From 66ac9cb55bb59019473d85f7b91229100b41bfcd Mon Sep 17 00:00:00 2001
From: John Mazzitelli
Date: Mon, 22 Aug 2022 17:48:57 -0400
Subject: [PATCH 1/3] security context - drop all capabilities part of https://github.com/kiali/kiali/issues/5399
---
 .../kiali-ossm/manifests/kiali.clusterserviceversion.yaml | 3 +++
 .../default/kiali-deploy/templates/kubernetes/deployment.yaml | 3 +++
 roles/default/kiali-deploy/templates/openshift/deployment.yaml | 3 +++
 3 files changed, 9 insertions(+)
diff --git a/manifests/kiali-ossm/manifests/kiali.clusterserviceversion.yaml b/manifests/kiali-ossm/manifests/kiali.clusterserviceversion.yaml
index 1e003798..ef9a3474 100644
--- a/manifests/kiali-ossm/manifests/kiali.clusterserviceversion.yaml
+++ b/manifests/kiali-ossm/manifests/kiali.clusterserviceversion.yaml
@@ -241,6 +241,9 @@ spec:
 allowPrivilegeEscalation: false
 privileged: false
 runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
 volumeMounts:
 - mountPath: /tmp/ansible-operator/runner
 name: runner
diff --git a/roles/default/kiali-deploy/templates/kubernetes/deployment.yaml b/roles/default/kiali-deploy/templates/kubernetes/deployment.yaml
index f9d1106e..40b527cf 100644
--- a/roles/default/kiali-deploy/templates/kubernetes/deployment.yaml
+++ b/roles/default/kiali-deploy/templates/kubernetes/deployment.yaml
@@ -60,6 +60,9 @@ spec:
 privileged: false
 readOnlyRootFilesystem: true
 runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
 ports:
 - name: api-port
 containerPort: {{ kiali_vars.server.port }}
diff --git a/roles/default/kiali-deploy/templates/openshift/deployment.yaml b/roles/default/kiali-deploy/templates/openshift/deployment.yaml
index ec1750e2..05aa5e3c 100644
--- a/roles/default/kiali-deploy/templates/openshift/deployment.yaml
+++ b/roles/default/kiali-deploy/templates/openshift/deployment.yaml
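Review bot: The operator container's securityContext in the first hunk gains `capabilities.drop: [ALL]`, but the three context lines above it (`allowPrivilegeEscalation`, `privileged`, `runAsNonRoot`) show no `readOnlyRootFilesystem: true`, which the two deployment-template hunks that follow do set; if it is indeed absent from the CSV, the operator pod is the only workload in this series left with a writable root filesystem. The `/tmp/ansible-operator/runner` volume mount visible in the context suggests the operator's writable path is already on a mounted volume, so `readOnlyRootFilesystem: true` next to `runAsNonRoot: true` looks feasible, though that needs a run against the ansible-operator base image to confirm no other path is written. The securityContext mapping begins above the hunk. The same observation applies to the community and upstream CSV hunks in the second patch of the series.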
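Review bot: With all capabilities dropped and `runAsNonRoot: true` already set, the Kiali server container in the kubernetes deployment hunk can no longer bind a port below 1024, yet the `containerPort: {{ kiali_vars.server.port }}` context line shows that port is user-configurable; a value such as 443 now fails at bind time inside the pod instead of at configuration time. Consider either documenting the >= 1024 requirement on `server.port` or asserting it in the role before templating, e.g. `- fail: msg="server.port must be 1024 or higher because the container drops all capabilities"` with `when: kiali_vars.server.port | int < 1024`. The securityContext mapping begins above the hunk. The openshift template hunk that follows has the same exposure.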
@@ -60,6 +60,9 @@ spec:
 privileged: false
 readOnlyRootFilesystem: true
 runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
 ports:
 - name: api-port
 containerPort: {{ kiali_vars.server.port }}
From 97cde0a3b5885c18a242890edcfdd7be935bacca Mon Sep 17 00:00:00 2001
From: John Mazzitelli
Date: Mon, 22 Aug 2022 17:55:18 -0400
Subject: [PATCH 2/3] olm metadata update
---
 .../1.56.0/manifests/kiali.v1.56.0.clusterserviceversion.yaml | 3 +++
 .../1.56.0/manifests/kiali.v1.56.0.clusterserviceversion.yaml | 3 +++
 2 files changed, 6 insertions(+)
diff --git a/manifests/kiali-community/1.56.0/manifests/kiali.v1.56.0.clusterserviceversion.yaml b/manifests/kiali-community/1.56.0/manifests/kiali.v1.56.0.clusterserviceversion.yaml
index 050449b3..3999e85d 100644
--- a/manifests/kiali-community/1.56.0/manifests/kiali.v1.56.0.clusterserviceversion.yaml
+++ b/manifests/kiali-community/1.56.0/manifests/kiali.v1.56.0.clusterserviceversion.yaml
@@ -207,6 +207,9 @@ spec:
 allowPrivilegeEscalation: false
 privileged: false
 runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
 volumeMounts:
 - mountPath: /tmp/ansible-operator/runner
 name: runner
diff --git a/manifests/kiali-upstream/1.56.0/manifests/kiali.v1.56.0.clusterserviceversion.yaml b/manifests/kiali-upstream/1.56.0/manifests/kiali.v1.56.0.clusterserviceversion.yaml
index afab8a58..662884eb 100644
--- a/manifests/kiali-upstream/1.56.0/manifests/kiali.v1.56.0.clusterserviceversion.yaml
+++ b/manifests/kiali-upstream/1.56.0/manifests/kiali.v1.56.0.clusterserviceversion.yaml
@@ -207,6 +207,9 @@ spec:
 allowPrivilegeEscalation: false
 privileged: false
 runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
 volumeMounts:
 - mountPath: /tmp/ansible-operator/runner
 name: runner
From c72c30a9c45d7724751528c6bb9fbc3d68eb7ea5 Mon Sep 17 00:00:00 2001
From: John Mazzitelli
Date: Mon, 22 Aug 2022 18:07:59 -0400
Subject: [PATCH 3/3] add seccompProfile setting
---
 .../1.56.0/manifests/kiali.v1.56.0.clusterserviceversion.yaml | 2 ++
 .../kiali-ossm/manifests/kiali.clusterserviceversion.yaml | 4 +++-
 .../1.56.0/manifests/kiali.v1.56.0.clusterserviceversion.yaml | 2 ++
 .../default/kiali-deploy/templates/kubernetes/deployment.yaml | 2 ++
 .../default/kiali-deploy/templates/openshift/deployment.yaml | 2 ++
 5 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/manifests/kiali-community/1.56.0/manifests/kiali.v1.56.0.clusterserviceversion.yaml b/manifests/kiali-community/1.56.0/manifests/kiali.v1.56.0.clusterserviceversion.yaml
index 3999e85d..7540f454 100644
--- a/manifests/kiali-community/1.56.0/manifests/kiali.v1.56.0.clusterserviceversion.yaml
+++ b/manifests/kiali-community/1.56.0/manifests/kiali.v1.56.0.clusterserviceversion.yaml
@@ -207,6 +207,8 @@ spec:
 allowPrivilegeEscalation: false
 privileged: false
 runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
 capabilities:
 drop:
 - ALL
diff --git a/manifests/kiali-ossm/manifests/kiali.clusterserviceversion.yaml b/manifests/kiali-ossm/manifests/kiali.clusterserviceversion.yaml
index ef9a3474..8e889111 100644
--- a/manifests/kiali-ossm/manifests/kiali.clusterserviceversion.yaml
+++ b/manifests/kiali-ossm/manifests/kiali.clusterserviceversion.yaml
@@ -241,6 +241,8 @@ spec:
 allowPrivilegeEscalation: false
 privileged: false
 runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
 capabilities:
 drop:
 - ALL
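Review bot: `seccompProfile` is added on the container-level securityContext in the community CSV hunk and, identically, in the ossm CSV, upstream CSV, kubernetes-template and openshift-template hunks of this patch; the field only exists on Kubernetes 1.19 and later, and an API server older than that does not recognise it (kubectl's client-side validation rejects the manifest, while a server-side apply drops the field), so the minimum supported cluster version should be stated in the commit message or release notes. Setting it per container also leaves any other container in the same pod, such as an injected sidecar if one is ever added, on the runtime's unconfined default; a pod-level `securityContext:` with `seccompProfile: {type: RuntimeDefault}` covers every container in the pod, and the container-level entry can remain as an explicit override. The securityContext mapping begins above each of these hunks.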
@@ -275,7 +277,7 @@ spec:
 - name: RELATED_IMAGE_kiali_default
 value: "registry-proxy.engineering.redhat.com/rh-osbs/openshift-service-mesh-kiali-rhel8${KIALI_1_48_TAG}"
 - name: RELATED_IMAGE_kiali_v1_48
- value: "registry-proxy.engineering.redhat.com/rh-osbs/openshift-service-mesh-kiali-rhel8${KIALI_1_48_TAG}"
+ value: "registry-proxy.engineering.redhat.com/rh-osbs/openshift-service-mesh-kiali-rhel8${KIALI_1_48_TAG}"
 - name: RELATED_IMAGE_kiali_v1_36
 value: "registry-proxy.engineering.redhat.com/rh-osbs/openshift-service-mesh-kiali-rhel8${KIALI_1_36_TAG}"
 - name: RELATED_IMAGE_kiali_v1_24
diff --git a/manifests/kiali-upstream/1.56.0/manifests/kiali.v1.56.0.clusterserviceversion.yaml b/manifests/kiali-upstream/1.56.0/manifests/kiali.v1.56.0.clusterserviceversion.yaml
index 662884eb..4bbd40ec 100644
--- a/manifests/kiali-upstream/1.56.0/manifests/kiali.v1.56.0.clusterserviceversion.yaml
+++ b/manifests/kiali-upstream/1.56.0/manifests/kiali.v1.56.0.clusterserviceversion.yaml
@@ -207,6 +207,8 @@ spec:
 allowPrivilegeEscalation: false
 privileged: false
 runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
 capabilities:
 drop:
 - ALL
diff --git a/roles/default/kiali-deploy/templates/kubernetes/deployment.yaml b/roles/default/kiali-deploy/templates/kubernetes/deployment.yaml
index 40b527cf..62bdd509 100644
--- a/roles/default/kiali-deploy/templates/kubernetes/deployment.yaml
+++ b/roles/default/kiali-deploy/templates/kubernetes/deployment.yaml
@@ -60,6 +60,8 @@ spec:
 privileged: false
 readOnlyRootFilesystem: true
 runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
 capabilities:
 drop:
 - ALL
diff --git a/roles/default/kiali-deploy/templates/openshift/deployment.yaml b/roles/default/kiali-deploy/templates/openshift/deployment.yaml
index 05aa5e3c..110dda10 100644
--- a/roles/default/kiali-deploy/templates/openshift/deployment.yaml
+++ b/roles/default/kiali-deploy/templates/openshift/deployment.yaml
@@ -60,6 +60,8 @@ spec:
 privileged: false
 readOnlyRootFilesystem: true
 runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
 capabilities:
 drop:
 - ALL