[wildfly#266] Updated Pod security standards

* Add a default Security Context if the user does not specify one from the WildFlyServerSpec. * In the CSV, updates the operator's own deployment to comply with the security standards. This fixes wildfly#266 Signed-off-by: Jeff Mesnil <[email protected]>
jmesnil · Mar 13, 2023 · a809ab9 · a809ab9
1 parent 5121046
commit a809ab9
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 0 deletions.
diff --git a/api/v1alpha1/wildflyserver_types.go b/api/v1alpha1/wildflyserver_types.go
@@ -68,6 +68,8 @@ type WildFlyServerSpec struct {
 	// More info: https://pkg.go.dev/k8s.io/[email protected]/core/v1#ResourceRequirements
 	Resources *corev1.ResourceRequirements `json:"resources,omitempty"`
 	// SecurityContext
+	// If omitted, a default security context is created to deploy the application in non-root user without priviledges
+	// escalation and all security capabilities dropped.
 	SecurityContext *corev1.SecurityContext `json:"securityContext,omitempty"`
 }
 

diff --git a/bundle/manifests/wildfly-operator.clusterserviceversion.yaml b/bundle/manifests/wildfly-operator.clusterserviceversion.yaml
@@ -95,7 +95,14 @@ spec:
                   requests:
                     cpu: 100m
                     memory: 20Mi
+                securityContext:
+                  allowPrivilegeEscalation: false
+                  capabilities:
+                    drop:
+                      - ALL
               serviceAccountName: wildfly-operator
+              securityContext:
+                runAsNonRoot: true
               terminationGracePeriodSeconds: 10
       permissions:
       - rules:

diff --git a/pkg/resources/statefulsets/statefulset.go b/pkg/resources/statefulsets/statefulset.go
@@ -56,6 +56,12 @@ func NewStatefulSet(w *wildflyv1alpha1.WildFlyServer, labels map[string]string,
 		wildflyImageTypeAnnotation = resources.ImageTypeBootable
 	}
 
+	allowPrivilegeEscalation := new(bool)
+	*allowPrivilegeEscalation = false
+
+	runAsNonRoot := new(bool)
+	*runAsNonRoot = true
+
 	statefulSet := &appsv1.StatefulSet{
 		TypeMeta: metav1.TypeMeta{
 			APIVersion: "apps/v1",
@@ -119,6 +125,17 @@ func NewStatefulSet(w *wildflyv1alpha1.WildFlyServer, labels map[string]string,
 	// if the user specified the securityContext directive propagate it to the container (required for HPA).
 	if w.Spec.SecurityContext != nil {
 		statefulSet.Spec.Template.Spec.Containers[0].SecurityContext = *&w.Spec.SecurityContext
+	} else {
+		// otherwise, use a default security context without any security priviledges
+		statefulSet.Spec.Template.Spec.Containers[0].SecurityContext = &corev1.SecurityContext{
+			AllowPrivilegeEscalation: allowPrivilegeEscalation,
+			Capabilities:             &corev1.Capabilities{
+				Drop: []corev1.Capability{
+					"ALL",
+				},
+			},
+			RunAsNonRoot: runAsNonRoot,
+		}
 	}
 
 	if len(w.Spec.EnvFrom) > 0 {