fix: specify nonroot uid for manager

See kubernetes-sigs/kubebuilder#1635 for more info Signed-off-by: He Weiwei <[email protected]>
heww · Feb 3, 2021 · 37a23bd · 37a23bd
1 parent 7190f2f
commit 37a23bd
Show file tree

Hide file tree

Showing 7 changed files with 513 additions and 122 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -3,6 +3,6 @@
 FROM gcr.io/distroless/static:nonroot
 WORKDIR /
 COPY manager .
-USER nonroot:nonroot
+USER 65532:65532
 
 ENTRYPOINT ["/manager"]
diff --git a/charts/harbor-operator/README.md b/charts/harbor-operator/README.md
@@ -11,6 +11,7 @@ Deploy Harbor Operator
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | affinity | object | `{}` | Expects input structure as per specification <https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#affinity-v1-core> For example: `{   "nodeAffinity": {     "requiredDuringSchedulingIgnoredDuringExecution": {       "nodeSelectorTerms": [         {           "matchExpressions": [             {               "key": "foo.bar.com/role",               "operator": "In",               "values": [                 "master"               ]             }           ]         }       ]     }   } }` |
+| allowPrivilegeEscalation | bool | `false` | Allow privilege escalation for the controller Pods |
 | autoscaling.enabled | bool | `false` | Whether to enabled [Horizontal Pod Autoscaling](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) |
 | autoscaling.maxReplicas | int | `100` | Maximum conroller replicas |
 | autoscaling.minReplicas | int | `1` | Minimum conroller replicas |
@@ -30,7 +31,7 @@ Deploy Harbor Operator
 | nodeSelector | object | `{}` | Expects input structure as per specification <https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#nodeselector-v1-core> For example: `[   {     "matchExpressions": [       {         "key": "kubernetes.io/e2e-az-name",         "operator": "In",         "values": [           "e2e-az1",           "e2e-az2"         ]       }     ]   } ]` |
 | podAnnotations | object | `{}` | Additional annotations to add to the controller Pods |
 | podLabels | object | `{}` | Additional labels to add to the controller Pods |
-| podSecurityContext | object | `{}` | Expects input structure as per specification <https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#podsecuritycontext-v1-core> For example: `{   "fsGroup": 2000,   "runAsUser": 1000,   "runAsNonRoot": true }` |
+| podSecurityContext | object | `{"runAsNonRoot":true,"runAsUser":65532}` | Expects input structure as per specification <https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#podsecuritycontext-v1-core> For example: `{   "fsGroup": 2000,   "runAsUser": 1000,   "runAsNonRoot": true }` |
 | priorityClassName | string | `""` | priority class to be used for the harbor-operator pods |
 | rbac.create | bool | `true` | Whether to install Role Based Access Control |
 | replicaCount | int | `1` | Number of replicas for the controller |

diff --git a/charts/harbor-operator/templates/deployment.yaml b/charts/harbor-operator/templates/deployment.yaml
@@ -53,6 +53,8 @@ spec:
             path: /readyz
             port: ready
         resources: {{- toYaml .Values.resources | nindent 10 }}
+        securityContext:
+          allowPrivilegeEscalation: {{ .Values.allowPrivilegeEscalation }}
         volumeMounts:
         - mountPath: /tmp/k8s-webhook-server/serving-certs
           name: cert

diff --git a/charts/harbor-operator/values.yaml b/charts/harbor-operator/values.yaml
@@ -110,7 +110,12 @@ podLabels: {}
 #   "runAsUser": 1000,
 #   "runAsNonRoot": true
 # }`
-podSecurityContext: {}
+podSecurityContext:
+  runAsUser: 65532
+  runAsNonRoot: true
+
+# allowPrivilegeEscalation -- Allow privilege escalation for the controller Pods
+allowPrivilegeEscalation: false
 
 # <https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#servicespec-v1-core>
 service:

diff --git a/config/helm/deployment/patch_deployment_security.yaml b/config/helm/deployment/patch_deployment_security.yaml
@@ -22,3 +22,6 @@
  - op: replace
    path: /spec/template/spec/containers/0/imagePullPolicy
    value: '{{ .Values.image.pullPolicy | quote }}'
+ - op: replace
+   path: /spec/template/spec/containers/0/securityContext/allowPrivilegeEscalation
+   value: '{{ .Values.allowPrivilegeEscalation }}'
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
@@ -13,13 +13,17 @@ spec:
       labels:
         control-plane: harbor-operator
     spec:
+      securityContext:
+        runAsUser: 65532
       containers:
       - command:
         - /manager
         args:
         - --enable-leader-election
         image: goharbor/harbor-operator:dev
         name: manager
+        securityContext:
+          allowPrivilegeEscalation: false
         resources:
           limits:
             cpu: 500m