {
 		metricsCollectorDep.Spec.Template.Spec.Containers[0].Resources = *params.obsAddonSpec.Resources
 	}

operators/multiclusterobservability/bundle/manifests/multicluster-observability-operator.clusterserviceversion.yaml

@@ -526,6 +526,8 @@ spec:
                     memory: 128Mi
                 securityContext:
                   allowPrivilegeEscalation: false
+                  privileged: false
+                  readOnlyRootFilesystem: true
                 volumeMounts:
                 - mountPath: /tmp/k8s-webhook-server/serving-certs
                   name: cert

operators/multiclusterobservability/config/manager/manager.yaml

@@ -34,6 +34,8 @@ spec:
         imagePullPolicy: IfNotPresent
         securityContext:
           allowPrivilegeEscalation: false
+          privileged: false
+          readOnlyRootFilesystem: true
         ports:
         - containerPort: 9443
           name: webhook-server

operators/multiclusterobservability/manifests/base/alertmanager/alertmanager-statefulset.yaml

@@ -2,7 +2,7 @@ apiVersion: apps/v1
 kind: StatefulSet
 metadata:
   name: alertmanager
-  namespace: open-cluster-management-observability 
+  namespace: open-cluster-management-observability
   labels:
     app: multicluster-observability-alertmanager
     alertmanager: observability
@@ -22,144 +22,153 @@ spec:
       affinity:
         podAntiAffinity:
           preferredDuringSchedulingIgnoredDuringExecution:
-          - weight: 70
-            podAffinityTerm:
-              topologyKey: topology.kubernetes.io/zone
-              labelSelector:
-                matchExpressions:
-                - key: app
-                  operator: In
-                  values:
-                  - multicluster-observability-alertmanager
-          - weight: 30
-            podAffinityTerm:
-              topologyKey: kubernetes.io/hostname
-              labelSelector:
-                matchExpressions:
-                - key: app
-                  operator: In
-                  values:
-                  - multicluster-observability-alertmanager
+            - weight: 70
+              podAffinityTerm:
+                topologyKey: topology.kubernetes.io/zone
+                labelSelector:
+                  matchExpressions:
+                    - key: app
+                      operator: In
+                      values:
+                        - multicluster-observability-alertmanager
+            - weight: 30
+              podAffinityTerm:
+                topologyKey: kubernetes.io/hostname
+                labelSelector:
+                  matchExpressions:
+                    - key: app
+                      operator: In
+                      values:
+                        - multicluster-observability-alertmanager
       containers:
-      - args:
-        - --config.file=/etc/alertmanager/config/alertmanager.yaml
-        - --cluster.listen-address=[$(POD_IP)]:9094
-        - --storage.path=/alertmanager
-        - --data.retention=120h
-        - --web.listen-address=127.0.0.1:9093
-        - --web.route-prefix=/
-        env:
-        - name: POD_IP
-          valueFrom:
-            fieldRef:
-              apiVersion: v1
-              fieldPath: status.podIP
-        image: quay.io/stolostron/prometheus-alertmanager:2.3.0-SNAPSHOT-2021-07-26-18-43-26
-        imagePullPolicy: IfNotPresent
-        name: alertmanager
-        ports:
-        - containerPort: 9094
-          name: mesh-tcp
-          protocol: TCP
-        - containerPort: 9093
-          name: web
-          protocol: TCP
-        - containerPort: 9094
-          name: mesh-udp
-          protocol: UDP
-        resources:
-          requests:
-            cpu: 4m
-            memory: 200Mi
-        volumeMounts:
-        - mountPath: /etc/alertmanager/config
-          name: config-volume
-        - mountPath: /alertmanager
-          name: alertmanager-db
-      - args:
-        - -webhook-url=http://localhost:9093/-/reload
-        - -volume-dir=/etc/alertmanager/config
-        - -volume-dir=/etc/tls/private
-        image: quay.io/openshift/origin-configmap-reloader:4.8.0
-        imagePullPolicy: IfNotPresent
-        name: config-reloader
-        resources:
-          requests:
-            cpu: 4m
-            memory: 25Mi
-        volumeMounts:
-        - mountPath: /etc/alertmanager/config
-          name: config-volume
-          readOnly: true
-        - mountPath: /etc/tls/private
-          name: tls-secret
-          readOnly: true
-      - args:
-        - --provider=openshift
-        - --https-address=:9095
-        - --http-address=
-        - --upstream=http://localhost:9093
-        - --openshift-sar={"resource":"namespaces","verb":"get"}
-        - --openshift-delegate-urls={"/":{"resource":"namespaces","verb":"get"}}
-        - --tls-cert=/etc/tls/private/tls.crt
-        - --tls-key=/etc/tls/private/tls.key
-        # - --email-domain=*
-        # - --scope=user:full
-        # - --client-id=alertmanager
-        # - --client-secret=alertmanagersecret
-        - --openshift-service-account=alertmanager
-        - --cookie-secret-file=/etc/proxy/secrets/session_secret
-        - --skip-provider-button=true
-        - --openshift-ca=/etc/pki/tls/cert.pem
-        - --openshift-ca=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
-        image: quay.io/stolostron/origin-oauth-proxy:4.5
-        imagePullPolicy: IfNotPresent
-        name: alertmanager-proxy
-        ports:
-        - containerPort: 9095
-          name: oauth-proxy
-          protocol: TCP
-        resources:
