Addressing PodSecurity violation warnings: (#2685)

* 🛂 Addressing PodSecurity violation warnings: * adding/updating securityContext, as needed, to allow running as 'restricted' standard. * adding seccompProfile PR references from knative/eventing repo: * knative/eventing#5863 * knative/eventing#6533 Signed-off-by: Matthias Wessendorf <mwessend@redhat.com> * revert zipkin changes Signed-off-by: Matthias Wessendorf <mwessend@redhat.com> * Update control-plane/config/post-install/500-storage-version-migrator.yaml Co-authored-by: Pierangelo Di Pilato <pierangelodipilato@gmail.com> Signed-off-by: Matthias Wessendorf <mwessend@redhat.com> Co-authored-by: Pierangelo Di Pilato <pierangelodipilato@gmail.com>
knative-extensions · Oct 21, 2022 · 625d68e · 625d68e
1 parent 85db1f9
commit 625d68e
Show file tree

Hide file tree

Showing 16 changed files with 89 additions and 13 deletions.
diff --git a/control-plane/config/eventing-kafka-broker/200-controller/500-controller.yaml b/control-plane/config/eventing-kafka-broker/200-controller/500-controller.yaml
@@ -185,6 +185,10 @@ spec:
           terminationMessagePath: /dev/temination-log
           securityContext:
             allowPrivilegeEscalation: false
-            privileged: false
             readOnlyRootFilesystem: true
+            capabilities:
+              drop:
+              - ALL
+            seccompProfile:
+              type: RuntimeDefault
       restartPolicy: Always
diff --git a/control-plane/config/eventing-kafka-broker/200-webhook/500-webhook.yaml b/control-plane/config/eventing-kafka-broker/200-webhook/500-webhook.yaml
@@ -81,6 +81,12 @@ spec:
 
           securityContext:
             allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            capabilities:
+              drop:
+              - ALL
+            seccompProfile:
+              type: RuntimeDefault
 
           ports:
             - name: https-webhook

diff --git a/control-plane/config/eventing-kafka-source/200-controller/500-controller.yaml b/control-plane/config/eventing-kafka-source/200-controller/500-controller.yaml
@@ -113,6 +113,10 @@ spec:
           terminationMessagePath: /dev/temination-log
           securityContext:
             allowPrivilegeEscalation: false
-            privileged: false
             readOnlyRootFilesystem: true
+            capabilities:
+              drop:
+              - ALL
+            seccompProfile:
+              type: RuntimeDefault
       restartPolicy: Always
diff --git a/control-plane/config/post-install/500-post-install-job.yaml b/control-plane/config/post-install/500-post-install-job.yaml
@@ -43,3 +43,12 @@ spec:
                   fieldPath: metadata.namespace
             - name: CHANNEL_GENERAL_CONFIG_MAP_NAME
               value: kafka-channel-config
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            capabilities:
+              drop:
+              - ALL
+            seccompProfile:
+              type: RuntimeDefault
diff --git a/control-plane/config/post-install/500-storage-version-migrator.yaml b/control-plane/config/post-install/500-storage-version-migrator.yaml
@@ -43,3 +43,12 @@ spec:
             - "kafkasources.sources.knative.dev"
             - "kafkachannels.messaging.knative.dev"
             - "kafkasinks.eventing.knative.dev"
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            capabilities:
+              drop:
+              - ALL
+            seccompProfile:
+              type: RuntimeDefault
diff --git a/data-plane/config/broker/500-dispatcher.yaml b/data-plane/config/broker/500-dispatcher.yaml
@@ -141,8 +141,12 @@ spec:
           terminationMessagePath: /dev/temination-log
           securityContext:
             allowPrivilegeEscalation: false
-            privileged: false
             readOnlyRootFilesystem: true
+            capabilities:
+              drop:
+              - ALL
+            seccompProfile:
+              type: RuntimeDefault
       volumes:
         - name: config-kafka-broker-data-plane
           configMap:

diff --git a/data-plane/config/broker/500-receiver.yaml b/data-plane/config/broker/500-receiver.yaml
@@ -144,8 +144,12 @@ spec:
           terminationMessagePath: /dev/temination-log
           securityContext:
             allowPrivilegeEscalation: false
-            privileged: false
             readOnlyRootFilesystem: true
+            capabilities:
+              drop:
+              - ALL
+            seccompProfile:
+              type: RuntimeDefault
       volumes:
         - name: kafka-broker-brokers-triggers
           configMap:

diff --git a/data-plane/config/brokerv2/500-dispatcher.yaml b/data-plane/config/brokerv2/500-dispatcher.yaml
@@ -149,8 +149,12 @@ spec:
           terminationMessagePath: /dev/temination-log
           securityContext:
             allowPrivilegeEscalation: false
-            privileged: false
             readOnlyRootFilesystem: true
+            capabilities:
+              drop:
+              - ALL
+            seccompProfile:
+              type: RuntimeDefault
       volumes:
         - name: config-kafka-broker-data-plane
           configMap:

diff --git a/data-plane/config/channel/500-dispatcher.yaml b/data-plane/config/channel/500-dispatcher.yaml
@@ -141,8 +141,12 @@ spec:
           terminationMessagePath: /dev/temination-log
           securityContext:
             allowPrivilegeEscalation: false
-            privileged: false
             readOnlyRootFilesystem: true
+            capabilities:
+              drop:
+              - ALL
+            seccompProfile:
+              type: RuntimeDefault
       volumes:
         - name: config-kafka-channel-data-plane
           configMap:

diff --git a/data-plane/config/channel/500-receiver.yaml b/data-plane/config/channel/500-receiver.yaml
@@ -144,8 +144,12 @@ spec:
           terminationMessagePath: /dev/temination-log
           securityContext:
             allowPrivilegeEscalation: false
-            privileged: false
             readOnlyRootFilesystem: true
+            capabilities:
+              drop:
+              - ALL
+            seccompProfile:
+              type: RuntimeDefault
       volumes:
         - name: kafka-channel-channels-subscriptions
           configMap:

diff --git a/data-plane/config/channelv2/500-dispatcher.yaml b/data-plane/config/channelv2/500-dispatcher.yaml
@@ -150,8 +150,12 @@ spec:
           terminationMessagePath: /dev/temination-log
           securityContext:
             allowPrivilegeEscalation: false
-            privileged: false
             readOnlyRootFilesystem: true
+            capabilities:
+              drop:
+              - ALL
+            seccompProfile:
+              type: RuntimeDefault
       volumes:
         - name: config-kafka-channel-data-plane
           configMap:

diff --git a/data-plane/config/sink/500-receiver.yaml b/data-plane/config/sink/500-receiver.yaml
@@ -144,8 +144,12 @@ spec:
           terminationMessagePath: /dev/temination-log
           securityContext:
             allowPrivilegeEscalation: false
-            privileged: false
             readOnlyRootFilesystem: true
+            capabilities:
+              drop:
+              - ALL
+            seccompProfile:
+              type: RuntimeDefault
       volumes:
         - name: kafka-sink-sinks
           configMap:

diff --git a/data-plane/config/source/500-dispatcher.yaml b/data-plane/config/source/500-dispatcher.yaml
@@ -150,8 +150,12 @@ spec:
           terminationMessagePath: /dev/temination-log
           securityContext:
             allowPrivilegeEscalation: false
-            privileged: false
             readOnlyRootFilesystem: true
+            capabilities:
+              drop:
+              - ALL
+            seccompProfile:
+              type: RuntimeDefault
       volumes:
         - name: config-kafka-source-data-plane
           configMap:

diff --git a/test/config/cm-watcher-broker.yaml b/test/config/cm-watcher-broker.yaml
@@ -73,8 +73,12 @@ spec:
           terminationMessagePath: /dev/temination-log
           securityContext:
             allowPrivilegeEscalation: false
-            privileged: false
             readOnlyRootFilesystem: true
+            capabilities:
+              drop:
+              - ALL
+            seccompProfile:
+              type: RuntimeDefault
       volumes:
         - name: config-logging
           configMap:

diff --git a/test/config/cm-watcher-channel.yaml b/test/config/cm-watcher-channel.yaml
@@ -73,8 +73,12 @@ spec:
           terminationMessagePath: /dev/temination-log
           securityContext:
             allowPrivilegeEscalation: false
-            privileged: false
             readOnlyRootFilesystem: true
+            capabilities:
+              drop:
+              - ALL
+            seccompProfile:
+              type: RuntimeDefault
       volumes:
         - name: config-logging
           configMap:

diff --git a/test/config/cm-watcher-sink.yaml b/test/config/cm-watcher-sink.yaml
@@ -73,8 +73,12 @@ spec:
           terminationMessagePath: /dev/temination-log
           securityContext:
             allowPrivilegeEscalation: false
-            privileged: false
             readOnlyRootFilesystem: true
+            capabilities:
+              drop:
+              - ALL
+            seccompProfile:
+              type: RuntimeDefault
       volumes:
         - name: config-logging
           configMap: