fix: set seccomp profiles and grant SAs necessary premissions to run (#…

…154) When running in namespace with Pod Security Standard profile "restricted" we need to set RunAsNonRoot and SeccompProfile to all workloads running on that namespace. Futhermore on OpenShift to run with a SeccompProfile set we need to grant service accounts premisisons to use the SCC nonroot-v2 #149
rhobs · Jun 3, 2022 · 1d44825 · 1d44825
1 parent ad8101a
commit 1d44825
Showing 6 changed files with 88 additions and 1 deletion.
diff --git a/deploy/dependencies/kustomization.yaml b/deploy/dependencies/kustomization.yaml
@@ -40,6 +40,10 @@ patches:
                     cpu: 5m
                     memory: 150Mi
                 terminationMessagePolicy: FallbackToLogsOnError
+            securityContext:
+              runAsNonRoot: true
+              seccompProfile:
+                type: RuntimeDefault
   - patch: |-
       - op: remove
         path: /spec/template/spec/nodeSelector
@@ -48,3 +52,20 @@ patches:
       version: v1
       kind: Deployment
 
+  - patch: |-
+      - op: add
+        path: /rules/-
+        value:
+          apiGroups:
+            - security.openshift.io
+          resourceNames:
+            - nonroot-v2
+          resources:
+            - securitycontextconstraints
+          verbs:
+            - use
+    target:
+      group: rbac.authorization.k8s.io
+      version: v1
+      kind: ClusterRole
+      name: prometheus-operator
diff --git a/deploy/operator/observability-operator-cluster-role.yaml b/deploy/operator/observability-operator-cluster-role.yaml
@@ -158,3 +158,11 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - security.openshift.io
+  resourceNames:
+  - nonroot-v2
+  resources:
+  - securitycontextconstraints
+  verbs:
+  - use
diff --git a/deploy/operator/observability-operator-deployment.yaml b/deploy/operator/observability-operator-deployment.yaml
@@ -22,6 +22,8 @@ spec:
     spec:
       securityContext:
         runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
       containers:
         - name: operator
           image: observability-operator:0.0.1
@@ -35,6 +37,9 @@ spec:
                 fieldPath: metadata.namespace
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+              - ALL
           resources:
             limits:
               cpu: 200m

diff --git a/pkg/controllers/monitoring/monitoring-stack/alertmanager.go b/pkg/controllers/monitoring/monitoring-stack/alertmanager.go
@@ -3,6 +3,8 @@ package monitoringstack
 import (
 	stack "github.com/rhobs/observability-operator/pkg/apis/monitoring/v1alpha1"
 	policyv1 "k8s.io/api/policy/v1"
+	rbacv1 "k8s.io/api/rbac/v1"
+	"k8s.io/utils/pointer"
 
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/util/intstr"
@@ -65,6 +67,14 @@ func newAlertmanager(
 					},
 				},
 			},
+			SecurityContext: &corev1.PodSecurityContext{
+				FSGroup:      pointer.Int64(AlertmanagerUserFSGroupID),
+				RunAsNonRoot: pointer.Bool(true),
+				RunAsUser:    pointer.Int64(AlertmanagerUserFSGroupID),
+				SeccompProfile: &corev1.SeccompProfile{
+					Type: corev1.SeccompProfileTypeRuntimeDefault,
+				},
+			},
 		},
 	}
 }
@@ -119,3 +129,24 @@ func newAlertmanagerPDB(ms *stack.MonitoringStack, instanceSelectorKey string, i
 		},
 	}
 }
+
+func newAlertManagerRole(ms *stack.MonitoringStack, rbacResourceName string, rbacVerbs []string) *rbacv1.Role {
+	return &rbacv1.Role{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: rbacv1.SchemeGroupVersion.String(),
+			Kind:       "Role",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      rbacResourceName,
+			Namespace: ms.Namespace,
+		},
+		Rules: []rbacv1.PolicyRule{
+			{
+				APIGroups:     []string{"security.openshift.io"},
+				Resources:     []string{"securitycontextconstraints"},
+				ResourceNames: []string{"nonroot-v2"},
+				Verbs:         []string{"use"},
+			},
+		},
+	}
+}
diff --git a/pkg/controllers/monitoring/monitoring-stack/components.go b/pkg/controllers/monitoring/monitoring-stack/components.go
@@ -7,6 +7,7 @@ import (
 	stack "github.com/rhobs/observability-operator/pkg/apis/monitoring/v1alpha1"
 
