fix: set seccomp profiles and grant SAs necessary premissions to run

When running in namespace with Pod Security Standard profile "restricted" we need to set RunAsNonRoot and SeccompProfile to all workloads running on that namespace. Futhermore on OpenShift to run with a SeccompProfile set we need to grant service accounts premisisons to use the SCC nonroot-v2 #149
rhobs · Jun 3, 2022 · 18487a8 · 18487a8
1 parent 390a4aa
commit 18487a8
Show file tree

Hide file tree

Showing 6 changed files with 88 additions and 1 deletion.
diff --git a/deploy/dependencies/kustomization.yaml b/deploy/dependencies/kustomization.yaml
@@ -40,6 +40,10 @@ patches:
                     cpu: 5m
                     memory: 150Mi
                 terminationMessagePolicy: FallbackToLogsOnError
+            securityContext:
+              runAsNonRoot: true
+              seccompProfile:
+                type: RuntimeDefault
   - patch: |-
       - op: remove
         path: /spec/template/spec/nodeSelector
@@ -48,3 +52,20 @@ patches:
       version: v1
       kind: Deployment
 
+  - patch: |-
+      - op: add
+        path: /rules/-
+        value:
+          apiGroups:
+            - security.openshift.io
+          resourceNames:
+            - nonroot-v2
+          resources:
+            - securitycontextconstraints
+          verbs:
+            - use
+    target:
+      group: rbac.authorization.k8s.io
+      version: v1
+      kind: ClusterRole
+      name: prometheus-operator
diff --git a/deploy/operator/observability-operator-cluster-role.yaml b/deploy/operator/observability-operator-cluster-role.yaml
@@ -158,3 +158,11 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - security.openshift.io
+  resourceNames:
+  - nonroot-v2
+  resources:
+  - securitycontextconstraints
+  verbs:
+  - use
diff --git a/deploy/operator/observability-operator-deployment.yaml b/deploy/operator/observability-operator-deployment.yaml
@@ -22,6 +22,8 @@ spec:
     spec:
       securityContext:
         runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
       containers:
         - name: operator
           image: observability-operator:0.0.1
@@ -35,6 +37,9 @@ spec:
                 fieldPath: metadata.namespace
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+              - ALL
           resources:
             limits:
               cpu: 200m

diff --git a/pkg/controllers/monitoring/monitoring-stack/alertmanager.go b/pkg/controllers/monitoring/monitoring-stack/alertmanager.go
@@ -3,6 +3,8 @@ package monitoringstack
 import (
 	stack "github.com/rhobs/observability-operator/pkg/apis/monitoring/v1alpha1"
 	policyv1 "k8s.io/api/policy/v1"
+	rbacv1 "k8s.io/api/rbac/v1"
+	"k8s.io/utils/pointer"
 
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/util/intstr"
@@ -65,6 +67,14 @@ func newAlertmanager(
 					},
 				},
 			},
+			SecurityContext: &corev1.PodSecurityContext{
+				FSGroup:      pointer.Int64(AlertmanagerUserFSGroupID),
+				RunAsNonRoot: pointer.Bool(true),
+				RunAsUser:    pointer.Int64(AlertmanagerUserFSGroupID),
+				SeccompProfile: &corev1.SeccompProfile{
+					Type: corev1.SeccompProfileTypeRuntimeDefault,
+				},
+			},
 		},
 	}
 }
@@ -119,3 +129,24 @@ func newAlertmanagerPDB(ms *stack.MonitoringStack, instanceSelectorKey string, i
 		},
 	}
 }
+
+func newAlertManagerRole(ms *stack.MonitoringStack, rbacResourceName string, rbacVerbs []string) *rbacv1.Role {
+	return &rbacv1.Role{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: rbacv1.SchemeGroupVersion.String(),
+			Kind:       "Role",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      rbacResourceName,
+			Namespace: ms.Namespace,
+		},
+		Rules: []rbacv1.PolicyRule{
+			{
+				APIGroups:     []string{"security.openshift.io"},
+				Resources:     []string{"securitycontextconstraints"},
+				ResourceNames: []string{"nonroot-v2"},
+				Verbs:         []string{"use"},
+			},
+		},
+	}
+}
diff --git a/pkg/controllers/monitoring/monitoring-stack/components.go b/pkg/controllers/monitoring/monitoring-stack/components.go
@@ -7,6 +7,7 @@ import (
 	stack "github.com/rhobs/observability-operator/pkg/apis/monitoring/v1alpha1"
 
