ansible/helm: add ssc to not allow root previleges

Signed-off-by: Camila Macedo <cmacedo@redhat.com>
operator-framework · Mar 15, 2021 · 5bec9e1 · 5bec9e1
1 parent c6796de
commit 5bec9e1
Show file tree

Hide file tree

Showing 7 changed files with 70 additions and 0 deletions.
diff --git a/changelog/fragments/ansible-helm-ssc.yaml b/changelog/fragments/ansible-helm-ssc.yaml
@@ -0,0 +1,46 @@
+# entries is a list of entries to include in
+# release notes and/or the migration guide
+entries:
+  - description: >
+      ansible/v1, helm/v1) Added `securityContext`'s to the manager's Deployment to disallow running as root user.
+
+    # kind is one of:
+    # - addition
+    # - change
+    # - deprecation
+    # - removal
+    # - bugfix
+    kind: "addition"
+
+    # Is this a breaking change?
+    breaking: false
+
+    # NOTE: ONLY USE `pull_request_override` WHEN ADDING THIS
+    # FILE FOR A PREVIOUSLY MERGED PULL_REQUEST!
+    #
+    # The generator auto-detects the PR number from the commit
+    # message in which this file was originally added.
+    #
+    # What is the pull request number (without the "#")?
+    # pull_request_override: 0
+
+
+    # Migration can be defined to automatically add a section to
+    # the migration guide. This is required for breaking changes.
+    migration:
+      header: (ansible/v1, helm/v1) Add `securityContext`'s to your manager's Deployment.
+      body: >
+        In `config/manager/manager.yaml`, add the following security contexts:
+        ```yaml
+        spec:
+          ...
+          template:
+            ...
+            spec:
+              securityContext:
+                runAsNonRoot: true
+              containers:
+              - name: manager
+                securityContext:
+                  allowPrivilegeEscalation: false
+        ```
diff --git a/internal/plugins/ansible/v1/scaffolds/internal/templates/config/manager/manager.go b/internal/plugins/ansible/v1/scaffolds/internal/templates/config/manager/manager.go
@@ -69,6 +69,8 @@ spec:
       labels:
         control-plane: controller-manager
     spec:
+      securityContext:
+        runAsNonRoot: true
       containers:
         - name: manager
           args:
@@ -78,6 +80,8 @@ spec:
             - name: ANSIBLE_GATHERING
               value: explicit
           image: {{ .Image }}
+          securityContext:
+            allowPrivilegeEscalation: false
           livenessProbe:
             httpGet:
               path: /healthz

diff --git a/internal/plugins/helm/v1/scaffolds/internal/templates/config/manager/manager.go b/internal/plugins/helm/v1/scaffolds/internal/templates/config/manager/manager.go
@@ -69,12 +69,16 @@ spec:
       labels:
         control-plane: controller-manager
     spec:
+      securityContext:
+        runAsNonRoot: true
       containers:
       - image: {{ .Image }}
         args:
         - "--enable-leader-election"
         - "--leader-election-id={{ .ProjectName }}"
         name: manager
+        securityContext:
+          allowPrivilegeEscalation: false
         livenessProbe:
           httpGet:
             path: /healthz

diff --git a/...ansible/memcached-operator/bundle/manifests/memcached-operator.clusterserviceversion.yaml b/...ansible/memcached-operator/bundle/manifests/memcached-operator.clusterserviceversion.yaml
@@ -138,6 +138,10 @@ spec:
                   initialDelaySeconds: 5
                   periodSeconds: 10
                 resources: {}
+                securityContext:
+                  allowPrivilegeEscalation: false
+              securityContext:
+                runAsNonRoot: true
               terminationGracePeriodSeconds: 10
       permissions:
       - rules:

diff --git a/testdata/ansible/memcached-operator/config/manager/manager.yaml b/testdata/ansible/memcached-operator/config/manager/manager.yaml
@@ -22,6 +22,8 @@ spec:
       labels:
         control-plane: controller-manager
     spec:
+      securityContext:
+        runAsNonRoot: true
       containers:
         - name: manager
           args:
@@ -31,6 +33,8 @@ spec:
             - name: ANSIBLE_GATHERING
               value: explicit
           image: controller:latest
+          securityContext:
+            allowPrivilegeEscalation: false
           livenessProbe:
             httpGet:
               path: /healthz

diff --git a/...ta/helm/memcached-operator/bundle/manifests/memcached-operator.clusterserviceversion.yaml b/...ta/helm/memcached-operator/bundle/manifests/memcached-operator.clusterserviceversion.yaml
@@ -229,6 +229,10 @@ spec:
                   requests:
                     cpu: 100m
                     memory: 60Mi
+                securityContext:
+                  allowPrivilegeEscalation: false
+              securityContext:
+                runAsNonRoot: true
               terminationGracePeriodSeconds: 10
       permissions:
       - rules:

diff --git a/testdata/helm/memcached-operator/config/manager/manager.yaml b/testdata/helm/memcached-operator/config/manager/manager.yaml
@@ -22,12 +22,16 @@ spec:
       labels:
         control-plane: controller-manager
     spec:
+      securityContext:
+        runAsNonRoot: true
       containers:
       - image: controller:latest
         args:
         - "--enable-leader-election"
         - "--leader-election-id=memcached-operator"
         name: manager
+        securityContext:
+          allowPrivilegeEscalation: false
         livenessProbe:
           httpGet:
             path: /healthz