 	"k8s.io/apimachinery/pkg/util/intstr"
+	"k8s.io/utils/pointer"
 
 	monv1 "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1"
 	policyv1 "k8s.io/api/policy/v1"
@@ -20,6 +21,8 @@ import (
 )
 
 const AdditionalScrapeConfigsSelfScrapeKey = "self-scrape-config"
+const PrometheusUserFSGroupID = 65534
+const AlertmanagerUserFSGroupID = 65535
 
 type reconcileFunction func(ctx context.Context, c client.Client, scheme *runtime.Scheme) error
 
@@ -49,6 +52,8 @@ func stackComponentReconcilers(ms *stack.MonitoringStack, instanceSelectorKey st
 		defaultReconciler(newRoleBinding(ms, prometheusRBACResourceName), ms),
 		defaultReconciler(newAdditionalScrapeConfigsSecret(ms, additionalScrapeConfigsSecretName), ms),
 		defaultReconciler(newServiceAccount(alertmanagerRBACResourceName, ms.Namespace), ms),
+		defaultReconciler(newAlertManagerRole(ms, alertmanagerRBACResourceName, rbacVerbs), ms),
+		defaultReconciler(newRoleBinding(ms, alertmanagerRBACResourceName), ms),
 		defaultReconciler(newAlertmanager(ms, alertmanagerRBACResourceName, instanceSelectorKey, instanceSelectorValue), ms),
 		defaultReconciler(newAlertmanagerService(ms, instanceSelectorKey, instanceSelectorValue), ms),
 		defaultReconciler(newAlertmanagerPDB(ms, instanceSelectorKey, instanceSelectorValue), ms),
@@ -80,6 +85,12 @@ func newPrometheusRole(ms *stack.MonitoringStack, rbacResourceName string, rbacV
 				Resources: []string{"ingresses"},
 				Verbs:     rbacVerbs,
 			},
+			{
+				APIGroups:     []string{"security.openshift.io"},
+				Resources:     []string{"securitycontextconstraints"},
+				ResourceNames: []string{"nonroot-v2"},
+				Verbs:         []string{"use"},
+			},
 		},
 	}
 }
@@ -163,7 +174,15 @@ func newPrometheus(
 					},
 					Key: AdditionalScrapeConfigsSelfScrapeKey,
 				},
-				Storage:        storageForPVC(config.PersistentVolumeClaim),
+				Storage: storageForPVC(config.PersistentVolumeClaim),
+				SecurityContext: &corev1.PodSecurityContext{
+					FSGroup:      pointer.Int64(PrometheusUserFSGroupID),
+					RunAsNonRoot: pointer.Bool(true),
+					RunAsUser:    pointer.Int64(PrometheusUserFSGroupID),
+					SeccompProfile: &corev1.SeccompProfile{
+						Type: corev1.SeccompProfileTypeRuntimeDefault,
+					},
+				},
 				RemoteWrite:    config.RemoteWrite,
 				ExternalLabels: config.ExternalLabels,
 			},

diff --git a/pkg/controllers/monitoring/monitoring-stack/controller.go b/pkg/controllers/monitoring/monitoring-stack/controller.go
@@ -70,6 +70,9 @@ type Options struct {
 //+kubebuilder:rbac:groups="",resources=pods;services;endpoints,verbs=get;list;watch
 //+kubebuilder:rbac:groups=extensions;networking.k8s.io,resources=ingresses,verbs=get;list;watch
 
+// RBAC for delegating the use of SCC nonroot-v2 needed for OpenShift
+//+kubebuilder:rbac:groups="security.openshift.io",resources=securitycontextconstraints,resourceNames=nonroot-v2,verbs=use
+
 // RegisterWithManager registers the controller with Manager
 func RegisterWithManager(mgr ctrl.Manager, opts Options) error {
 	split := strings.Split(opts.InstanceSelector, "=")