SCC fixes

Signed-off-by: Utkarsh Srivastava <[email protected]> include pod agent change Signed-off-by: Utkarsh Srivastava <[email protected]> make gen-api Signed-off-by: Utkarsh Srivastava <[email protected]> update deploy.go Signed-off-by: Utkarsh Srivastava <[email protected]> address PR comments Signed-off-by: Utkarsh Srivastava <[email protected]> (cherry picked from commit 76d4722)
tangledbytes · May 7, 2024 · 9838c75 · 9838c75
1 parent 30bf42e
commit 9838c75
Show file tree

Hide file tree

Showing 8 changed files with 144 additions and 16 deletions.
diff --git a/deploy/internal/pod-agent.yaml b/deploy/internal/pod-agent.yaml
@@ -32,6 +32,9 @@ spec:
           mountPath: /noobaa_storage
         - name: tmp-logs-vol
           mountPath: /usr/local/noobaa/logs
+      securityContext:
+        runAsNonRoot: true
+        allowPrivilegeEscalation: false
   volumes:
     - name: tmp-logs-vol
       emptyDir: {}

diff --git a/deploy/internal/statefulset-core.yaml b/deploy/internal/statefulset-core.yaml
@@ -141,3 +141,42 @@ spec:
               valueFrom:
                 resourceFieldRef:
                   resource: limits.memory
+          securityContext:
+            runAsNonRoot: true
+            allowPrivilegeEscalation: false
+        - name: noobaa-log-processor
+          image: NOOBAA_CORE_IMAGE
+          command:
+            [
+              "/root/node_modules/noobaa-core/src/deploy/NVA_build/noobaa_logs.sh",
+            ]
+          volumeMounts:
+            - name: logs
+              mountPath: /log
+          resources:
+            requests:
+              cpu: "200m"
+              memory: "500Mi"
+            limits:
+              cpu: "200m"
+              memory: "500Mi"
+          ports:
+            - containerPort: 5140
+            - containerPort: 6514
+          env:
+            - name: CONTAINER_CPU_REQUEST
+              valueFrom:
+                resourceFieldRef:
+                  resource: requests.cpu
+            - name: CONTAINER_MEM_REQUEST
+              valueFrom:
+                resourceFieldRef:
+                  resource: requests.memory
+            - name: CONTAINER_CPU_LIMIT
+              valueFrom:
+                resourceFieldRef:
+                  resource: limits.cpu
+            - name: CONTAINER_MEM_LIMIT
+              valueFrom:
+                resourceFieldRef:
+                  resource: limits.memory
diff --git a/deploy/internal/statefulset-postgres-db.yaml b/deploy/internal/statefulset-postgres-db.yaml
@@ -109,6 +109,7 @@ spec:
         runAsGroup: 0
         fsGroup: 0
         fsGroupChangePolicy: "OnRootMismatch"
+        allowPrivilegeEscalation: false
   volumeClaimTemplates:
     - metadata:
         name: db

diff --git a/deploy/role.yaml b/deploy/role.yaml
@@ -3,6 +3,14 @@ kind: Role
 metadata:
   name: noobaa
 rules:
+- apiGroups:
+  - security.openshift.io
+  resourceNames:
+  - noobaa
+  resources:
+  - securitycontextconstraints
+  verbs:
+  - use
 - apiGroups:
   - noobaa.io
   resources:

diff --git a/deploy/scc.yaml b/deploy/scc.yaml
@@ -0,0 +1,13 @@
+apiVersion: security.openshift.io/v1
+kind: SecurityContextConstraints
+metadata:
+  name: noobaa
+requiredDropCapabilities:
+  - ALL
+runAsUser:
+  type: RunAsAny
+seLinuxContext:
+  type: RunAsAny
+supplementalGroups:
+  type: RunAsAny
+readOnlyRootFilesystem: true
diff --git a/deploy/scc_db.yaml b/deploy/scc_db.yaml
@@ -10,9 +10,8 @@ allowHostPID: false
 allowHostPorts: false
 allowPrivilegedContainer: false
 readOnlyRootFilesystem: false
-allowedCapabilities:
-- SETUID
-- SETGID
+requiredDropCapabilities:
+  - ALL
 fsGroup:
   type: RunAsAny
 runAsUser:

diff --git a/deploy/scc_endpoint.yaml b/deploy/scc_endpoint.yaml
@@ -19,8 +19,7 @@ groups: []
 priority: null
 readOnlyRootFilesystem: false
 requiredDropCapabilities:
-- KILL
-- MKNOD
+  - ALL
 runAsUser:
   type: RunAsAny
 seLinuxContext:

diff --git a/pkg/bundle/deploy.go b/pkg/bundle/deploy.go
@@ -4221,7 +4221,7 @@ spec:
             value: KUBERNETES
       restartPolicy: OnFailure`
 
-const Sha256_deploy_internal_pod_agent_yaml = "204e11eea569564b507010d13c43a2d3ad5feae9e86666a08904508eab231830"
+const Sha256_deploy_internal_pod_agent_yaml = "0f58d0ef2d3ffce46680db6c44878cfdcdcf0942867d27768cb0636891157e2e"
 
 const File_deploy_internal_pod_agent_yaml = `apiVersion: v1
 kind: Pod
@@ -4257,6 +4257,9 @@ spec:
           mountPath: /noobaa_storage
         - name: tmp-logs-vol
           mountPath: /usr/local/noobaa/logs
+      securityContext:
+        runAsNonRoot: true
+        allowPrivilegeEscalation: false
   volumes:
     - name: tmp-logs-vol
       emptyDir: {}
@@ -4762,7 +4765,7 @@ spec:
       noobaa-s3-svc: "true"
 `
 
-const Sha256_deploy_internal_statefulset_core_yaml = "39dbe4e822b69f1998cea34437e97cc58db4f577e9143eb6db087f2da083f73e"
+const Sha256_deploy_internal_statefulset_core_yaml = "cd93ddb76784d09de1c642cb0b29d6ff7f42c4a9c571d810a4a767bee621f046"
 
 const File_deploy_internal_statefulset_core_yaml = `apiVersion: apps/v1
 kind: StatefulSet
@@ -4907,6 +4910,45 @@ spec:
               valueFrom:
                 resourceFieldRef:
                   resource: limits.memory
+          securityContext:
+            runAsNonRoot: true
+            allowPrivilegeEscalation: false
+        - name: noobaa-log-processor
+          image: NOOBAA_CORE_IMAGE
+          command:
+            [
+              "/root/node_modules/noobaa-core/src/deploy/NVA_build/noobaa_logs.sh",
+            ]
+          volumeMounts:
+            - name: logs
+              mountPath: /log
+          resources:
+            requests:
+              cpu: "200m"
+              memory: "500Mi"
+            limits:
+              cpu: "200m"
+              memory: "500Mi"
+          ports:
+            - containerPort: 5140
+            - containerPort: 6514
+          env:
+            - name: CONTAINER_CPU_REQUEST
+              valueFrom:
+                resourceFieldRef:
+                  resource: requests.cpu
+            - name: CONTAINER_MEM_REQUEST
+              valueFrom:
+                resourceFieldRef:
+                  resource: requests.memory
+            - name: CONTAINER_CPU_LIMIT
+              valueFrom:
+                resourceFieldRef:
+                  resource: limits.cpu
+            - name: CONTAINER_MEM_LIMIT
+              valueFrom:
+                resourceFieldRef:
+                  resource: limits.memory
 `
 
 const Sha256_deploy_internal_statefulset_db_yaml = "25924f84967caebdeb5d61c2181f0ba04da92306fed7e44834dbcc7480b8d48a"
@@ -4969,7 +5011,7 @@ spec:
           storage: 50Gi
 `
 