-          requests:
-            cpu: 1m
-            memory: 20Mi
-        readinessProbe:
-          failureThreshold: 3
-          httpGet:
-            path: /oauth/healthz
-            port: 9095
-            scheme: HTTPS
-          periodSeconds: 10
-          successThreshold: 1
-          timeoutSeconds: 1
-        volumeMounts:
-        - mountPath: /etc/tls/private
-          name: tls-secret
-          readOnly: true
-        - mountPath: /etc/proxy/secrets
+        - args:
+            - --config.file=/etc/alertmanager/config/alertmanager.yaml
+            - --cluster.listen-address=[$(POD_IP)]:9094
+            - --storage.path=/alertmanager
+            - --data.retention=120h
+            - --web.listen-address=127.0.0.1:9093
+            - --web.route-prefix=/
+          env:
+            - name: POD_IP
+              valueFrom:
+                fieldRef:
+                  apiVersion: v1
+                  fieldPath: status.podIP
+          image: quay.io/stolostron/prometheus-alertmanager:2.3.0-SNAPSHOT-2021-07-26-18-43-26
+          imagePullPolicy: IfNotPresent
+          name: alertmanager
+          ports:
+            - containerPort: 9094
+              name: mesh-tcp
+              protocol: TCP
+            - containerPort: 9093
+              name: web
+              protocol: TCP
+            - containerPort: 9094
+              name: mesh-udp
+              protocol: UDP
+          resources:
+            requests:
+              cpu: 4m
+              memory: 200Mi
+          volumeMounts:
+            - mountPath: /etc/alertmanager/config
+              name: config-volume
+            - mountPath: /alertmanager
+              name: alertmanager-db
+          securityContext:
+            privileged: false
+            readOnlyRootFilesystem: true
+        - args:
+            - -webhook-url=http://localhost:9093/-/reload
+            - -volume-dir=/etc/alertmanager/config
+            - -volume-dir=/etc/tls/private
+          image: quay.io/openshift/origin-configmap-reloader:4.8.0
+          imagePullPolicy: IfNotPresent
+          name: config-reloader
+          resources:
+            requests:
+              cpu: 4m
+              memory: 25Mi
+          volumeMounts:
+            - mountPath: /etc/alertmanager/config
+              name: config-volume
+              readOnly: true
+            - mountPath: /etc/tls/private
+              name: tls-secret
+              readOnly: true
+          securityContext:
+            privileged: false
+            readOnlyRootFilesystem: true
+        - args:
+            - --provider=openshift
+            - --https-address=:9095
+            - --http-address=
+            - --upstream=http://localhost:9093
+            - --openshift-sar={"resource":"namespaces","verb":"get"}
+            - --openshift-delegate-urls={"/":{"resource":"namespaces","verb":"get"}}
+            - --tls-cert=/etc/tls/private/tls.crt
+            - --tls-key=/etc/tls/private/tls.key
+            # - --email-domain=*
+            # - --scope=user:full
+            # - --client-id=alertmanager
+            # - --client-secret=alertmanagersecret
+            - --openshift-service-account=alertmanager
+            - --cookie-secret-file=/etc/proxy/secrets/session_secret
+            - --skip-provider-button=true
+            - --openshift-ca=/etc/pki/tls/cert.pem
+            - --openshift-ca=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+          image: quay.io/stolostron/origin-oauth-proxy:4.5
+          imagePullPolicy: IfNotPresent
           name: alertmanager-proxy
+          ports:
+            - containerPort: 9095
+              name: oauth-proxy
+              protocol: TCP
+          resources:
+            requests:
+              cpu: 1m
+              memory: 20Mi
+          readinessProbe:
+            failureThreshold: 3
+            httpGet:
+              path: /oauth/healthz
+              port: 9095
+              scheme: HTTPS
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 1
+          volumeMounts:
+            - mountPath: /etc/tls/private
+              name: tls-secret
+              readOnly: true
+            - mountPath: /etc/proxy/secrets
+              name: alertmanager-proxy
+          securityContext:
+            privileged: false
+            readOnlyRootFilesystem: true
       serviceAccount: alertmanager
       serviceAccountName: alertmanager
       volumes:
-      - name: config-volume
-        secret:
-          defaultMode: 420
-          secretName: alertmanager-config
-      - name: alertmanager-proxy
-        secret:
-          defaultMode: 420
-          secretName: alertmanager-proxy
-      - name: tls-secret
-        secret:
-          defaultMode: 420
-          secretName: alertmanager-tls
+        - name: config-volume
+          secret:
+            defaultMode: 420
+            secretName: alertmanager-config
+        - name: alertmanager-proxy
+          secret:
+            defaultMode: 420
+            secretName: alertmanager-proxy
+        - name: tls-secret
+          secret:
+            defaultMode: 420
+            secretName: alertmanager-tls
   volumeClaimTemplates:
-  - metadata:
-      name: alertmanager-db
-    spec:
-      accessModes:
-      - ReadWriteOnce
-      resources:
-        requests:
-          storage: 10Gi
-      storageClassName: "gp2"
+    - metadata:
+        name: alertmanager-db
+      spec:
+        accessModes:
+          - ReadWriteOnce
+        resources:
+          requests:
+            storage: 10Gi
+        storageClassName: "gp2"