boost default pod security

Signed-off-by: Scott Trent <[email protected]>
sustainable-computing-io · Sep 30, 2024 · 6148ebe · 6148ebe
1 parent 75a3e98
commit 6148ebe
Show file tree

Hide file tree

Showing 5 changed files with 5 additions and 17 deletions.
diff --git a/bundle/manifests/susql-operator.clusterserviceversion.yaml b/bundle/manifests/susql-operator.clusterserviceversion.yaml
@@ -28,7 +28,7 @@ metadata:
     capabilities: Basic Install
     categories: Monitoring
     containerImage: quay.io/sustainable_computing_io/susql_operator:0.0.32
-    createdAt: "2024-09-30T02:37:03Z"
+    createdAt: "2024-09-30T05:10:03Z"
     description: 'Aggregates energy and CO2 emission data for pods tagged with SusQL
       labels '
     features.operators.openshift.io/disconnected: "false"
@@ -212,9 +212,7 @@ spec:
                     drop:
                     - ALL
                   readOnlyRootFilesystem: true
-                  runAsGroup: 14001
                   runAsNonRoot: true
-                  runAsUser: 14001
               - command:
                 - /manager
                 env:
@@ -339,12 +337,9 @@ spec:
                   capabilities:
                     drop:
                     - ALL
-                  runAsGroup: 12001
-                  runAsUser: 12001
+                  readOnlyRootFilesystem: true
               securityContext:
-                runAsGroup: 11001
                 runAsNonRoot: true
-                runAsUser: 11001
               serviceAccountName: susql-operator-susql-controller-manager
               terminationGracePeriodSeconds: 10
       permissions:

diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml
@@ -14,8 +14,6 @@ spec:
           allowPrivilegeEscalation: false
           readOnlyRootFilesystem: true
           runAsNonRoot: true
-          runAsUser: 14001
-          runAsGroup: 14001
           capabilities:
             drop:
               - "ALL"

diff --git a/config/default/manager_config_patch.yaml b/config/default/manager_config_patch.yaml
@@ -10,9 +10,8 @@ spec:
       - name: manager
         imagePullPolicy: Always
         securityContext:
-          runAsUser: 11001
-          runAsGroup: 11001
           allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
           runAsNonRoot: true
           capabilities:
             drop:

diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
@@ -57,8 +57,6 @@ spec:
       #               - linux
       securityContext:
         runAsNonRoot: true
-        runAsUser: 11001
-        runAsGroup: 11001
         # TODO(user): For common cases that do not require escalating privileges
         # it is recommended to ensure that all your Pods/Containers are restrictive.
         # More info: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
@@ -165,9 +163,8 @@ spec:
         imagePullPolicy: Always
         name: manager
         securityContext:
-          runAsUser: 12001
-          runAsGroup: 12001
           allowPrivilegeEscalation: false
+          readOnlyRootFilesystem : true
           capabilities:
             drop:
               - "ALL"

diff --git a/deployment/susql-controller/templates/deployment.yaml b/deployment/susql-controller/templates/deployment.yaml
@@ -24,9 +24,8 @@ spec:
                   image: {{ required "Please specify a 'containerImage' in the user file" .Values.containerImage }}
                   imagePullPolicy: {{ .Values.imagePullPolicy | default "Always" }}
                   securityContext:
-                      runAsUser: 10001
-                      runAsGroup: 10001
                       allowPrivilegeEscalation: false
+                      readOnlyRootFilesystem: true
                       runAsNonRoot: true
                       capabilities:
                           drop: