
fix: set seccomp profiles and grant SAs necessary premissions to run
When running in a namespace with the Pod Security Standard profile "restricted"
we need to set RunAsNonRoot and SeccompProfile on all workloads running
in that namespace. Furthermore, on OpenShift, to run with a SeccompProfile
set we need to grant service accounts permission to use the SCC
nonroot-v2 #149
JoaoBraveCoding committed Jun 2, 2022
1 parent 390a4aa commit 6707633
Showing 6 changed files with 83 additions and 1 deletion.
21 changes: 21 additions & 0 deletions deploy/dependencies/kustomization.yaml
Expand Up @@ -40,6 +40,10 @@ patches:
cpu: 5m
memory: 150Mi
terminationMessagePolicy: FallbackToLogsOnError
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
- patch: |-
- op: remove
path: /spec/template/spec/nodeSelector
Expand All @@ -48,3 +52,20 @@ patches:
version: v1
kind: Deployment
- patch: |-
- op: add
path: /rules/-
value:
apiGroups:
- security.openshift.io
resourceNames:
- nonroot-v2
resources:
- securitycontextconstraints
verbs:
- use
target:
group: rbac.authorization.k8s.io
version: v1
kind: ClusterRole
name: prometheus-operator
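Review bot: The patch in the first hunk (its sibling fields `cpu`, `memory` and `terminationMessagePolicy` suggest a container spec) sets `runAsNonRoot` and `seccompProfile` but not `allowPrivilegeEscalation: false` or `capabilities.drop: [ALL]`, which the "restricted" Pod Security Standard named in the commit message also requires at container level; the operator's own Deployment in this same commit does set both. Unless the targeted Deployment already carries them, add `allowPrivilegeEscalation: false` and `capabilities: {drop: [ALL]}` under the same `securityContext`. The patch target for the first hunk lies outside the hunk, so which Deployment this applies to cannot be confirmed here. For the ClusterRole patch in the second hunk, a comment such as `# OpenShift only: the operator must hold 'use' on SCC nonroot-v2 to delegate it to its workloads` would explain why a non-OpenShift overlay carries this rule.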
8 changes: 8 additions & 0 deletions deploy/operator/observability-operator-cluster-role.yaml
Expand Up @@ -158,3 +158,11 @@ rules:
- patch
- update
- watch
- apiGroups:
- security.openshift.io
resourceNames:
- nonroot-v2
resources:
- securitycontextconstraints
verbs:
- use
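Review bot: The new rule has no comment explaining why an OpenShift-specific resource appears in the operator's ClusterRole, and whether this file is hand-maintained or generated from the kubebuilder marker added to controller.go in this commit is not stated; if it is generated, a hand edit here will be overwritten. Consider `# OpenShift only: the operator must itself hold 'use' on SCC nonroot-v2 to grant it in the Prometheus/Alertmanager Roles it creates (RBAC escalation prevention)` above the rule. Scoping to `resourceNames: [nonroot-v2]` rather than all SCCs is the right least-privilege choice.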
5 changes: 5 additions & 0 deletions deploy/operator/observability-operator-deployment.yaml
Expand Up @@ -22,6 +22,8 @@ spec:
spec:
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
containers:
- name: operator
image: observability-operator:0.0.1
Expand All @@ -35,6 +37,9 @@ spec:
fieldPath: metadata.namespace
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
resources:
limits:
cpu: 200m
27 changes: 27 additions & 0 deletions pkg/controllers/monitoring/monitoring-stack/alertmanager.go
Expand Up @@ -3,6 +3,7 @@ package monitoringstack
import (
stack "github.com/rhobs/observability-operator/pkg/apis/monitoring/v1alpha1"
policyv1 "k8s.io/api/policy/v1"
rbacv1 "k8s.io/api/rbac/v1"

corev1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/util/intstr"
Expand Down Expand Up @@ -65,6 +66,11 @@ func newAlertmanager(
},
},
},
SecurityContext: &corev1.PodSecurityContext{
SeccompProfile: &corev1.SeccompProfile{
Type: corev1.SeccompProfileTypeRuntimeDefault,
},
},
},
}
}
Expand Down Expand Up @@ -119,3 +125,24 @@ func newAlertmanagerPDB(ms *stack.MonitoringStack, instanceSelectorKey string, i
},
}
}

func newAlertManagerRole(ms *stack.MonitoringStack, rbacResourceName string, rbacVerbs []string) *rbacv1.Role {
return &rbacv1.Role{
TypeMeta: metav1.TypeMeta{
APIVersion: rbacv1.SchemeGroupVersion.String(),
Kind: "Role",
},
ObjectMeta: metav1.ObjectMeta{
Name: rbacResourceName,
Namespace: ms.Namespace,
},
Rules: []rbacv1.PolicyRule{
{
APIGroups: []string{"security.openshift.io"},
Resources: []string{"securitycontextconstraints"},
ResourceNames: []string{"nonroot-v2"},
Verbs: []string{"use"},
},
},
}
}
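Review bot: The Alertmanager `PodSecurityContext` added in the second hunk sets only `SeccompProfile`, whereas the Prometheus one in components.go in this same commit also sets `RunAsNonRoot: pointer.Bool(true)` and the commit message says both are needed for the "restricted" profile; unless prometheus-operator fills it in, Alertmanager pods may still be rejected by that admission profile. Add `RunAsNonRoot` here as well (this file does not import `k8s.io/utils/pointer`, so that import or a local bool helper is needed). In `newAlertManagerRole` the `rbacVerbs` parameter is never used — the rule hard-codes `Verbs: []string{"use"}` — so either drop it or use it, and the name's `Manager` casing breaks with the file's `newAlertmanager`/`newAlertmanagerPDB`. The enclosing `newAlertmanager` function starts outside the hunk.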
20 changes: 19 additions & 1 deletion pkg/controllers/monitoring/monitoring-stack/components.go
Expand Up @@ -7,6 +7,7 @@ import (
stack "github.com/rhobs/observability-operator/pkg/apis/monitoring/v1alpha1"

"k8s.io/apimachinery/pkg/util/intstr"
"k8s.io/utils/pointer"

monv1 "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1"
policyv1 "k8s.io/api/policy/v1"
Expand All @@ -20,6 +21,7 @@ import (
)

const AdditionalScrapeConfigsSelfScrapeKey = "self-scrape-config"
const PrometheusUserFSGroupID = 65534

type reconcileFunction func(ctx context.Context, c client.Client, scheme *runtime.Scheme) error

Expand Down Expand Up @@ -49,6 +51,8 @@ func stackComponentReconcilers(ms *stack.MonitoringStack, instanceSelectorKey st
defaultReconciler(newRoleBinding(ms, prometheusRBACResourceName), ms),
defaultReconciler(newAdditionalScrapeConfigsSecret(ms, additionalScrapeConfigsSecretName), ms),
defaultReconciler(newServiceAccount(alertmanagerRBACResourceName, ms.Namespace), ms),
defaultReconciler(newAlertManagerRole(ms, alertmanagerRBACResourceName, rbacVerbs), ms),
defaultReconciler(newRoleBinding(ms, alertmanagerRBACResourceName), ms),
defaultReconciler(newAlertmanager(ms, alertmanagerRBACResourceName, instanceSelectorKey, instanceSelectorValue), ms),
defaultReconciler(newAlertmanagerService(ms, instanceSelectorKey, instanceSelectorValue), ms),
defaultReconciler(newAlertmanagerPDB(ms, instanceSelectorKey, instanceSelectorValue), ms),
Expand Down Expand Up @@ -80,6 +84,12 @@ func newPrometheusRole(ms *stack.MonitoringStack, rbacResourceName string, rbacV
Resources: []string{"ingresses"},
Verbs: rbacVerbs,
},
{
APIGroups: []string{"security.openshift.io"},
Resources: []string{"securitycontextconstraints"},
ResourceNames: []string{"nonroot-v2"},
Verbs: []string{"use"},
},
},
}
}
Expand Down Expand Up @@ -163,7 +173,15 @@ func newPrometheus(
},
Key: AdditionalScrapeConfigsSelfScrapeKey,
},
Storage: storageForPVC(config.PersistentVolumeClaim),
Storage: storageForPVC(config.PersistentVolumeClaim),
SecurityContext: &corev1.PodSecurityContext{
FSGroup: pointer.Int64(PrometheusUserFSGroupID),
RunAsNonRoot: pointer.Bool(true),
RunAsUser: pointer.Int64(PrometheusUserFSGroupID),
SeccompProfile: &corev1.SeccompProfile{
Type: corev1.SeccompProfileTypeRuntimeDefault,
},
},
RemoteWrite: config.RemoteWrite,
ExternalLabels: config.ExternalLabels,
},
Expand Down
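Review bot: `PrometheusUserFSGroupID` is a new exported constant with no doc comment, and its name says FSGroup while it is also used for `RunAsUser`; a comment such as `// PrometheusUserFSGroupID is the UID and GID (conventionally nobody, 65534) that Prometheus pods run as and own their volumes with.` makes the dual use explicit. The SCC rule added to `newPrometheusRole` is byte-for-byte the one in `newAlertManagerRole` (alertmanager.go, same commit); a shared helper returning that `rbacv1.PolicyRule` would keep the two from drifting. Pinning `RunAsUser` to 65534 assumes the Prometheus image runs as that UID — worth a comment stating the assumption. Both `newPrometheusRole` and `newPrometheus` start and end outside their hunks.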
3 changes: 3 additions & 0 deletions pkg/controllers/monitoring/monitoring-stack/controller.go
Expand Up @@ -70,6 +70,9 @@ type Options struct {
//+kubebuilder:rbac:groups="",resources=pods;services;endpoints,verbs=get;list;watch
//+kubebuilder:rbac:groups=extensions;networking.k8s.io,resources=ingresses,verbs=get;list;watch

// RBAC for delegating the use of SCC nonroot-v2 needed for OpenShift
//+kubebuilder:rbac:groups="security.openshift.io",resources=securitycontextconstraints,resourceNames=nonroot-v2,verbs=use

// RegisterWithManager registers the controller with Manager
func RegisterWithManager(mgr ctrl.Manager, opts Options) error {
split := strings.Split(opts.InstanceSelector, "=")
