From 0abc84aba9d674b9c67902f0e23b46e66c9fe4eb Mon Sep 17 00:00:00 2001
From: Jeff Mesnil
Date: Fri, 10 Mar 2023 10:09:37 +0100
Subject: [PATCH] [#266] Update Pods Security Standards
Configure the statefulset's pods to run in non-root mode. It drops all security capabilities and does not allow priviledge escalation. This fixes #266 WIP add security context to statefulset
Signed-off-by: Jeff Mesnil
---
 pkg/resources/statefulsets/statefulset.go | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/pkg/resources/statefulsets/statefulset.go b/pkg/resources/statefulsets/statefulset.go
index 2843d70a..01a9c55a 100644
--- a/pkg/resources/statefulsets/statefulset.go
+++ b/pkg/resources/statefulsets/statefulset.go
@@ -56,6 +56,12 @@ func NewStatefulSet(w *wildflyv1alpha1.WildFlyServer, labels map[string]string,
 wildflyImageTypeAnnotation = resources.ImageTypeBootable
 }
+ allowPrivilegeEscalation := new(bool)
+ *allowPrivilegeEscalation = false
+
+ runAsNonRoot := new(bool)
+ *runAsNonRoot = true
+
 statefulSet := &appsv1.StatefulSet{
 TypeMeta: metav1.TypeMeta{
 APIVersion: "apps/v1",
@@ -84,6 +90,9 @@ func NewStatefulSet(w *wildflyv1alpha1.WildFlyServer, labels map[string]string,
 },
 },
 Spec: corev1.PodSpec{
+ SecurityContext: &corev1.PodSecurityContext{
+ RunAsNonRoot: runAsNonRoot,
+ },
 Containers: []corev1.Container{{
 Name: w.Name,
 Image: applicationImage,
@@ -102,6 +111,14 @@ func NewStatefulSet(w *wildflyv1alpha1.WildFlyServer, labels map[string]string,
 ReadinessProbe: createReadinessProbe(w),
 // Resources
 Resources: createResources(w.Spec.Resources),
+ SecurityContext: &corev1.SecurityContext{
+ AllowPrivilegeEscalation: allowPrivilegeEscalation,
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{
+ "ALL",
+ },
+ },
+ },
 }},
 ServiceAccountName: w.Spec.ServiceAccountName,
 },
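Review bot: The pointer setup for `allowPrivilegeEscalation` and `runAsNonRoot` in the first hunk spends two statements on each value where a plain local would do; `allowPrivilegeEscalation := false` and `runAsNonRoot := true` here, with `&allowPrivilegeEscalation` and `&runAsNonRoot` at the two use sites in the later hunks, reads as ordinary Go and drops the blank-padded `new(bool)` pairs. If the module already depends on k8s.io/utils, `pointer.Bool(false)` is the usual shorthand, but go.mod is not visible from here so I cannot confirm that. NewStatefulSet begins and ends outside this hunk.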
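Review bot: The pod-level `RunAsNonRoot: runAsNonRoot` in the second hunk is set without a `RunAsUser`, so the kubelet must verify the non-root requirement from the image's metadata at container start; an image whose Dockerfile declares its user by name rather than numeric UID, or one that defaults to root, will then fail to start with a runAsNonRoot verification error instead of being silently hardened. `applicationImage` presumably comes from the CR, so this is user-supplied input the operator cannot inspect in advance, and the change is deployment-breaking for such images until the numeric-UID requirement is documented. Where the platform does not assign UIDs itself (OpenShift SCCs do), letting the CR supply `RunAsUser`/`RunAsGroup` alongside this default would give users a way forward without weakening the non-root rule. NewStatefulSet begins and ends outside this hunk.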
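Review bot: The container security context in the third hunk drops all capabilities and disables privilege escalation but sets no seccomp profile, which the restricted Pod Security Standard also checks; if that profile is what "Pods Security Standards" in the subject refers to, add `SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault}` either here or on the PodSecurityContext. The hardening is attached to the single `w.Name` container only; if this StatefulSet gains init containers or sidecars elsewhere in the file, they need the same context for the pod to pass the restricted checks, which I cannot verify from this hunk. A short comment above the block, such as `// Hardening per Pod Security Standards: no privilege escalation, no Linux capabilities`, would record the intent for a maintainer later tempted to relax it. NewStatefulSet begins and ends outside this hunk.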