SCC fixes

Signed-off-by: Utkarsh Srivastava <[email protected]>
tangledbytes · Apr 10, 2024 · 585249d · 585249d
1 parent f76d728
commit 585249d
Show file tree

Hide file tree

Showing 6 changed files with 32 additions and 2 deletions.
diff --git a/deploy/internal/statefulset-core.yaml b/deploy/internal/statefulset-core.yaml
@@ -139,6 +139,9 @@ spec:
               valueFrom:
                 resourceFieldRef:
                   resource: limits.memory
+          securityContext:
+            runAsNonRoot: true
+            allowPrivilegeEscalation: false
         - name: noobaa-log-processor
           image: NOOBAA_CORE_IMAGE
           command:

diff --git a/deploy/internal/statefulset-postgres-db.yaml b/deploy/internal/statefulset-postgres-db.yaml
@@ -64,6 +64,7 @@ spec:
         runAsGroup: 0
         fsGroup: 0
         fsGroupChangePolicy: "OnRootMismatch"
+        allowPrivilegeEscalation: false
   volumeClaimTemplates:
     - metadata:
         name: db

diff --git a/deploy/role.yaml b/deploy/role.yaml
@@ -3,6 +3,14 @@ kind: Role
 metadata:
   name: noobaa
 rules:
+- apiGroups:
+  - security.openshift.io
+  resourceNames:
+  - noobaa
+  resources:
+  - securitycontextconstraints
+  verbs:
+  - use
 - apiGroups:
   - noobaa.io
   resources:
@@ -132,3 +140,4 @@ rules:
   - '*'
   verbs: 
   - '*'
+
diff --git a/deploy/scc.yaml b/deploy/scc.yaml
@@ -0,0 +1,13 @@
+apiVersion: security.openshift.io/v1
+kind: SecurityContextConstraints
+metadata:
+  name: noobaa
+requiredDropCapabilities:
+  - ALL
+runAsUser:
+  type: RunAsAny
+seLinuxContext:
+  type: RunAsAny
+supplementalGroups:
+  type: RunAsAny
+readOnlyRootFilesystem: true
diff --git a/deploy/scc_db.yaml b/deploy/scc_db.yaml
@@ -10,6 +10,11 @@ allowHostPID: false
 allowHostPorts: false
 allowPrivilegedContainer: false
 readOnlyRootFilesystem: false
+allowedCapabilities:
+- SETUID
+- SETGID
+requiredDropCapabilities:
+  - ALL
 fsGroup:
   type: RunAsAny
 runAsUser:

diff --git a/deploy/scc_endpoint.yaml b/deploy/scc_endpoint.yaml
@@ -19,8 +19,7 @@ groups: []
 priority: null
 readOnlyRootFilesystem: false
 requiredDropCapabilities:
-- KILL
-- MKNOD
+  - ALL
 runAsUser:
   type: RunAsAny
 seLinuxContext: