Skip to content

Commit

Permalink
[#266] Updated Pod security standards
Browse files Browse the repository at this point in the history
* Add a default Security Context if the user does not specify one from the
WildFlyServerSpec.
* In the CSV, updates the operator's own deployment to comply with the
  security standards.

This fixes #266

Signed-off-by: Jeff Mesnil <[email protected]>
  • Loading branch information
jmesnil committed Mar 29, 2023
1 parent 7aa9c1b commit a591440
Show file tree
Hide file tree
Showing 6 changed files with 42 additions and 3 deletions.
4 changes: 3 additions & 1 deletion api/v1alpha1/wildflyserver_types.go
Original file line number Diff line number Diff line change
Expand Up @@ -67,7 +67,9 @@ type WildFlyServerSpec struct {
// ResourcesSpec defines the resources used by the WildFlyServer, ie CPU and memory, use limits and requests.
// More info: https://pkg.go.dev/k8s.io/[email protected]/core/v1#ResourceRequirements
Resources *corev1.ResourceRequirements `json:"resources,omitempty"`
// SecurityContext
// SecurityContext defines the security capabilities required to run the application.
// If omitted, a default security context is created which runs with a non-root "jboss (185)" user without priviledges
// escalation and all security capabilities dropped.
SecurityContext *corev1.SecurityContext `json:"securityContext,omitempty"`
}

Expand Down
2 changes: 1 addition & 1 deletion api/v1alpha1/zz_generated.openapi.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

9 changes: 9 additions & 0 deletions bundle/manifests/wildfly-operator.clusterserviceversion.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -95,7 +95,16 @@ spec:
requests:
cpu: 100m
memory: 20Mi
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
capabilities:
drop:
- ALL
serviceAccountName: wildfly-operator
securityContext:
seccompProfile:
type: RuntimeDefault
terminationGracePeriodSeconds: 10
permissions:
- rules:
Expand Down
2 changes: 2 additions & 0 deletions go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -696,6 +696,7 @@ golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzB
golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
golang.org/x/mod v0.4.2 h1:Gz96sIWK3OalVv/I/qNygP42zyoKp3xptRVCWRFEBvo=
golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
Expand Down Expand Up @@ -1089,6 +1090,7 @@ k8s.io/gengo v0.0.0-20200114144118-36b2048a9120/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8
k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
k8s.io/gengo v0.0.0-20200428234225-8167cfdcfc14/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
k8s.io/gengo v0.0.0-20201113003025-83324d819ded/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c h1:GohjlNKauSai7gN4wsJkeZ3WAJx4Sh+oT/b5IYn5suA=
k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
k8s.io/klog v0.0.0-20181102134211-b9b56d5dfc92/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
k8s.io/klog v0.3.0/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
Expand Down
2 changes: 1 addition & 1 deletion main.go
Original file line number Diff line number Diff line change
Expand Up @@ -74,7 +74,7 @@ func main() {
flag.BoolVar(&enableLeaderElection, "leader-elect", false,
"Enable leader election for controller manager. Enabling this will ensure there is only one active controller manager.")
opts := zap.Options{
// Development: true, // Commented out to use default production options
// Development: true, // Commented out to use default production options
}
opts.BindFlags(flag.CommandLine)
flag.Parse()
Expand Down
26 changes: 26 additions & 0 deletions pkg/resources/statefulsets/statefulset.go
Original file line number Diff line number Diff line change
Expand Up @@ -56,6 +56,15 @@ func NewStatefulSet(w *wildflyv1alpha1.WildFlyServer, labels map[string]string,
wildflyImageTypeAnnotation = resources.ImageTypeBootable
}

allowPrivilegeEscalation := new(bool)
*allowPrivilegeEscalation = false

runAsNonRoot := new(bool)
*runAsNonRoot = true

jbossUser := new(int64)
*jbossUser = 185

statefulSet := &appsv1.StatefulSet{
TypeMeta: metav1.TypeMeta{
APIVersion: "apps/v1",
Expand Down Expand Up @@ -84,6 +93,11 @@ func NewStatefulSet(w *wildflyv1alpha1.WildFlyServer, labels map[string]string,
},
},
Spec: corev1.PodSpec{
SecurityContext: &corev1.PodSecurityContext{
SeccompProfile: &corev1.SeccompProfile{
Type: corev1.SeccompProfileTypeRuntimeDefault,
},
},
Containers: []corev1.Container{{
Name: w.Name,
Image: applicationImage,
Expand Down Expand Up @@ -119,6 +133,18 @@ func NewStatefulSet(w *wildflyv1alpha1.WildFlyServer, labels map[string]string,
// if the user specified the securityContext directive propagate it to the container (required for HPA).
if w.Spec.SecurityContext != nil {
statefulSet.Spec.Template.Spec.Containers[0].SecurityContext = *&w.Spec.SecurityContext
} else {
// otherwise, use a default security context without any security priviledges
statefulSet.Spec.Template.Spec.Containers[0].SecurityContext = &corev1.SecurityContext{
AllowPrivilegeEscalation: allowPrivilegeEscalation,
Capabilities: &corev1.Capabilities{
Drop: []corev1.Capability{
"ALL",
},
},
RunAsNonRoot: runAsNonRoot,
RunAsUser: jbossUser,
}
}

if len(w.Spec.EnvFrom) > 0 {
Expand Down

0 comments on commit a591440

Please sign in to comment.