Merge pull request red-hat-storage#2545 from iamniting/root

bundle: add readOnlyRootFilesystem for ocs-operator
jarrpa · Apr 8, 2024 · 0a7b8c1 · 0a7b8c1
2 parents 4689ec0 + 1e28d79
commit 0a7b8c1
Show file tree

Hide file tree

Showing 7 changed files with 29 additions and 2 deletions.
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
@@ -45,7 +45,8 @@ spec:
           allowPrivilegeEscalation: false
           capabilities:
               drop:
-                - all
+              - all
+          readOnlyRootFilesystem: true
         volumeMounts:
         - mountPath: /etc/private-key
           name: onboarding-private-key

diff --git a/controllers/storagecluster/exporter.go b/controllers/storagecluster/exporter.go
@@ -333,7 +333,8 @@ func deployMetricsExporter(ctx context.Context, r *StorageClusterReconciler, ins
 							{ContainerPort: 8081},
 						},
 						SecurityContext: &corev1.SecurityContext{
-							RunAsNonRoot: ptr.To(true),
+							RunAsNonRoot:           ptr.To(true),
+							ReadOnlyRootFilesystem: ptr.To(true),
 						},
 						VolumeMounts: []corev1.VolumeMount{{
 							Name:      "ceph-config",

diff --git a/controllers/storagecluster/provider_server.go b/controllers/storagecluster/provider_server.go
@@ -370,6 +370,10 @@ func GetProviderAPIServerDeployment(instance *ocsv1.StorageCluster) *appsv1.Depl
 									ContainerPort: ocsProviderServicePort,
 								},
 							},
+							SecurityContext: &corev1.SecurityContext{
+								RunAsNonRoot:           ptr.To(true),
+								ReadOnlyRootFilesystem: ptr.To(true),
+							},
 							VolumeMounts: []corev1.VolumeMount{
 								{
 									Name:      "cert-secret",

diff --git a/controllers/storagecluster/provider_server_test.go b/controllers/storagecluster/provider_server_test.go
@@ -12,6 +12,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/client-go/tools/record"
+	"k8s.io/utils/ptr"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
@@ -396,6 +397,10 @@ func GetProviderAPIServerDeploymentForTest(instance *ocsv1.StorageCluster) *apps
 									ContainerPort: ocsProviderServicePort,
 								},
 							},
+							SecurityContext: &corev1.SecurityContext{
+								RunAsNonRoot:           ptr.To(true),
+								ReadOnlyRootFilesystem: ptr.To(true),
+							},
 							VolumeMounts: []corev1.VolumeMount{
 								{
 									Name:      "cert-secret",

diff --git a/deploy/csv-templates/ocs-operator.csv.yaml.in b/deploy/csv-templates/ocs-operator.csv.yaml.in
@@ -599,6 +599,7 @@ spec:
                   capabilities:
                     drop:
                     - all
+                  readOnlyRootFilesystem: true
                 volumeMounts:
                 - mountPath: /etc/private-key
                   name: onboarding-private-key

diff --git a/deploy/ocs-operator/manifests/ocs-operator.clusterserviceversion.yaml b/deploy/ocs-operator/manifests/ocs-operator.clusterserviceversion.yaml
@@ -638,6 +638,7 @@ spec:
                   capabilities:
                     drop:
                     - all
+                  readOnlyRootFilesystem: true
                 volumeMounts:
                 - mountPath: /etc/private-key
                   name: onboarding-private-key
@@ -689,6 +690,9 @@ spec:
                 ports:
                 - containerPort: 8080
                 resources: {}
+                securityContext:
+                  readOnlyRootFilesystem: true
+                  runAsNonRoot: true
                 volumeMounts:
                 - mountPath: /etc/private-key
                   name: onboarding-private-key
@@ -712,6 +716,9 @@ spec:
                 ports:
                 - containerPort: 8888
                 resources: {}
+                securityContext:
+                  readOnlyRootFilesystem: true
+                  runAsNonRoot: true
                 volumeMounts:
                 - mountPath: /etc/proxy/secrets
                   name: ux-proxy-secret

diff --git a/tools/csv-merger/csv-merger.go b/tools/csv-merger/csv-merger.go
@@ -672,6 +672,10 @@ func getUXBackendServerDeployment() appsv1.DeploymentSpec {
 								},
 							},
 						},
+						SecurityContext: &corev1.SecurityContext{
+							RunAsNonRoot:           ptr.To(true),
+							ReadOnlyRootFilesystem: ptr.To(true),
+						},
 					},
 					{
 						Name: "oauth-proxy",
@@ -702,6 +706,10 @@ func getUXBackendServerDeployment() appsv1.DeploymentSpec {
 								ContainerPort: 8888,
 							},
 						},
+						SecurityContext: &corev1.SecurityContext{
+							RunAsNonRoot:           ptr.To(true),
+							ReadOnlyRootFilesystem: ptr.To(true),
+						},
 					},
 				},
 				Volumes: []corev1.Volume{