fix: Set seccomp profiles and grant SAs necessary premissions to run

When running in namespace with Pod Security Standard profile "restricted" we need to set RunAsNonRoot and SeccompProfile to all workloads running on that namespace. Futhermore on OpenShift to run with a SeccompProfile set we need to grant service accounts premisisons to use the SCC nonroot-v2 #149
rhobs · Jun 2, 2022 · 8fd94c6 · 8fd94c6
1 parent 390a4aa
commit 8fd94c6
Show file tree

Hide file tree

Showing 3 changed files with 68 additions and 1 deletion.
diff --git a/deploy/dependencies/kustomization.yaml b/deploy/dependencies/kustomization.yaml
@@ -40,6 +40,11 @@ patches:
                     cpu: 5m
                     memory: 150Mi
                 terminationMessagePolicy: FallbackToLogsOnError
+            securityContext:
+              runAsNonRoot: true
+              runAsUser: 65534
+              seccompProfile:
+                type: RuntimeDefault
   - patch: |-
       - op: remove
         path: /spec/template/spec/nodeSelector
@@ -48,3 +53,20 @@ patches:
       version: v1
       kind: Deployment
 
+  - patch: |-
+      - op: add
+        path: /rules/-
+        value:
+          apiGroups:
+            - security.openshift.io
+          resourceNames:
+            - nonroot-v2
+          resources:
+            - securitycontextconstraints
+          verbs:
+            - use
+    target:
+      group: rbac.authorization.k8s.io
+      version: v1
+      kind: ClusterRole
+      name: prometheus-operator
diff --git a/pkg/controllers/monitoring/monitoring-stack/alertmanager.go b/pkg/controllers/monitoring/monitoring-stack/alertmanager.go
@@ -3,6 +3,8 @@ package monitoringstack
 import (
 	stack "github.com/rhobs/observability-operator/pkg/apis/monitoring/v1alpha1"
 	policyv1 "k8s.io/api/policy/v1"
+	rbacv1 "k8s.io/api/rbac/v1"
+	"k8s.io/utils/pointer"
 
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/util/intstr"
@@ -65,6 +67,12 @@ func newAlertmanager(
 					},
 				},
 			},
+			SecurityContext: &corev1.PodSecurityContext{
+				RunAsNonRoot: pointer.Bool(true),
+				SeccompProfile: &corev1.SeccompProfile{
+					Type: corev1.SeccompProfileTypeRuntimeDefault,
+				},
+			},
 		},
 	}
 }
@@ -119,3 +127,24 @@ func newAlertmanagerPDB(ms *stack.MonitoringStack, instanceSelectorKey string, i
 		},
 	}
 }
+
+func newAlertManagerRole(ms *stack.MonitoringStack, rbacResourceName string, rbacVerbs []string) *rbacv1.Role {
+	return &rbacv1.Role{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: rbacv1.SchemeGroupVersion.String(),
+			Kind:       "Role",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      rbacResourceName,
+			Namespace: ms.Namespace,
+		},
+		Rules: []rbacv1.PolicyRule{
+			{
+				APIGroups:     []string{"security.openshift.io"},
+				Resources:     []string{"securitycontextconstraints"},
+				ResourceNames: []string{"nonroot-v2"},
+				Verbs:         []string{"use"},
+			},
+		},
+	}
+}
diff --git a/pkg/controllers/monitoring/monitoring-stack/components.go b/pkg/controllers/monitoring/monitoring-stack/components.go
@@ -7,6 +7,7 @@ import (
 	stack "github.com/rhobs/observability-operator/pkg/apis/monitoring/v1alpha1"
 
 	"k8s.io/apimachinery/pkg/util/intstr"
+	"k8s.io/utils/pointer"
 
 	monv1 "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1"
 	policyv1 "k8s.io/api/policy/v1"
@@ -49,6 +50,8 @@ func stackComponentReconcilers(ms *stack.MonitoringStack, instanceSelectorKey st
 		defaultReconciler(newRoleBinding(ms, prometheusRBACResourceName), ms),
 		defaultReconciler(newAdditionalScrapeConfigsSecret(ms, additionalScrapeConfigsSecretName), ms),
 		defaultReconciler(newServiceAccount(alertmanagerRBACResourceName, ms.Namespace), ms),
+		defaultReconciler(newAlertManagerRole(ms, alertmanagerRBACResourceName, rbacVerbs), ms),
+		defaultReconciler(newRoleBinding(ms, alertmanagerRBACResourceName), ms),
 		defaultReconciler(newAlertmanager(ms, alertmanagerRBACResourceName, instanceSelectorKey, instanceSelectorValue), ms),
 		defaultReconciler(newAlertmanagerService(ms, instanceSelectorKey, instanceSelectorValue), ms),
 		defaultReconciler(newAlertmanagerPDB(ms, instanceSelectorKey, instanceSelectorValue), ms),
@@ -80,6 +83,12 @@ func newPrometheusRole(ms *stack.MonitoringStack, rbacResourceName string, rbacV
 				Resources: []string{"ingresses"},
 				Verbs:     rbacVerbs,
 			},
+			{
+				APIGroups:     []string{"security.openshift.io"},
+				Resources:     []string{"securitycontextconstraints"},
+				ResourceNames: []string{"nonroot-v2"},
+				Verbs:         []string{"use"},
+			},
 		},
 	}
 }
@@ -163,7 +172,14 @@ func newPrometheus(
 					},
 					Key: AdditionalScrapeConfigsSelfScrapeKey,
 				},
-				Storage:        storageForPVC(config.PersistentVolumeClaim),
+				Storage: storageForPVC(config.PersistentVolumeClaim),
+				SecurityContext: &corev1.PodSecurityContext{
+					RunAsNonRoot: pointer.Bool(true),
+					RunAsUser:    pointer.Int64(65534),
+					SeccompProfile: &corev1.SeccompProfile{
+						Type: corev1.SeccompProfileTypeRuntimeDefault,
+					},
+				},
 				RemoteWrite:    config.RemoteWrite,
 				ExternalLabels: config.ExternalLabels,
 			},