 	"k8s.io/apimachinery/pkg/util/intstr"
+	"k8s.io/utils/pointer"
 
 	monv1 "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1"
 	policyv1 "k8s.io/api/policy/v1"
@@ -20,6 +21,8 @@ import (
 )
 
 const AdditionalScrapeConfigsSelfScrapeKey = "self-scrape-config"
+const PrometheusUserFSGroupID = 65534
+const AlertmanagerUserFSGroupID = 65535
 
 type reconcileFunction func(ctx context.Context, c client.Client, scheme *runtime.Scheme) error
 
@@ -49,6 +52,8 @@ func stackComponentReconcilers(ms *stack.MonitoringStack, instanceSelectorKey st
 		defaultReconciler(newRoleBinding(ms, prometheusRBACResourceName), ms),
 		defaultReconciler(newAdditionalScrapeConfigsSecret(ms, additionalScrapeConfigsSecretName), ms),
 		defaultReconciler(newServiceAccount(alertmanagerRBACResourceName, ms.Namespace), ms),
+		defaultReconciler(newAlertManagerRole(ms, alertmanagerRBACResourceName, rbacVerbs), ms),
+		defaultReconciler(newRoleBinding(ms, alertmanagerRBACResourceName), ms),
 		defaultReconciler(newAlertmanager(ms, alertmanagerRBACResourceName, instanceSelectorKey, instanceSelectorValue), ms),
 		defaultReconciler(newAlertmanagerService(ms, instanceSelectorKey, instanceSelectorValue), ms),
 		defaultReconciler(newAlertmanagerPDB(ms, instanceSelectorKey, instanceSelectorValue), ms),
@@ -80,6 +85,12 @@ func newPrometheusRole(ms *stack.MonitoringStack, rbacResourceName string, rbacV
 				Resources: []string{"ingresses"},
 				Verbs:     rbacVerbs,
 			},
+			{
+				APIGroups:     []string{"security.openshift.io"},
+				Resources:     []string{"securitycontextconstraints"},
+				ResourceNames: []string{"nonroot-v2"},
+				Verbs:         []string{"use"},
+			},
 		},
 	}
 }
@@ -163,7 +174,15 @@ func newPrometheus(
 					},
 					Key: AdditionalScrapeConfigsSelfScrapeKey,
 				},
-				Storage:        storageForPVC(config.PersistentVolumeClaim),
+				Storage: storageForPVC(config.PersistentVolumeClaim),
+				SecurityContext: &corev1.PodSecurityContext{
+					FSGroup:      pointer.Int64(PrometheusUserFSGroupID),
+					RunAsNonRoot: pointer.Bool(true),
+					RunAsUser:    pointer.Int64(PrometheusUserFSGroupID),
+					SeccompProfile: &corev1.SeccompProfile{
+						Type: corev1.SeccompProfileTypeRuntimeDefault,
+					},
+				},
 				RemoteWrite:    config.RemoteWrite,
 				ExternalLabels: config.ExternalLabels,
 			},

diff --git a/pkg/controllers/monitoring/monitoring-stack/controller.go b/pkg/controllers/monitoring/monitoring-stack/controller.go
@@ -70,6 +70,9 @@ type Options struct {
 //+kubebuilder:rbac:groups="",resources=pods;services;endpoints,verbs=get;list;watch
 //+kubebuilder:rbac:groups=extensions;networking.k8s.io,resources=ingresses,verbs=get;list;watch
 
+// RBAC for delegating the use of SCC nonroot-v2 needed for OpenShift
+//+kubebuilder:rbac:groups="security.openshift.io",resources=securitycontextconstraints,resourceNames=nonroot-v2,verbs=use
+
 // RegisterWithManager registers the controller with Manager
 func RegisterWithManager(mgr ctrl.Manager, opts Options) error {
 	split := strings.Split(opts.InstanceSelector, "=")