From 53c7ba209dd69a846b19c7c117947312d3c2f655 Mon Sep 17 00:00:00 2001
From: Utkarsh Srivastava
Date: Wed, 10 Apr 2024 16:08:29 +0530
Subject: [PATCH] SCC fixes
Signed-off-by: Utkarsh Srivastava
include pod agent change
Signed-off-by: Utkarsh Srivastava
make gen-api
Signed-off-by: Utkarsh Srivastava
---
 deploy/internal/pod-agent.yaml | 3 ++
 deploy/internal/statefulset-core.yaml | 3 ++
 deploy/internal/statefulset-postgres-db.yaml | 1 +
 deploy/role.yaml | 9 ++++
 deploy/scc.yaml | 13 +++++
 deploy/scc_db.yaml | 5 ++
 deploy/scc_endpoint.yaml | 3 +-
 pkg/bundle/deploy.go | 51 +++++++++++++++++---
 8 files changed, 79 insertions(+), 9 deletions(-)
 create mode 100644 deploy/scc.yaml
diff --git a/deploy/internal/pod-agent.yaml b/deploy/internal/pod-agent.yaml
index 0dc25732a..8052e777e 100644
--- a/deploy/internal/pod-agent.yaml
+++ b/deploy/internal/pod-agent.yaml
@@ -32,6 +32,9 @@ spec:
 mountPath: /noobaa_storage
 - name: tmp-logs-vol
 mountPath: /usr/local/noobaa/logs
+ securityContext:
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
 volumes:
 - name: tmp-logs-vol
 emptyDir: {}
diff --git a/deploy/internal/statefulset-core.yaml b/deploy/internal/statefulset-core.yaml
index 44c9e237d..2297973fc 100644
--- a/deploy/internal/statefulset-core.yaml
+++ b/deploy/internal/statefulset-core.yaml
@@ -139,6 +139,9 @@ spec:
 valueFrom:
 resourceFieldRef:
 resource: limits.memory
+ securityContext:
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
 - name: noobaa-log-processor
 image: NOOBAA_CORE_IMAGE
 command:
diff --git a/deploy/internal/statefulset-postgres-db.yaml b/deploy/internal/statefulset-postgres-db.yaml
index 60422f21a..764eb560b 100644
--- a/deploy/internal/statefulset-postgres-db.yaml
+++ b/deploy/internal/statefulset-postgres-db.yaml
@@ -64,6 +64,7 @@ spec:
 runAsGroup: 0
 fsGroup: 0
 fsGroupChangePolicy: "OnRootMismatch"
+ allowPrivilegeEscalation: false
 volumeClaimTemplates:
 - metadata:
 name: db
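Review bot: The container securityContext added here (it is container-level, since `allowPrivilegeEscalation` is not a pod-level field) stops short of what the `restricted` Pod Security Standard checks: there is no `capabilities: drop: ["ALL"]` and no `seccompProfile: type: RuntimeDefault`. On OpenShift the new SCC's `requiredDropCapabilities: ALL` should be applied at admission, but if these manifests are also used on non-OpenShift clusters nothing drops the capabilities, so the manifest should state it directly rather than depend on the SCC. The statefulset-core.yaml hunk has the same shape, and both are mirrored in pkg/bundle/deploy.go, which `make gen-api` regenerates. The YAML indentation is lost in this copy of the patch, and the container entry itself starts outside the hunk.
```yaml
# … unchanged: volumeMounts …
securityContext:
  runAsNonRoot: true
  allowPrivilegeEscalation: false
  capabilities:
    drop: ["ALL"]
  seccompProfile:
    type: RuntimeDefault
```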
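Review bot: `allowPrivilegeEscalation: false` is being added to the pod-level securityContext — `fsGroup` and `fsGroupChangePolicy` on the lines above exist only in PodSecurityContext — but `allowPrivilegeEscalation` is a container-level field, so the line is either silently dropped by a lenient YAML decoder or rejected by strict field validation, and the db container keeps the default either way. Move it into the db container's own `securityContext:` / `  allowPrivilegeEscalation: false`; that container entry is outside this hunk. The mirrored hunk in pkg/bundle/deploy.go carries the same misplacement and is regenerated by `make gen-api`.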
diff --git a/deploy/role.yaml b/deploy/role.yaml
index 285dd464d..1b620211b 100644
--- a/deploy/role.yaml
+++ b/deploy/role.yaml
@@ -3,6 +3,14 @@ kind: Role
 metadata:
 name: noobaa
 rules:
+- apiGroups:
+ - security.openshift.io
+ resourceNames:
+ - noobaa
+ resources:
+ - securitycontextconstraints
+ verbs:
+ - use
 - apiGroups:
 - noobaa.io
 resources:
@@ -132,3 +140,4 @@ rules:
 - '*'
 verbs:
 - '*'
+
diff --git a/deploy/scc.yaml b/deploy/scc.yaml
new file mode 100644
index 000000000..bd292e663
--- /dev/null
+++ b/deploy/scc.yaml
@@ -0,0 +1,13 @@
+apiVersion: security.openshift.io/v1
+kind: SecurityContextConstraints
+metadata:
+ name: noobaa
+requiredDropCapabilities:
+ - ALL
+runAsUser:
+ type: RunAsAny
+seLinuxContext:
+ type: RunAsAny
+supplementalGroups:
+ type: RunAsAny
+readOnlyRootFilesystem: true
diff --git a/deploy/scc_db.yaml b/deploy/scc_db.yaml
index 7fdc10431..fec23153a 100644
--- a/deploy/scc_db.yaml
+++ b/deploy/scc_db.yaml
@@ -10,6 +10,11 @@ allowHostPID: false
 allowHostPorts: false
 allowPrivilegedContainer: false
 readOnlyRootFilesystem: false
+allowedCapabilities:
+- SETUID
+- SETGID
+requiredDropCapabilities:
+ - ALL
 fsGroup:
 type: RunAsAny
 runAsUser:
diff --git a/deploy/scc_endpoint.yaml b/deploy/scc_endpoint.yaml
index c621ed822..3b63f5f68 100644
--- a/deploy/scc_endpoint.yaml
+++ b/deploy/scc_endpoint.yaml
@@ -19,8 +19,7 @@ groups: []
 priority: null
 readOnlyRootFilesystem: false
 requiredDropCapabilities:
-- KILL
-- MKNOD
+ - ALL
 runAsUser:
 type: RunAsAny
 seLinuxContext:
diff --git a/pkg/bundle/deploy.go b/pkg/bundle/deploy.go
index c0d5391ab..565d50ea3 100644
--- a/pkg/bundle/deploy.go
+++ b/pkg/bundle/deploy.go
@@ -4279,6 +4279,9 @@ spec:
 mountPath: /noobaa_storage
 - name: tmp-logs-vol
 mountPath: /usr/local/noobaa/logs
+ securityContext:
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
 volumes:
 - name: tmp-logs-vol
 emptyDir: {}
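Review bot: The new `noobaa` SCC sets only five fields, so `allowPrivilegeEscalation`, `allowPrivilegedContainer`, `allowHostNetwork`/`allowHostPID`/`allowHostPorts`/`allowHostIPC`, `allowHostDirVolumePlugin`, `volumes` and `fsGroup` are all left to API-server defaulting, whereas the sibling files spell them out (`allowHostPID: false`, `allowHostPorts: false`, `allowPrivilegedContainer: false` are visible in the scc_db.yaml and scc_endpoint.yaml context lines). If I remember the SCC defaulting correctly, an unset `allowPrivilegeEscalation` becomes true and an unset `volumes` allows every volume type, so the constraint that role.yaml now lets the bound subjects `use` is looser than this file reads; pinning the fields makes the intent explicit either way. Since both pod specs in this patch already set `runAsNonRoot: true`, `runAsUser: type: MustRunAsNonRoot` would let the SCC enforce that as well, unless some core container genuinely needs UID 0. Note also that `readOnlyRootFilesystem: true` forces a read-only root filesystem on every container admitted under this SCC, and the only writable mounts visible in the patch are /usr/local/noobaa/logs and /noobaa_storage, so any other write path in the core image will start failing. The same block is mirrored in pkg/bundle/deploy.go and is regenerated by `make gen-api`.
```yaml
# … unchanged: apiVersion, kind, metadata …
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: false
allowPrivilegedContainer: false
allowedCapabilities: []
defaultAddCapabilities: []
requiredDropCapabilities:
  - ALL
runAsUser:
  type: MustRunAsNonRoot
fsGroup:
  type: RunAsAny
# … unchanged: seLinuxContext, supplementalGroups, readOnlyRootFilesystem …
volumes:  # trim to the volume types the core and pod-agent pods actually mount
  - configMap
  - emptyDir
  - persistentVolumeClaim
  - projected
  - secret
```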
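Review bot: `allowedCapabilities: SETUID/SETGID` re-grants two capabilities immediately after `requiredDropCapabilities: ALL`, with nothing in the file saying which process in the db pod needs them; given `readOnlyRootFilesystem: false` here and `runAsGroup: 0`/`fsGroup: 0` in the postgres StatefulSet hunk, this is the most privileged SCC in the set, so a one-line comment such as `# SETUID/SETGID: needed by <db entrypoint step — fill in>` above the list would keep the reason reviewable. `allowedCapabilities` only permits a pod to request the capabilities; the postgres StatefulSet hunk in this patch shows no `capabilities.add`, so whether the container actually ends up with them depends on its container securityContext outside the diff, and if it never adds them the entry can be dropped. Minor: the two new lists are indented differently (`- SETUID` at column 0, `  - ALL` indented); both parse, but one style would match the rest of the file. The mirror in pkg/bundle/deploy.go is regenerated by `make gen-api`.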
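Review bot: Dropping `ALL` instead of `KILL`/`MKNOD` removes every default capability from endpoint containers while the SCC's other settings in the context lines (`runAsUser: type: RunAsAny`, `readOnlyRootFilesystem: false`) stay as they were; the endpoint Deployment is not part of this patch, so it is worth confirming the image does not rely on a default capability (binding a port below 1024 needs NET_BIND_SERVICE, an entrypoint that starts as root and switches user needs SETUID/SETGID/CHOWN), since those operations will now fail at runtime rather than at admission. If one is needed, listing it under `allowedCapabilities` as scc_db.yaml now does keeps the drop-ALL baseline. The same hunk is mirrored in pkg/bundle/deploy.go (`make gen-api`).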
@@ -4806,7 +4809,7 @@ spec:
 noobaa-s3-svc: "true"
 `
-const Sha256_deploy_internal_statefulset_core_yaml = "56bc0da847d71be17138025a208dbf8dc0b02e6f4817bbbac4ce828429d86c26"
+const Sha256_deploy_internal_statefulset_core_yaml = "9e5d53eeabce0afc9f3059802f579dc1b69e07c9b1954a8e9bdb9008ac3534d0"
 const File_deploy_internal_statefulset_core_yaml = `apiVersion: apps/v1
 kind: StatefulSet
@@ -4949,6 +4952,9 @@ spec:
 valueFrom:
 resourceFieldRef:
 resource: limits.memory
+ securityContext:
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
 - name: noobaa-log-processor
 image: NOOBAA_CORE_IMAGE
 command:
@@ -4987,7 +4993,7 @@ spec:
 resource: limits.memory
 `
-const Sha256_deploy_internal_statefulset_postgres_db_yaml = "947307ea1e93ce5b7789bd16352eb7848e1483cd36e7fc489d9ee156e4e7d8bd"
+const Sha256_deploy_internal_statefulset_postgres_db_yaml = "efd4562dd6ce535624a56426dc921c584c5a761c8c2540d4823f9e410fcd0347"
 const File_deploy_internal_statefulset_postgres_db_yaml = `apiVersion: apps/v1
 kind: StatefulSet
@@ -5055,6 +5061,7 @@ spec:
 runAsGroup: 0
 fsGroup: 0
 fsGroupChangePolicy: "OnRootMismatch"
+ allowPrivilegeEscalation: false
 volumeClaimTemplates:
 - metadata:
 name: db
@@ -5959,13 +5966,21 @@ spec:
 # name: socket
 `
-const Sha256_deploy_role_yaml = "ce3cbcb74a9309158d7cf71ef38e747fe76c1bc0fb0f15d3e5404a746ce988e1"
+const Sha256_deploy_role_yaml = "7738cea71cb4fdb56055d3e3bb6033de9f5e0758c8423306ef6e27aceca15f71"
 const File_deploy_role_yaml = `apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
 name: noobaa
 rules:
+- apiGroups:
+ - security.openshift.io
+ resourceNames:
+ - noobaa
+ resources:
+ - securitycontextconstraints
+ verbs:
+ - use
 - apiGroups:
 - noobaa.io
 resources:
@@ -6095,6 +6110,7 @@ rules:
 - '*'
 verbs:
 - '*'
+
 `
 const Sha256_deploy_role_binding_yaml = "59a2627156ed3db9cd1a4d9c47e8c1044279c65e84d79c525e51274329cb16ff"
@@ -6340,7 +6356,24 @@ rules:
 - bucketclasses
 `
-const Sha256_deploy_scc_db_yaml = "747ebcab94f3f3d42037016f30fa82df085ee5a0a405cbee61e8fdfdfcfc37b0"
+const Sha256_deploy_scc_yaml = "baa4d3a3def2d63a5d9e53bc4fc1ac961f9b4fe5172db7118d1529caa14e2191"
+
+const File_deploy_scc_yaml = `apiVersion: security.openshift.io/v1
+kind: SecurityContextConstraints
+metadata:
+ name: noobaa
+requiredDropCapabilities:
+ - ALL
+runAsUser:
+ type: RunAsAny
+seLinuxContext:
+ type: RunAsAny
+supplementalGroups:
+ type: RunAsAny
+readOnlyRootFilesystem: true
+`
+
+const Sha256_deploy_scc_db_yaml = "af4d7f9119c7ef0902d424da530bb3dd3c21c440c7267956d4f5304355b68441"
 const File_deploy_scc_db_yaml = `apiVersion: security.openshift.io/v1
 kind: SecurityContextConstraints
@@ -6354,6 +6387,11 @@ allowHostPID: false
 allowHostPorts: false
 allowPrivilegedContainer: false
 readOnlyRootFilesystem: false
+allowedCapabilities:
+- SETUID
+- SETGID
+requiredDropCapabilities:
+ - ALL
 fsGroup:
 type: RunAsAny
 runAsUser:
@@ -6364,7 +6402,7 @@ supplementalGroups:
 type: RunAsAny
 `
-const Sha256_deploy_scc_endpoint_yaml = "f097a29eb11230a7612ab5f86894da523a743093e21eb2217a39332c5a31b10c"
+const Sha256_deploy_scc_endpoint_yaml = "f9407c9f1fd1876eabbaad4cf910a05e57db33a2d590b2e2efad22bd1e3f8876"
 const File_deploy_scc_endpoint_yaml = `apiVersion: security.openshift.io/v1
 kind: SecurityContextConstraints
@@ -6387,8 +6425,7 @@ groups: []
 priority: null
 readOnlyRootFilesystem: false
 requiredDropCapabilities:
-- KILL
-- MKNOD
+ - ALL
 runAsUser:
 type: RunAsAny
 seLinuxContext: