Security context changes

* Added fsGroup 0 to the agent pod * moved allowPrivilegeEscalation in the DB sts to the container security context Signed-off-by: Danny Zaken <[email protected]> (cherry picked from commit 45a214b)
tangledbytes · May 8, 2024 · ad93b4d · ad93b4d
1 parent 9838c75
commit ad93b4d
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 4 deletions.
diff --git a/deploy/internal/pod-agent.yaml b/deploy/internal/pod-agent.yaml
@@ -35,6 +35,11 @@ spec:
       securityContext:
         runAsNonRoot: true
         allowPrivilegeEscalation: false
+  securityContext:
+    runAsUser: 10001
+    runAsGroup: 0
+    fsGroup: 0
+    fsGroupChangePolicy: "OnRootMismatch"
   volumes:
     - name: tmp-logs-vol
       emptyDir: {}

diff --git a/deploy/internal/statefulset-postgres-db.yaml b/deploy/internal/statefulset-postgres-db.yaml
@@ -81,6 +81,9 @@ spec:
                 key: password
                 name: noobaa-db
         imagePullPolicy: "IfNotPresent"
+        securityContext:
+          allowPrivilegeEscalation: false
+          runAsNonRoot: true
         ports:
           - containerPort: 5432
         resources:
@@ -109,7 +112,6 @@ spec:
         runAsGroup: 0
         fsGroup: 0
         fsGroupChangePolicy: "OnRootMismatch"
-        allowPrivilegeEscalation: false
   volumeClaimTemplates:
     - metadata:
         name: db

diff --git a/pkg/bundle/deploy.go b/pkg/bundle/deploy.go
@@ -4221,7 +4221,7 @@ spec:
             value: KUBERNETES
       restartPolicy: OnFailure`
 
-const Sha256_deploy_internal_pod_agent_yaml = "0f58d0ef2d3ffce46680db6c44878cfdcdcf0942867d27768cb0636891157e2e"
+const Sha256_deploy_internal_pod_agent_yaml = "de840ba1da0fc16cab8e1ddf8af35f886be35dbefa449e73dcf75b5659001aa1"
 
 const File_deploy_internal_pod_agent_yaml = `apiVersion: v1
 kind: Pod
@@ -4260,6 +4260,11 @@ spec:
       securityContext:
         runAsNonRoot: true
         allowPrivilegeEscalation: false
+  securityContext:
+    runAsUser: 10001
+    runAsGroup: 0
+    fsGroup: 0
+    fsGroupChangePolicy: "OnRootMismatch"
   volumes:
     - name: tmp-logs-vol
       emptyDir: {}
@@ -5011,7 +5016,7 @@ spec:
           storage: 50Gi
 `
 
-const Sha256_deploy_internal_statefulset_postgres_db_yaml = "3a83f8f0cea0d0b909834afb3de3009ed9e1e7347d82c31fc65cc8e5016b247b"
+const Sha256_deploy_internal_statefulset_postgres_db_yaml = "ea7ea63d019cb84327e89fbfa6a34788e0f43726ae8b2446eb1801e2a50240e1"
 
 const File_deploy_internal_statefulset_postgres_db_yaml = `apiVersion: apps/v1
 kind: StatefulSet
@@ -5096,6 +5101,9 @@ spec:
                 key: password
                 name: noobaa-db
         imagePullPolicy: "IfNotPresent"
+        securityContext:
+          allowPrivilegeEscalation: false
+          runAsNonRoot: true
         ports:
           - containerPort: 5432
         resources:
@@ -5124,7 +5132,6 @@ spec:
         runAsGroup: 0
         fsGroup: 0
         fsGroupChangePolicy: "OnRootMismatch"
-        allowPrivilegeEscalation: false
   volumeClaimTemplates:
     - metadata:
         name: db