From 625d68e802c2877a7e50012bd3e8fdb1f86288db Mon Sep 17 00:00:00 2001
From: Matthias Wessendorf
Date: Fri, 21 Oct 2022 14:35:14 +0200
Subject: [PATCH] Addressing PodSecurity violation warnings: (#2685)
* :passport_control: Addressing PodSecurity violation warnings:
* adding/updating securityContext, as needed, to allow running as 'restricted' standard.
* adding seccompProfile
PR references from knative/eventing repo:
* https://github.com/knative/eventing/pull/5863
* https://github.com/knative/eventing/pull/6533
Signed-off-by: Matthias Wessendorf
* revert zipkin changes
Signed-off-by: Matthias Wessendorf
* Update control-plane/config/post-install/500-storage-version-migrator.yaml
Co-authored-by: Pierangelo Di Pilato
Signed-off-by: Matthias Wessendorf
Co-authored-by: Pierangelo Di Pilato
---
 .../200-controller/500-controller.yaml | 6 +++++-
 .../eventing-kafka-broker/200-webhook/500-webhook.yaml | 6 ++++++
 .../200-controller/500-controller.yaml | 6 +++++-
 .../config/post-install/500-post-install-job.yaml | 9 +++++++++
 .../post-install/500-storage-version-migrator.yaml | 9 +++++++++
 data-plane/config/broker/500-dispatcher.yaml | 6 +++++-
 data-plane/config/broker/500-receiver.yaml | 6 +++++-
 data-plane/config/brokerv2/500-dispatcher.yaml | 6 +++++-
 data-plane/config/channel/500-dispatcher.yaml | 6 +++++-
 data-plane/config/channel/500-receiver.yaml | 6 +++++-
 data-plane/config/channelv2/500-dispatcher.yaml | 6 +++++-
 data-plane/config/sink/500-receiver.yaml | 6 +++++-
 data-plane/config/source/500-dispatcher.yaml | 6 +++++-
 test/config/cm-watcher-broker.yaml | 6 +++++-
 test/config/cm-watcher-channel.yaml | 6 +++++-
 test/config/cm-watcher-sink.yaml | 6 +++++-
 16 files changed, 89 insertions(+), 13 deletions(-)
diff --git a/control-plane/config/eventing-kafka-broker/200-controller/500-controller.yaml b/control-plane/config/eventing-kafka-broker/200-controller/500-controller.yaml
index 261c0bb0c6..6a495b35ae 100644
--- a/control-plane/config/eventing-kafka-broker/200-controller/500-controller.yaml
+++ b/control-plane/config/eventing-kafka-broker/200-controller/500-controller.yaml
@@ -185,6 +185,10 @@ spec:
 terminationMessagePath: /dev/temination-log
 securityContext:
 allowPrivilegeEscalation: false
- privileged: false
 readOnlyRootFilesystem: true
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
 restartPolicy: Always
diff --git a/control-plane/config/eventing-kafka-broker/200-webhook/500-webhook.yaml b/control-plane/config/eventing-kafka-broker/200-webhook/500-webhook.yaml
index b7cc21b079..2c13477995 100644
--- a/control-plane/config/eventing-kafka-broker/200-webhook/500-webhook.yaml
+++ b/control-plane/config/eventing-kafka-broker/200-webhook/500-webhook.yaml
@@ -81,6 +81,12 @@ spec:
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
 ports:
 - name: https-webhook
diff --git a/control-plane/config/eventing-kafka-source/200-controller/500-controller.yaml b/control-plane/config/eventing-kafka-source/200-controller/500-controller.yaml
index bcc2bff7d6..2a2977f65d 100644
--- a/control-plane/config/eventing-kafka-source/200-controller/500-controller.yaml
+++ b/control-plane/config/eventing-kafka-source/200-controller/500-controller.yaml
@@ -113,6 +113,10 @@ spec:
 terminationMessagePath: /dev/temination-log
 securityContext:
 allowPrivilegeEscalation: false
- privileged: false
 readOnlyRootFilesystem: true
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
 restartPolicy: Always
diff --git a/control-plane/config/post-install/500-post-install-job.yaml b/control-plane/config/post-install/500-post-install-job.yaml
index c5be8e2cbd..a368c9efa0 100644
--- a/control-plane/config/post-install/500-post-install-job.yaml
+++ b/control-plane/config/post-install/500-post-install-job.yaml
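Review bot: The container securityContext at the end of this hunk still lacks `runAsNonRoot: true`, which the restricted Pod Security Standard requires at pod or container level alongside the dropped capabilities and `seccompProfile`; unless it is already set in a pod-level securityContext outside the hunk, the 'restricted' warning this commit targets will persist. The same gap applies to the eventing-kafka-source controller hunk and to every data-plane and test/config hunk in this patch, while the two post-install hunks do add it, so consider `runAsNonRoot: true` next to `allowPrivilegeEscalation: false` in each for consistency. Dropping `privileged: false` is harmless, since false is the API default. Unrelated to this change, the context line `terminationMessagePath: /dev/temination-log` (repeated in the other hunks) looks misspelled; the kubelet reads the termination message from exactly that path, so anything the process writes to the conventional `/dev/termination-log` would not be picked up. The enclosing container spec starts outside the hunk.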
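Review bot: `readOnlyRootFilesystem: true` is newly introduced for the webhook container in this hunk (the other files in the patch already had it), and nothing in the diff shows whether the webhook needs a writable scratch path; if it writes certificates or temporary files to the container filesystem, the pod will start but fail at the first write. Verify against the webhook binary and, if needed, mount an `emptyDir` at the path it writes to rather than relaxing the flag. As with the controller hunk, `runAsNonRoot: true` is absent here unless set at pod level outside the hunk. The container spec starts before and continues after the hunk.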
@@ -43,3 +43,12 @@ spec:
 fieldPath: metadata.namespace
 - name: CHANNEL_GENERAL_CONFIG_MAP_NAME
 value: kafka-channel-config
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/control-plane/config/post-install/500-storage-version-migrator.yaml b/control-plane/config/post-install/500-storage-version-migrator.yaml
index 26a3b70e09..41e712546a 100644
--- a/control-plane/config/post-install/500-storage-version-migrator.yaml
+++ b/control-plane/config/post-install/500-storage-version-migrator.yaml
@@ -43,3 +43,12 @@ spec:
 - "kafkasources.sources.knative.dev"
 - "kafkachannels.messaging.knative.dev"
 - "kafkasinks.eventing.knative.dev"
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/data-plane/config/broker/500-dispatcher.yaml b/data-plane/config/broker/500-dispatcher.yaml
index 9a81e6a536..173d1141fc 100644
--- a/data-plane/config/broker/500-dispatcher.yaml
+++ b/data-plane/config/broker/500-dispatcher.yaml
@@ -141,8 +141,12 @@ spec:
 terminationMessagePath: /dev/temination-log
 securityContext:
 allowPrivilegeEscalation: false
- privileged: false
 readOnlyRootFilesystem: true
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
 volumes:
 - name: config-kafka-broker-data-plane
 configMap:
diff --git a/data-plane/config/broker/500-receiver.yaml b/data-plane/config/broker/500-receiver.yaml
index 859f90d20e..4ba55f5a9d 100644
--- a/data-plane/config/broker/500-receiver.yaml
+++ b/data-plane/config/broker/500-receiver.yaml
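Review bot: `runAsNonRoot: true` is added here without a `runAsUser`, so the kubelet can only honour it if the job image already declares a numeric non-root UID; if the image's USER is a name or unset, the pod is rejected at container creation instead of running, which is safe but will surface as a failed post-install job rather than a PodSecurity warning. Check the image's USER directive and, if it is not numeric, add `runAsUser: <NON_ROOT_UID>` (placeholder) beside `runAsNonRoot: true`. The same applies to the storage-version-migrator hunk in this patch, which adds the identical block. Since `readOnlyRootFilesystem` and `capabilities` are container-only fields, this block must sit under the container entry; the indentation is not visible here, so confirm it is not at pod level. The containers list begins outside the hunk.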
@@ -144,8 +144,12 @@ spec:
 terminationMessagePath: /dev/temination-log
 securityContext:
 allowPrivilegeEscalation: false
- privileged: false
 readOnlyRootFilesystem: true
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
 volumes:
 - name: kafka-broker-brokers-triggers
 configMap:
diff --git a/data-plane/config/brokerv2/500-dispatcher.yaml b/data-plane/config/brokerv2/500-dispatcher.yaml
index 89e0af6b4e..5f850fe8c2 100644
--- a/data-plane/config/brokerv2/500-dispatcher.yaml
+++ b/data-plane/config/brokerv2/500-dispatcher.yaml
@@ -149,8 +149,12 @@ spec:
 terminationMessagePath: /dev/temination-log
 securityContext:
 allowPrivilegeEscalation: false
- privileged: false
 readOnlyRootFilesystem: true
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
 volumes:
 - name: config-kafka-broker-data-plane
 configMap:
diff --git a/data-plane/config/channel/500-dispatcher.yaml b/data-plane/config/channel/500-dispatcher.yaml
index 024ac47619..e5825d297d 100644
--- a/data-plane/config/channel/500-dispatcher.yaml
+++ b/data-plane/config/channel/500-dispatcher.yaml
@@ -141,8 +141,12 @@ spec:
 terminationMessagePath: /dev/temination-log
 securityContext:
 allowPrivilegeEscalation: false
- privileged: false
 readOnlyRootFilesystem: true
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
 volumes:
 - name: config-kafka-channel-data-plane
 configMap:
diff --git a/data-plane/config/channel/500-receiver.yaml b/data-plane/config/channel/500-receiver.yaml
index 4f348c76dd..92699ad982 100644
--- a/data-plane/config/channel/500-receiver.yaml
+++ b/data-plane/config/channel/500-receiver.yaml
@@ -144,8 +144,12 @@ spec:
 terminationMessagePath: /dev/temination-log
 securityContext:
 allowPrivilegeEscalation: false
- privileged: false
 readOnlyRootFilesystem: true
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
 volumes:
 - name: kafka-channel-channels-subscriptions
 configMap:
diff --git a/data-plane/config/channelv2/500-dispatcher.yaml b/data-plane/config/channelv2/500-dispatcher.yaml
index 22e4966775..318d83159e 100644
--- a/data-plane/config/channelv2/500-dispatcher.yaml
+++ b/data-plane/config/channelv2/500-dispatcher.yaml
@@ -150,8 +150,12 @@ spec:
 terminationMessagePath: /dev/temination-log
 securityContext:
 allowPrivilegeEscalation: false
- privileged: false
 readOnlyRootFilesystem: true
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
 volumes:
 - name: config-kafka-channel-data-plane
 configMap:
diff --git a/data-plane/config/sink/500-receiver.yaml b/data-plane/config/sink/500-receiver.yaml
index 5412f3dc34..10c1cd7835 100644
--- a/data-plane/config/sink/500-receiver.yaml
+++ b/data-plane/config/sink/500-receiver.yaml
@@ -144,8 +144,12 @@ spec:
 terminationMessagePath: /dev/temination-log
 securityContext:
 allowPrivilegeEscalation: false
- privileged: false
 readOnlyRootFilesystem: true
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
 volumes:
 - name: kafka-sink-sinks
 configMap:
diff --git a/data-plane/config/source/500-dispatcher.yaml b/data-plane/config/source/500-dispatcher.yaml
index 1c104a8bd0..215ab722c1 100644
--- a/data-plane/config/source/500-dispatcher.yaml
+++ b/data-plane/config/source/500-dispatcher.yaml
@@ -150,8 +150,12 @@ spec:
 terminationMessagePath: /dev/temination-log
 securityContext:
 allowPrivilegeEscalation: false
- privileged: false
 readOnlyRootFilesystem: true
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
 volumes:
 - name: config-kafka-source-data-plane
 configMap:
diff --git a/test/config/cm-watcher-broker.yaml b/test/config/cm-watcher-broker.yaml
index 83a552f88a..6d0e7dc70e 100644
--- a/test/config/cm-watcher-broker.yaml
+++ b/test/config/cm-watcher-broker.yaml
@@ -73,8 +73,12 @@ spec:
 terminationMessagePath: /dev/temination-log
 securityContext:
 allowPrivilegeEscalation: false
- privileged: false
 readOnlyRootFilesystem: true
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
 volumes:
 - name: config-logging
 configMap:
diff --git a/test/config/cm-watcher-channel.yaml b/test/config/cm-watcher-channel.yaml
index fd48971a57..fc9c6693d6 100644
--- a/test/config/cm-watcher-channel.yaml
+++ b/test/config/cm-watcher-channel.yaml
@@ -73,8 +73,12 @@ spec:
 terminationMessagePath: /dev/temination-log
 securityContext:
 allowPrivilegeEscalation: false
- privileged: false
 readOnlyRootFilesystem: true
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
 volumes:
 - name: config-logging
 configMap:
diff --git a/test/config/cm-watcher-sink.yaml b/test/config/cm-watcher-sink.yaml
index 6d6250921e..39243edd9f 100644
--- a/test/config/cm-watcher-sink.yaml
+++ b/test/config/cm-watcher-sink.yaml
@@ -73,8 +73,12 @@ spec:
 terminationMessagePath: /dev/temination-log
 securityContext:
 allowPrivilegeEscalation: false
- privileged: false
 readOnlyRootFilesystem: true
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
 volumes:
 - name: config-logging
 configMap:
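Review bot: These three test deployments now carry the same container securityContext as the shipped manifests, but nothing in the patch turns a future PodSecurity warning into a test failure, so later edits can drift back without anyone noticing. If the e2e test namespace is created from a manifest in this repo, labelling it `pod-security.kubernetes.io/enforce: restricted` (or at least `pod-security.kubernetes.io/warn: restricted`) would make the admission controller flag any regression during the test run. The `runAsNonRoot` gap noted on the controller hunk applies equally to cm-watcher-broker, cm-watcher-channel and cm-watcher-sink unless it is set at pod level outside these hunks. Each container spec starts before its hunk.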