-const Sha256_deploy_internal_statefulset_postgres_db_yaml = "0accc047982dbd1b8c207c81ef2bb1ae8c61c312915d3c2d196799ca6f146816"
+const Sha256_deploy_internal_statefulset_postgres_db_yaml = "3a83f8f0cea0d0b909834afb3de3009ed9e1e7347d82c31fc65cc8e5016b247b"
 
 const File_deploy_internal_statefulset_postgres_db_yaml = `apiVersion: apps/v1
 kind: StatefulSet
@@ -5082,6 +5124,7 @@ spec:
         runAsGroup: 0
         fsGroup: 0
         fsGroupChangePolicy: "OnRootMismatch"
+        allowPrivilegeEscalation: false
   volumeClaimTemplates:
     - metadata:
         name: db
@@ -5986,13 +6029,21 @@ spec:
         #     name: socket
 `
 
-const Sha256_deploy_role_yaml = "ce3cbcb74a9309158d7cf71ef38e747fe76c1bc0fb0f15d3e5404a746ce988e1"
+const Sha256_deploy_role_yaml = "e145ce24b4267e2e0e63ab56442295bcc605bdc4f6ef723ad6cc15fd38973101"
 
 const File_deploy_role_yaml = `apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: noobaa
 rules:
+- apiGroups:
+  - security.openshift.io
+  resourceNames:
+  - noobaa
+  resources:
+  - securitycontextconstraints
+  verbs:
+  - use
 - apiGroups:
   - noobaa.io
   resources:
@@ -6367,7 +6418,24 @@ rules:
       - bucketclasses
 `
 
-const Sha256_deploy_scc_db_yaml = "d91c727214d8879843da81ee8778bf6ad6d06af6bdea0a36ac494b5ccc706d7a"
+const Sha256_deploy_scc_yaml = "baa4d3a3def2d63a5d9e53bc4fc1ac961f9b4fe5172db7118d1529caa14e2191"
+
+const File_deploy_scc_yaml = `apiVersion: security.openshift.io/v1
+kind: SecurityContextConstraints
+metadata:
+  name: noobaa
+requiredDropCapabilities:
+  - ALL
+runAsUser:
+  type: RunAsAny
+seLinuxContext:
+  type: RunAsAny
+supplementalGroups:
+  type: RunAsAny
+readOnlyRootFilesystem: true
+`
+
+const Sha256_deploy_scc_db_yaml = "de2274e71f8c6e83c0288623941a75d4dabc8c13a9fb9d0c2648b8fda3968b70"
 
 const File_deploy_scc_db_yaml = `apiVersion: security.openshift.io/v1
 kind: SecurityContextConstraints
@@ -6381,9 +6449,8 @@ allowHostPID: false
 allowHostPorts: false
 allowPrivilegedContainer: false
 readOnlyRootFilesystem: false
-allowedCapabilities:
-- SETUID
-- SETGID
+requiredDropCapabilities:
+  - ALL
 fsGroup:
   type: RunAsAny
 runAsUser:
@@ -6394,7 +6461,7 @@ supplementalGroups:
   type: RunAsAny
 `
 
-const Sha256_deploy_scc_endpoint_yaml = "f097a29eb11230a7612ab5f86894da523a743093e21eb2217a39332c5a31b10c"
+const Sha256_deploy_scc_endpoint_yaml = "f9407c9f1fd1876eabbaad4cf910a05e57db33a2d590b2e2efad22bd1e3f8876"
 
 const File_deploy_scc_endpoint_yaml = `apiVersion: security.openshift.io/v1
 kind: SecurityContextConstraints
@@ -6417,8 +6484,7 @@ groups: []
 priority: null
 readOnlyRootFilesystem: false
 requiredDropCapabilities:
-- KILL
-- MKNOD
+  - ALL
 runAsUser:
   type: RunAsAny
 seLinuxContext: