From 6148ebe38dca8e885dd776a0b5b001292a27be02 Mon Sep 17 00:00:00 2001
From: Scott Trent
Date: Mon, 30 Sep 2024 14:11:54 +0900
Subject: [PATCH] boost default pod security
Signed-off-by: Scott Trent
---
 .../manifests/susql-operator.clusterserviceversion.yaml | 9 ++-------
 config/default/manager_auth_proxy_patch.yaml | 2 --
 config/default/manager_config_patch.yaml | 3 +--
 config/manager/manager.yaml | 5 +----
 deployment/susql-controller/templates/deployment.yaml | 3 +--
 5 files changed, 5 insertions(+), 17 deletions(-)
diff --git a/bundle/manifests/susql-operator.clusterserviceversion.yaml b/bundle/manifests/susql-operator.clusterserviceversion.yaml
index 0bba6d3..72b5482 100644
--- a/bundle/manifests/susql-operator.clusterserviceversion.yaml
+++ b/bundle/manifests/susql-operator.clusterserviceversion.yaml
@@ -28,7 +28,7 @@ metadata:
 capabilities: Basic Install
 categories: Monitoring
 containerImage: quay.io/sustainable_computing_io/susql_operator:0.0.32
- createdAt: "2024-09-30T02:37:03Z"
+ createdAt: "2024-09-30T05:10:03Z"
 description: 'Aggregates energy and CO2 emission data for pods tagged with SusQL labels
 '
 features.operators.openshift.io/disconnected: "false"
@@ -212,9 +212,7 @@ spec:
 drop:
 - ALL
 readOnlyRootFilesystem: true
- runAsGroup: 14001
 runAsNonRoot: true
- runAsUser: 14001
 - command:
 - /manager
 env:
@@ -339,12 +337,9 @@ spec:
 capabilities:
 drop:
 - ALL
- runAsGroup: 12001
- runAsUser: 12001
+ readOnlyRootFilesystem: true
 securityContext:
- runAsGroup: 11001
 runAsNonRoot: true
- runAsUser: 11001
 serviceAccountName: susql-operator-susql-controller-manager
 terminationGracePeriodSeconds: 10
 permissions:
diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml
index 3b1abf2..73f91cc 100644
--- a/config/default/manager_auth_proxy_patch.yaml
+++ b/config/default/manager_auth_proxy_patch.yaml
@@ -14,8 +14,6 @@ spec:
 allowPrivilegeEscalation: false
 readOnlyRootFilesystem: true
 runAsNonRoot: true
- runAsUser: 14001
- runAsGroup: 14001
 capabilities:
 drop:
 - "ALL"
diff --git a/config/default/manager_config_patch.yaml b/config/default/manager_config_patch.yaml
index 550ee39..bd993a2 100644
--- a/config/default/manager_config_patch.yaml
+++ b/config/default/manager_config_patch.yaml
@@ -10,9 +10,8 @@ spec:
 - name: manager
 imagePullPolicy: Always
 securityContext:
- runAsUser: 11001
- runAsGroup: 11001
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 runAsNonRoot: true
 capabilities:
 drop:
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
index 67a81de..c3c2fc2 100644
--- a/config/manager/manager.yaml
+++ b/config/manager/manager.yaml
@@ -57,8 +57,6 @@ spec:
 # - linux
 securityContext:
 runAsNonRoot: true
- runAsUser: 11001
- runAsGroup: 11001
 # TODO(user): For common cases that do not require escalating privileges
 # it is recommended to ensure that all your Pods/Containers are restrictive.
 # More info: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
@@ -165,9 +163,8 @@ spec:
 imagePullPolicy: Always
 name: manager
 securityContext:
- runAsUser: 12001
- runAsGroup: 12001
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem : true
 capabilities:
 drop:
 - "ALL"
diff --git a/deployment/susql-controller/templates/deployment.yaml b/deployment/susql-controller/templates/deployment.yaml
index 037dd4b..f45dd34 100644
--- a/deployment/susql-controller/templates/deployment.yaml
+++ b/deployment/susql-controller/templates/deployment.yaml
@@ -24,9 +24,8 @@ spec:
 image: {{ required "Please specify a 'containerImage' in the user file" .Values.containerImage }}
 imagePullPolicy: {{ .Values.imagePullPolicy | default "Always" }}
 securityContext:
- runAsUser: 10001
- runAsGroup: 10001
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 runAsNonRoot: true
 capabilities:
 drop:
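Review bot: With `runAsUser`/`runAsGroup` removed from the kube-rbac-proxy container, the remaining `runAsNonRoot: true` is now checked by the kubelet against the image's `USER` directive: an image that runs as UID 0 or declares a non-numeric user is rejected at container start ("container has runAsNonRoot and image will run as root" / "has non-numeric user"), so the proxy stops coming up rather than silently running as root. Nothing in the hunk pins or documents that expectation; presumably it relies on the proxy image shipping a numeric non-root `USER` or on OpenShift's restricted SCC assigning a UID — worth confirming and recording above the `securityContext:` with a comment such as `# runAsUser/runAsGroup are left unset so PSA/SCC can assign a UID; the image must declare a numeric non-root USER`. The enclosing container spec starts and ends outside the hunk.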
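Review bot: The pod-level `securityContext` in this hunk now carries only `runAsNonRoot: true`, while the comment immediately below points at the restricted Pod Security Standard, which additionally requires `seccompProfile.type` of `RuntimeDefault` (or `Localhost`) at pod or container level; if that is not set somewhere outside the hunk (I cannot see the rest of the pod spec here), the pod is still rejected under `pod-security.kubernetes.io/enforce: restricted`. Adding `seccompProfile:` with `type: RuntimeDefault` under this `securityContext:` would make the manifest actually meet the profile the comment cites. The enclosing pod spec starts and ends outside the hunk.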
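Review bot: The added line `readOnlyRootFilesystem : true` in config/manager/manager.yaml has a space before the colon, unlike the same key added to the other patched files; YAML still parses the key as `readOnlyRootFilesystem` (trailing whitespace is not part of a plain scalar), but yamllint's `colons` rule flags it and a reader will read it as a typo. Change it to `readOnlyRootFilesystem: true`. Dropping `runAsUser: 12001` here also means the manager container's non-root check now depends on the image's numeric `USER`, which the hunk does not document. The enclosing container spec starts and ends outside the hunk.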
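Review bot: `readOnlyRootFilesystem: true` in the Helm template makes the whole image filesystem immutable, so any runtime write by the manager (a temp file or cache under `/tmp`, for example) now fails with EROFS; the hunk adds no `emptyDir` volume for such a path, and I cannot tell from here whether the binary needs one, so this should be confirmed against the manager's runtime behaviour before the chart is released. If a writable path is required, mount an `emptyDir` there rather than relaxing the setting, and note the decision next to the key with `# manager writes nothing at runtime; no emptyDir needed` (or the mount). The container and pod specs start and end outside the hunk.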