From c04a2833e1281e8ee97a818fb4ebc3f3bebcef75 Mon Sep 17 00:00:00 2001
From: Allen Ray
Date: Thu, 24 Jul 2025 10:48:57 -0400
Subject: [PATCH 01/10] Enabled readonlyRootFilesystem by default
---
 pkg/controller/bundle/bundle_unpacker.go | 3 +++
 pkg/controller/bundle/bundle_unpacker_test.go | 18 ++++++++++++++++++
 2 files changed, 21 insertions(+)
diff --git a/pkg/controller/bundle/bundle_unpacker.go b/pkg/controller/bundle/bundle_unpacker.go
index 698119af6f..263e77c5b4 100644
--- a/pkg/controller/bundle/bundle_unpacker.go
+++ b/pkg/controller/bundle/bundle_unpacker.go
@@ -154,6 +154,7 @@ func (c *ConfigMapUnpacker) job(cmRef *corev1.ObjectReference, bundlePath string
 },
 SecurityContext: &corev1.SecurityContext{
 AllowPrivilegeEscalation: ptr.To(bool(false)),
+ ReadOnlyRootFilesystem: ptr.To(true),
 Capabilities: &corev1.Capabilities{
 Drop: []corev1.Capability{"ALL"},
 },
@@ -180,6 +181,7 @@ func (c *ConfigMapUnpacker) job(cmRef *corev1.ObjectReference, bundlePath string
 },
 SecurityContext: &corev1.SecurityContext{
 AllowPrivilegeEscalation: ptr.To(bool(false)),
+ ReadOnlyRootFilesystem: ptr.To(true),
 Capabilities: &corev1.Capabilities{
 Drop: []corev1.Capability{"ALL"},
 },
@@ -209,6 +211,7 @@ func (c *ConfigMapUnpacker) job(cmRef *corev1.ObjectReference, bundlePath string
 },
 SecurityContext: &corev1.SecurityContext{
 AllowPrivilegeEscalation: ptr.To(bool(false)),
+ ReadOnlyRootFilesystem: ptr.To(true),
 Capabilities: &corev1.Capabilities{
 Drop: []corev1.Capability{"ALL"},
 },
diff --git a/pkg/controller/bundle/bundle_unpacker_test.go b/pkg/controller/bundle/bundle_unpacker_test.go
index 312037bf2a..f9ec614d5c 100644
--- a/pkg/controller/bundle/bundle_unpacker_test.go
+++ b/pkg/controller/bundle/bundle_unpacker_test.go
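Review bot: The three unpack containers in `job()` now get `ReadOnlyRootFilesystem: ptr.To(true)`, but none of the three hunks shows the job's volumes, so it cannot be confirmed here that each container's command writes only into mounted volumes; any write to the image root now fails at runtime rather than at review, as the `/tmp` emptyDir that PATCH 03/10 has to add for the operator deployments suggests. A comment at the first site recording that this was checked, e.g. `// unpack writes only into the mounted volumes; the image root stays read-only`, would make the guarantee explicit. The adjacent `AllowPrivilegeEscalation: ptr.To(bool(false)),` keeps a redundant conversion next to the new `ptr.To(true)`; `AllowPrivilegeEscalation: ptr.To(false),` reads consistently. The same applies to the second and third hunks of this file, and `job()` extends beyond every one of them.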
@@ -308,6 +308,7 @@ func TestConfigMapUnpacker(t *testing.T) { }, SecurityContext: &corev1.SecurityContext{ AllowPrivilegeEscalation: ptr.To(bool(false)), + ReadOnlyRootFilesystem: ptr.To(true), Capabilities: &corev1.Capabilities{ Drop: []corev1.Capability{"ALL"}, }, @@ -334,6 +335,7 @@ func TestConfigMapUnpacker(t *testing.T) { }, SecurityContext: &corev1.SecurityContext{ AllowPrivilegeEscalation: ptr.To(bool(false)), + ReadOnlyRootFilesystem: ptr.To(true), Capabilities: &corev1.Capabilities{ Drop: []corev1.Capability{"ALL"}, }, @@ -363,6 +365,7 @@ func TestConfigMapUnpacker(t *testing.T) { }, SecurityContext: &corev1.SecurityContext{ AllowPrivilegeEscalation: ptr.To(bool(false)), + ReadOnlyRootFilesystem: ptr.To(true), Capabilities: &corev1.Capabilities{ Drop: []corev1.Capability{"ALL"}, }, @@ -524,6 +527,7 @@ func TestConfigMapUnpacker(t *testing.T) { }, SecurityContext: &corev1.SecurityContext{ AllowPrivilegeEscalation: ptr.To(bool(false)), + ReadOnlyRootFilesystem: ptr.To(true), Capabilities: &corev1.Capabilities{ Drop: []corev1.Capability{"ALL"}, }, @@ -550,6 +554,7 @@ func TestConfigMapUnpacker(t *testing.T) { }, SecurityContext: &corev1.SecurityContext{ AllowPrivilegeEscalation: ptr.To(bool(false)), + ReadOnlyRootFilesystem: ptr.To(true), Capabilities: &corev1.Capabilities{ Drop: []corev1.Capability{"ALL"}, }, @@ -579,6 +584,7 @@ func TestConfigMapUnpacker(t *testing.T) { }, SecurityContext: &corev1.SecurityContext{ AllowPrivilegeEscalation: ptr.To(bool(false)), + ReadOnlyRootFilesystem: ptr.To(true), Capabilities: &corev1.Capabilities{ Drop: []corev1.Capability{"ALL"}, }, @@ -780,6 +786,7 @@ func TestConfigMapUnpacker(t *testing.T) { }, SecurityContext: &corev1.SecurityContext{ AllowPrivilegeEscalation: ptr.To(bool(false)), + ReadOnlyRootFilesystem: ptr.To(true), Capabilities: &corev1.Capabilities{ Drop: []corev1.Capability{"ALL"}, }, 
@@ -806,6 +813,7 @@ func TestConfigMapUnpacker(t *testing.T) { }, SecurityContext: &corev1.SecurityContext{ AllowPrivilegeEscalation: ptr.To(bool(false)), + ReadOnlyRootFilesystem: ptr.To(true), Capabilities: &corev1.Capabilities{ Drop: []corev1.Capability{"ALL"}, }, @@ -835,6 +843,7 @@ func TestConfigMapUnpacker(t *testing.T) { }, SecurityContext: &corev1.SecurityContext{ AllowPrivilegeEscalation: ptr.To(bool(false)), + ReadOnlyRootFilesystem: ptr.To(true), Capabilities: &corev1.Capabilities{ Drop: []corev1.Capability{"ALL"}, }, @@ -1031,6 +1040,7 @@ func TestConfigMapUnpacker(t *testing.T) { }, SecurityContext: &corev1.SecurityContext{ AllowPrivilegeEscalation: ptr.To(bool(false)), + ReadOnlyRootFilesystem: ptr.To(true), Capabilities: &corev1.Capabilities{ Drop: []corev1.Capability{"ALL"}, }, @@ -1057,6 +1067,7 @@ func TestConfigMapUnpacker(t *testing.T) { }, SecurityContext: &corev1.SecurityContext{ AllowPrivilegeEscalation: ptr.To(bool(false)), + ReadOnlyRootFilesystem: ptr.To(true), Capabilities: &corev1.Capabilities{ Drop: []corev1.Capability{"ALL"}, }, @@ -1086,6 +1097,7 @@ func TestConfigMapUnpacker(t *testing.T) { }, SecurityContext: &corev1.SecurityContext{ AllowPrivilegeEscalation: ptr.To(bool(false)), + ReadOnlyRootFilesystem: ptr.To(true), Capabilities: &corev1.Capabilities{ Drop: []corev1.Capability{"ALL"}, }, @@ -1252,6 +1264,7 @@ func TestConfigMapUnpacker(t *testing.T) { }, SecurityContext: &corev1.SecurityContext{ AllowPrivilegeEscalation: ptr.To(bool(false)), + ReadOnlyRootFilesystem: ptr.To(true), Capabilities: &corev1.Capabilities{ Drop: []corev1.Capability{"ALL"}, }, @@ -1278,6 +1291,7 @@ func TestConfigMapUnpacker(t *testing.T) { }, SecurityContext: &corev1.SecurityContext{ AllowPrivilegeEscalation: ptr.To(bool(false)), + ReadOnlyRootFilesystem: ptr.To(true), Capabilities: &corev1.Capabilities{ Drop: []corev1.Capability{"ALL"}, }, 
@@ -1307,6 +1321,7 @@ func TestConfigMapUnpacker(t *testing.T) {
 },
 SecurityContext: &corev1.SecurityContext{
 AllowPrivilegeEscalation: ptr.To(bool(false)),
+ ReadOnlyRootFilesystem: ptr.To(true),
 Capabilities: &corev1.Capabilities{
 Drop: []corev1.Capability{"ALL"},
 },
@@ -1486,6 +1501,7 @@ func TestConfigMapUnpacker(t *testing.T) {
 },
 SecurityContext: &corev1.SecurityContext{
 AllowPrivilegeEscalation: ptr.To(bool(false)),
+ ReadOnlyRootFilesystem: ptr.To(true),
 Capabilities: &corev1.Capabilities{
 Drop: []corev1.Capability{"ALL"},
 },
@@ -1512,6 +1528,7 @@ func TestConfigMapUnpacker(t *testing.T) {
 },
 SecurityContext: &corev1.SecurityContext{
 AllowPrivilegeEscalation: ptr.To(bool(false)),
+ ReadOnlyRootFilesystem: ptr.To(true),
 Capabilities: &corev1.Capabilities{
 Drop: []corev1.Capability{"ALL"},
 },
@@ -1541,6 +1558,7 @@ func TestConfigMapUnpacker(t *testing.T) {
 },
 SecurityContext: &corev1.SecurityContext{
 AllowPrivilegeEscalation: ptr.To(bool(false)),
+ ReadOnlyRootFilesystem: ptr.To(true),
 Capabilities: &corev1.Capabilities{
 Drop: []corev1.Capability{"ALL"},
 },
From cc6fe515a02db66af68db42d2c8716fab70c9c9a Mon Sep 17 00:00:00 2001
From: Allen Ray
Date: Thu, 24 Jul 2025 11:10:23 -0400
Subject: [PATCH 02/10] Enable in reconciler as well
---
 pkg/controller/registry/reconciler/reconciler.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/pkg/controller/registry/reconciler/reconciler.go b/pkg/controller/registry/reconciler/reconciler.go
index c0ac7d9283..d806493418 100644
--- a/pkg/controller/registry/reconciler/reconciler.go
+++ b/pkg/controller/registry/reconciler/reconciler.go
@@ -191,7 +191,7 @@ func Pod(source *operatorsv1alpha1.CatalogSource, name, opmImg, utilImage, img s
 },
 },
 SecurityContext: &corev1.SecurityContext{
- ReadOnlyRootFilesystem: ptr.To(false),
+ ReadOnlyRootFilesystem: ptr.To(true),
 },
 ImagePullPolicy: image.InferImagePullPolicy(img),
 TerminationMessagePolicy: corev1.TerminationMessageFallbackToLogsOnError,
@@ -361,6 +361,7 @@ func addSecurityContext(pod *corev1.Pod, runAsUser int64) {
 pod.Spec.InitContainers[i].SecurityContext = &corev1.SecurityContext{}
 }
 pod.Spec.InitContainers[i].SecurityContext.AllowPrivilegeEscalation = ptr.To(false)
+ pod.Spec.InitContainers[i].SecurityContext.ReadOnlyRootFilesystem = ptr.To(true)
 pod.Spec.InitContainers[i].SecurityContext.Capabilities = &corev1.Capabilities{
 Drop: []corev1.Capability{"ALL"},
 }
@@ -370,6 +371,7 @@ func addSecurityContext(pod *corev1.Pod, runAsUser int64) {
 pod.Spec.Containers[i].SecurityContext = &corev1.SecurityContext{}
 }
 pod.Spec.Containers[i].SecurityContext.AllowPrivilegeEscalation = ptr.To(false)
+ pod.Spec.InitContainers[i].SecurityContext.ReadOnlyRootFilesystem = ptr.To(true)
 pod.Spec.Containers[i].SecurityContext.Capabilities = &corev1.Capabilities{
 Drop: []corev1.Capability{"ALL"},
 }
From b6a86434a18a173a40863116e60f1f746bb613ed Mon Sep 17 00:00:00 2001
From: Allen Ray
Date: Wed, 30 Jul 2025 13:39:27 -0400
Subject: [PATCH 03/10] Enable in chart templates
---
 .../templates/0000_50_olm_07-olm-operator.deployment.yaml | 5 +++++
 .../0000_50_olm_08-catalog-operator.deployment.yaml | 5 +++++
 deploy/chart/templates/_packageserver.deployment-spec.yaml | 1 +
 3 files changed, 11 insertions(+)
diff --git a/deploy/chart/templates/0000_50_olm_07-olm-operator.deployment.yaml b/deploy/chart/templates/0000_50_olm_07-olm-operator.deployment.yaml
index f2c7bd8ab2..4b2417b65d 100644
--- a/deploy/chart/templates/0000_50_olm_07-olm-operator.deployment.yaml
+++ b/deploy/chart/templates/0000_50_olm_07-olm-operator.deployment.yaml
@@ -35,10 +35,13 @@ spec:
 secret:
 secretName: {{ .Values.olm.clientCASecret }}
 {{- end }}
+ - name: tmpfs
+ emptyDir: {}
 containers:
 - name: olm-operator
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 capabilities:
 drop: [ "ALL" ]
 {{- if or .Values.olm.tlsSecret .Values.olm.clientCASecret }}
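Review bot: In the `Containers` loop (the `@@ -370` hunk) the added line indexes `pod.Spec.InitContainers[i]` instead of `pod.Spec.Containers[i]`, so a pod with more containers than init containers panics with an index out of range, and otherwise the wrong container is written while the intended one is left untouched. It should read `pod.Spec.Containers[i].SecurityContext.ReadOnlyRootFilesystem = ptr.To(true)`; PATCH 04/10 makes exactly that fix, so squash it into this commit so that no intermediate commit in the series panics at runtime. The `Pod()` hunk earlier on this line flips the hard-coded default to true as well, which makes this unconditional assignment redundant for the first container; stating in a comment which of the two sites is authoritative would help the next reader. `addSecurityContext` extends outside both hunks.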
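Review bot: `- name: tmpfs` / `emptyDir: {}` is added unconditionally right after a `{{- end }}`, but the `volumes:` key it belongs to is outside this hunk; if that key is itself rendered under a conditional, the list item has no parent when neither secret is set and the template produces invalid YAML — PATCH 05/10 in this series removes such conditionals, so squash it into this commit so the chart renders at every point of the series. `emptyDir: {}` carries no `sizeLimit`, so the `/tmp` scratch volume can grow until the node's ephemeral storage is exhausted; `emptyDir: { sizeLimit: <SIZE_PLACEHOLDER> }` bounds it. The catalog-operator hunk on the next line has the same shape and the same two points.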
@@ -54,6 +57,8 @@ spec:
 mountPath: "/profile-collector-cert"
 readOnly: true
 {{- end }}
+ - name: tmpfs
+ mountPath: /tmp
 command:
 - /bin/olm
 args:
diff --git a/deploy/chart/templates/0000_50_olm_08-catalog-operator.deployment.yaml b/deploy/chart/templates/0000_50_olm_08-catalog-operator.deployment.yaml
index eea8046cea..4d0632d85c 100644
--- a/deploy/chart/templates/0000_50_olm_08-catalog-operator.deployment.yaml
+++ b/deploy/chart/templates/0000_50_olm_08-catalog-operator.deployment.yaml
@@ -35,10 +35,13 @@ spec:
 secret:
 secretName: {{ .Values.catalog.clientCASecret }}
 {{- end }}
+ - name: tmpfs
+ emptyDir: {}
 containers:
 - name: catalog-operator
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 capabilities:
 drop: [ "ALL" ]
 {{- if or .Values.catalog.tlsSecret .Values.catalog.clientCASecret }}
@@ -54,6 +57,8 @@ spec:
 mountPath: "/profile-collector-cert"
 readOnly: true
 {{- end }}
+ - name: tmpfs
+ mountPath: /tmp
 command:
 - /bin/catalog
 args:
diff --git a/deploy/chart/templates/_packageserver.deployment-spec.yaml b/deploy/chart/templates/_packageserver.deployment-spec.yaml
index ebf710787c..d3c791df4a 100644
--- a/deploy/chart/templates/_packageserver.deployment-spec.yaml
+++ b/deploy/chart/templates/_packageserver.deployment-spec.yaml
@@ -31,6 +31,7 @@ spec:
 - name: packageserver
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 capabilities:
 drop: [ "ALL" ]
 command:
From 0dc6645094c35223406c78019a4149ec1a631715 Mon Sep 17 00:00:00 2001
From: Allen Ray
Date: Mon, 4 Aug 2025 14:30:51 -0400
Subject: [PATCH 04/10] Fix typo
---
 pkg/controller/registry/reconciler/reconciler.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/controller/registry/reconciler/reconciler.go b/pkg/controller/registry/reconciler/reconciler.go
index d806493418..070e887149 100644
--- a/pkg/controller/registry/reconciler/reconciler.go
+++ b/pkg/controller/registry/reconciler/reconciler.go
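Review bot: `packageserver` gets `readOnlyRootFilesystem: true` but, unlike the two operator deployments in this commit, receives no writable `emptyDir`, and the hunk shows nothing about where the binary writes; if it writes to `/tmp` or anywhere else on the image root at runtime, the deployment now fails in a way template rendering will not catch. Either confirm the process needs no writable path and record that next to the `securityContext`, e.g. `# packageserver writes nothing to its root filesystem`, or give it the same `tmpfs` volume and `/tmp` mount the olm-operator and catalog-operator deployments get in this commit.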
@@ -371,7 +371,7 @@ func addSecurityContext(pod *corev1.Pod, runAsUser int64) {
 pod.Spec.Containers[i].SecurityContext = &corev1.SecurityContext{}
 }
 pod.Spec.Containers[i].SecurityContext.AllowPrivilegeEscalation = ptr.To(false)
- pod.Spec.InitContainers[i].SecurityContext.ReadOnlyRootFilesystem = ptr.To(true)
+ pod.Spec.Containers[i].SecurityContext.ReadOnlyRootFilesystem = ptr.To(true)
 pod.Spec.Containers[i].SecurityContext.Capabilities = &corev1.Capabilities{
 Drop: []corev1.Capability{"ALL"},
 }
From a23e1f437586fded45b78663b071f84c63a51539 Mon Sep 17 00:00:00 2001
From: Allen Ray
Date: Tue, 5 Aug 2025 10:20:34 -0400
Subject: [PATCH 05/10] Ensure volumes and volumeMount objects exists
---
 .../templates/0000_50_olm_07-olm-operator.deployment.yaml | 4 ----
 .../templates/0000_50_olm_08-catalog-operator.deployment.yaml | 4 ----
 2 files changed, 8 deletions(-)
diff --git a/deploy/chart/templates/0000_50_olm_07-olm-operator.deployment.yaml b/deploy/chart/templates/0000_50_olm_07-olm-operator.deployment.yaml
index 4b2417b65d..139f295195 100644
--- a/deploy/chart/templates/0000_50_olm_07-olm-operator.deployment.yaml
+++ b/deploy/chart/templates/0000_50_olm_07-olm-operator.deployment.yaml
@@ -22,9 +22,7 @@ spec:
 seccompProfile:
 type: RuntimeDefault
 serviceAccountName: olm-operator-serviceaccount
- {{- if or .Values.olm.tlsSecret .Values.olm.clientCASecret }}
 volumes:
- {{- end }}
 {{- if .Values.olm.tlsSecret }}
 - name: srv-cert
 secret:
@@ -44,9 +42,7 @@ spec:
 readOnlyRootFilesystem: true
 capabilities:
 drop: [ "ALL" ]
- {{- if or .Values.olm.tlsSecret .Values.olm.clientCASecret }}
 volumeMounts:
- {{- end }}
 {{- if .Values.olm.tlsSecret }}
 - name: srv-cert
 mountPath: "/srv-cert"
diff --git a/deploy/chart/templates/0000_50_olm_08-catalog-operator.deployment.yaml b/deploy/chart/templates/0000_50_olm_08-catalog-operator.deployment.yaml
index 4d0632d85c..7b27706a74 100644
--- a/deploy/chart/templates/0000_50_olm_08-catalog-operator.deployment.yaml
+++ b/deploy/chart/templates/0000_50_olm_08-catalog-operator.deployment.yaml
@@ -22,9 +22,7 @@ spec:
 seccompProfile:
 type: RuntimeDefault
 serviceAccountName: olm-operator-serviceaccount
- {{- if or .Values.catalog.tlsSecret .Values.catalog.clientCASecret }}
 volumes:
- {{- end }}
 {{- if .Values.catalog.tlsSecret }}
 - name: srv-cert
 secret:
@@ -44,9 +42,7 @@ spec:
 readOnlyRootFilesystem: true
 capabilities:
 drop: [ "ALL" ]
- {{- if or .Values.catalog.tlsSecret .Values.catalog.clientCASecret }}
 volumeMounts:
- {{- end }}
 {{- if .Values.catalog.tlsSecret }}
 - name: srv-cert
 mountPath: "/srv-cert"
From a70ccda9d9641535a1ae70de55b99974beb124e5 Mon Sep 17 00:00:00 2001
From: Allen Ray
Date: Tue, 5 Aug 2025 10:21:17 -0400
Subject: [PATCH 06/10] Fixing default rorfs for legacy mode and fix tests
---
 pkg/controller/registry/reconciler/reconciler.go | 2 +-
 pkg/controller/registry/reconciler/reconciler_test.go | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/pkg/controller/registry/reconciler/reconciler.go b/pkg/controller/registry/reconciler/reconciler.go
index 070e887149..a9c957163e 100644
--- a/pkg/controller/registry/reconciler/reconciler.go
+++ b/pkg/controller/registry/reconciler/reconciler.go
@@ -191,7 +191,7 @@ func Pod(source *operatorsv1alpha1.CatalogSource, name, opmImg, utilImage, img s
 },
 },
 SecurityContext: &corev1.SecurityContext{
- ReadOnlyRootFilesystem: ptr.To(true),
+ ReadOnlyRootFilesystem: ptr.To(false),
 },
 ImagePullPolicy: image.InferImagePullPolicy(img),
 TerminationMessagePolicy: corev1.TerminationMessageFallbackToLogsOnError,
diff --git a/pkg/controller/registry/reconciler/reconciler_test.go b/pkg/controller/registry/reconciler/reconciler_test.go
index 9b8eed6443..376ce57692 100644
--- a/pkg/controller/registry/reconciler/reconciler_test.go
+++ b/pkg/controller/registry/reconciler/reconciler_test.go
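Review bot: `ReadOnlyRootFilesystem: ptr.To(false)` in `Pod()` now hard-codes a writable root while `addSecurityContext` (PATCH 02/10) unconditionally overwrites the same field with true, so the effective value for a given catalog depends on whether that helper runs, and nothing at this line says so. A why-comment on the literal would carry the intent the subject line only hints at, e.g. `// writable by default for the legacy (root) catalog path; addSecurityContext tightens this where it is applied` — I am inferring the reason from 'Fixing default rorfs for legacy mode', so adjust the wording to what actually holds. `Pod()` continues outside the hunk.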
@@ -1017,7 +1017,7 @@ func TestPodContainerSecurityContext(t *testing.T) { Capabilities: &corev1.Capabilities{ Drop: []corev1.Capability{"ALL"}, }, - ReadOnlyRootFilesystem: ptr.To(false), // Reflecting expected 'restricted' settings + ReadOnlyRootFilesystem: ptr.To(true), // Reflecting expected 'restricted' settings }, expectedSecurityContext: &corev1.PodSecurityContext{ SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault}, @@ -1052,7 +1052,7 @@ func TestPodContainerSecurityContext(t *testing.T) { Capabilities: &corev1.Capabilities{ Drop: []corev1.Capability{"ALL"}, }, - ReadOnlyRootFilesystem: ptr.To(false), + ReadOnlyRootFilesystem: ptr.To(true), }, expectedSecurityContext: &corev1.PodSecurityContext{ SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault}, @@ -1107,7 +1107,7 @@ func TestPodContainerSecurityContext(t *testing.T) { }, namespacePodSecurityConfig: v1alpha1.Legacy, // set to the opposite of the config to catch possible errors expectedContainerSecurityContext: &corev1.SecurityContext{ - ReadOnlyRootFilesystem: ptr.To(false), + ReadOnlyRootFilesystem: ptr.To(true), AllowPrivilegeEscalation: ptr.To(false), Capabilities: &corev1.Capabilities{ Drop: []corev1.Capability{"ALL"}, From e2dd97bad70f0bc24806385998611c263c75e1b7 Mon Sep 17 00:00:00 2001 From: Allen Ray Date: Thu, 7 Aug 2025 09:51:33 -0400 Subject: [PATCH 07/10] Only enable rorfs when running as non-root user --- .../registry/reconciler/reconciler.go | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/pkg/controller/registry/reconciler/reconciler.go b/pkg/controller/registry/reconciler/reconciler.go index a9c957163e..181cbecae9 100644 --- a/pkg/controller/registry/reconciler/reconciler.go +++ b/pkg/controller/registry/reconciler/reconciler.go 
@@ -356,12 +356,22 @@ func Pod(source *operatorsv1alpha1.CatalogSource, name, opmImg, utilImage, img s
 }
 func addSecurityContext(pod *corev1.Pod, runAsUser int64) {
+ pod.Spec.SecurityContext = &corev1.PodSecurityContext{
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ }
+ if runAsUser > 0 {
+ pod.Spec.SecurityContext.RunAsUser = &runAsUser
+ pod.Spec.SecurityContext.RunAsNonRoot = ptr.To(true)
+ }
+
 for i := range pod.Spec.InitContainers {
 if pod.Spec.InitContainers[i].SecurityContext == nil {
 pod.Spec.InitContainers[i].SecurityContext = &corev1.SecurityContext{}
 }
 pod.Spec.InitContainers[i].SecurityContext.AllowPrivilegeEscalation = ptr.To(false)
- pod.Spec.InitContainers[i].SecurityContext.ReadOnlyRootFilesystem = ptr.To(true)
+ pod.Spec.InitContainers[i].SecurityContext.ReadOnlyRootFilesystem = pod.Spec.SecurityContext.RunAsNonRoot
 pod.Spec.InitContainers[i].SecurityContext.Capabilities = &corev1.Capabilities{
 Drop: []corev1.Capability{"ALL"},
 }
@@ -371,21 +381,11 @@ func addSecurityContext(pod *corev1.Pod, runAsUser int64) {
 pod.Spec.Containers[i].SecurityContext = &corev1.SecurityContext{}
 }
 pod.Spec.Containers[i].SecurityContext.AllowPrivilegeEscalation = ptr.To(false)
- pod.Spec.Containers[i].SecurityContext.ReadOnlyRootFilesystem = ptr.To(true)
+ pod.Spec.Containers[i].SecurityContext.ReadOnlyRootFilesystem = pod.Spec.SecurityContext.RunAsNonRoot
 pod.Spec.Containers[i].SecurityContext.Capabilities = &corev1.Capabilities{
 Drop: []corev1.Capability{"ALL"},
 }
 }
-
- pod.Spec.SecurityContext = &corev1.PodSecurityContext{
- SeccompProfile: &corev1.SeccompProfile{
- Type: corev1.SeccompProfileTypeRuntimeDefault,
- },
- }
- if runAsUser > 0 {
- pod.Spec.SecurityContext.RunAsUser = &runAsUser
- pod.Spec.SecurityContext.RunAsNonRoot = ptr.To(true)
- }
 }
 // getDefaultPodContextConfig returns Restricted if the defaultNamespace has the 'pod-security.kubernetes.io/enforce' label set to 'restricted',
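Review bot: `ReadOnlyRootFilesystem = pod.Spec.SecurityContext.RunAsNonRoot` (in both hunks) stores the same `*bool` in the pod-level `RunAsNonRoot` and in every container's `ReadOnlyRootFilesystem`, so a later write through any one of those pointers silently changes all of them, and when `runAsUser` is 0 the field becomes nil (unset) rather than an explicit false, unlike every other site in this series. Assigning a fresh value per container, `pod.Spec.InitContainers[i].SecurityContext.ReadOnlyRootFilesystem = ptr.To(runAsUser > 0)` and likewise in the `Containers` loop, removes the aliasing and makes the root case explicit (the DeepEqual expectations in reconciler_test.go would then need the same value). The coupling itself — read-only root only when the pod runs as non-root — is a policy decision that only the subject line explains; a comment above the first loop stating why the two are tied together is warranted. `addSecurityContext` ends in the second hunk, and the hunk header's `func Pod(...)` label is git's nearest-match context, not the function being edited.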
From 660e0bbcca4bbc163c16d0d34d80ed3645f12944 Mon Sep 17 00:00:00 2001 From: Allen Ray Date: Fri, 8 Aug 2025 13:55:09 -0400 Subject: [PATCH 08/10] Update tests --- .../operators/catalog/operator_test.go | 2 +- .../registry/reconciler/reconciler_test.go | 16 ++++++++++------ 2 files changed, 11 insertions(+), 7 deletions(-) diff --git a/pkg/controller/operators/catalog/operator_test.go b/pkg/controller/operators/catalog/operator_test.go index 00a6e48d9a..5d17ec8b73 100644 --- a/pkg/controller/operators/catalog/operator_test.go +++ b/pkg/controller/operators/catalog/operator_test.go @@ -863,7 +863,7 @@ func TestSyncCatalogSourcesSecurityPolicy(t *testing.T) { RunAsUser: ptr.To(int64(1001)), }, pod.Spec.SecurityContext) require.Equal(t, &corev1.SecurityContext{ - ReadOnlyRootFilesystem: ptr.To(false), + ReadOnlyRootFilesystem: ptr.To(true), AllowPrivilegeEscalation: ptr.To(false), Capabilities: &corev1.Capabilities{ Drop: []corev1.Capability{"ALL"}, diff --git a/pkg/controller/registry/reconciler/reconciler_test.go b/pkg/controller/registry/reconciler/reconciler_test.go index 376ce57692..61adddf891 100644 --- a/pkg/controller/registry/reconciler/reconciler_test.go +++ b/pkg/controller/registry/reconciler/reconciler_test.go @@ -506,7 +506,7 @@ func TestPodExtractContent(t *testing.T) { ObjectMeta: metav1.ObjectMeta{ GenerateName: "test-", Namespace: "testns", - Labels: map[string]string{"olm.pod-spec-hash": "3sDLk8MMNptrqUfdnruY2gUi1g8O4wpMWC6Q52", "olm.managed": "true"}, + Labels: map[string]string{"olm.pod-spec-hash": "2ZOz2dIc08OnA6K8YLykbH5TuFNbwrpktFugq3", "olm.managed": "true"}, Annotations: map[string]string{"cluster-autoscaler.kubernetes.io/safe-to-evict": "true"}, }, Spec: corev1.PodSpec{ 
@@ -553,7 +553,7 @@ func TestPodExtractContent(t *testing.T) { SecurityContext: &corev1.SecurityContext{ Capabilities: &corev1.Capabilities{Drop: []corev1.Capability{"ALL"}}, AllowPrivilegeEscalation: ptr.To(false), - ReadOnlyRootFilesystem: ptr.To(false), + ReadOnlyRootFilesystem: ptr.To(true), }, TerminationMessagePolicy: "FallbackToLogsOnError", }, @@ -589,7 +589,7 @@ func TestPodExtractContent(t *testing.T) { ObjectMeta: metav1.ObjectMeta{ GenerateName: "test-", Namespace: "testns", - Labels: map[string]string{"olm.pod-spec-hash": "1X4YqbfXuc9SB9ztW03WNOyanr9aIhKfijeBHH", "olm.managed": "true"}, + Labels: map[string]string{"olm.pod-spec-hash": "aeGb70iG9mui6QaqbaM6RAJG5fNVrXUjiEzEb7", "olm.managed": "true"}, Annotations: map[string]string{"cluster-autoscaler.kubernetes.io/safe-to-evict": "true"}, }, Spec: corev1.PodSpec{ @@ -612,6 +612,7 @@ func TestPodExtractContent(t *testing.T) { SecurityContext: &corev1.SecurityContext{ Capabilities: &corev1.Capabilities{Drop: []corev1.Capability{"ALL"}}, AllowPrivilegeEscalation: ptr.To(false), + ReadOnlyRootFilesystem: ptr.To(true), }, VolumeMounts: []corev1.VolumeMount{{Name: "utilities", MountPath: "/utilities"}}, TerminationMessagePolicy: "FallbackToLogsOnError", @@ -630,6 +631,7 @@ func TestPodExtractContent(t *testing.T) { SecurityContext: &corev1.SecurityContext{ Capabilities: &corev1.Capabilities{Drop: []corev1.Capability{"ALL"}}, AllowPrivilegeEscalation: ptr.To(false), + ReadOnlyRootFilesystem: ptr.To(true), }, VolumeMounts: []corev1.VolumeMount{ {Name: "utilities", MountPath: "/utilities"}, 
@@ -683,7 +685,7 @@ func TestPodExtractContent(t *testing.T) { SecurityContext: &corev1.SecurityContext{ Capabilities: &corev1.Capabilities{Drop: []corev1.Capability{"ALL"}}, AllowPrivilegeEscalation: ptr.To(false), - ReadOnlyRootFilesystem: ptr.To(false), + ReadOnlyRootFilesystem: ptr.To(true), }, TerminationMessagePolicy: "FallbackToLogsOnError", VolumeMounts: []corev1.VolumeMount{{Name: "catalog-content", MountPath: "/extracted-catalog"}}, @@ -719,7 +721,7 @@ func TestPodExtractContent(t *testing.T) { ObjectMeta: metav1.ObjectMeta{ GenerateName: "test-", Namespace: "testns", - Labels: map[string]string{"olm.pod-spec-hash": "cO4moUo3vz6jZlcoBcxY4BB8o8a4E7m5GXCzI", "olm.managed": "true"}, + Labels: map[string]string{"olm.pod-spec-hash": "bhL1lOcUJhtisRddUp8tRQupbIii64C6qz9drn", "olm.managed": "true"}, Annotations: map[string]string{"cluster-autoscaler.kubernetes.io/safe-to-evict": "true"}, }, Spec: corev1.PodSpec{ @@ -742,6 +744,7 @@ func TestPodExtractContent(t *testing.T) { SecurityContext: &corev1.SecurityContext{ Capabilities: &corev1.Capabilities{Drop: []corev1.Capability{"ALL"}}, AllowPrivilegeEscalation: ptr.To(false), + ReadOnlyRootFilesystem: ptr.To(true), }, VolumeMounts: []corev1.VolumeMount{{Name: "utilities", MountPath: "/utilities"}}, TerminationMessagePolicy: "FallbackToLogsOnError", @@ -758,6 +761,7 @@ func TestPodExtractContent(t *testing.T) { SecurityContext: &corev1.SecurityContext{ Capabilities: &corev1.Capabilities{Drop: []corev1.Capability{"ALL"}}, AllowPrivilegeEscalation: ptr.To(false), + ReadOnlyRootFilesystem: ptr.To(true), }, VolumeMounts: []corev1.VolumeMount{ {Name: "utilities", MountPath: "/utilities"}, 
@@ -811,7 +815,7 @@ func TestPodExtractContent(t *testing.T) {
 SecurityContext: &corev1.SecurityContext{
 Capabilities: &corev1.Capabilities{Drop: []corev1.Capability{"ALL"}},
 AllowPrivilegeEscalation: ptr.To(false),
- ReadOnlyRootFilesystem: ptr.To(false),
+ ReadOnlyRootFilesystem: ptr.To(true),
 },
 TerminationMessagePolicy: "FallbackToLogsOnError",
 VolumeMounts: []corev1.VolumeMount{{Name: "catalog-content", MountPath: "/extracted-catalog"}},
From bc09d7cbe4a04160b69c942adf7351d24d5b258e Mon Sep 17 00:00:00 2001
From: Allen Ray
Date: Mon, 11 Aug 2025 16:52:50 -0400
Subject: [PATCH 09/10] Fix errors
---
 pkg/controller/registry/reconciler/reconciler.go | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/pkg/controller/registry/reconciler/reconciler.go b/pkg/controller/registry/reconciler/reconciler.go
index 181cbecae9..22ca1504d4 100644
--- a/pkg/controller/registry/reconciler/reconciler.go
+++ b/pkg/controller/registry/reconciler/reconciler.go
@@ -293,6 +293,9 @@ func Pod(source *operatorsv1alpha1.CatalogSource, name, opmImg, utilImage, img s
 Args: []string{"/bin/copy-content", fmt.Sprintf("%s/copy-content", utilitiesPath)},
 VolumeMounts: []corev1.VolumeMount{utilitiesVolumeMount},
 TerminationMessagePolicy: corev1.TerminationMessageFallbackToLogsOnError,
+ SecurityContext: &corev1.SecurityContext{
+ ReadOnlyRootFilesystem: ptr.To(true),
+ },
 }, corev1.Container{
 Name: "extract-content",
 Image: img,
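Review bot: The new `SecurityContext` literal on the copy-content init container sets only `ReadOnlyRootFilesystem`; `AllowPrivilegeEscalation` and `Capabilities` are filled in later by `addSecurityContext`, which replaces only a nil context, so the split is correct but invisible at this line — a comment such as `// remaining hardening fields are applied by addSecurityContext` would keep a reader from assuming the init container runs with a partial context. The reason a read-only root is safe here is also unstated; if it is that copy-content writes only into `utilitiesVolumeMount` (its `Args` point at `utilitiesPath` and that is its only mount), say so on the literal. `Pod()` extends outside the hunk.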
@@ -301,8 +304,12 @@ func Pod(source *operatorsv1alpha1.CatalogSource, name, opmImg, utilImage, img s
 Args: extractArgs,
 VolumeMounts: []corev1.VolumeMount{utilitiesVolumeMount, contentVolumeMount},
 TerminationMessagePolicy: corev1.TerminationMessageFallbackToLogsOnError,
+ SecurityContext: &corev1.SecurityContext{
+ ReadOnlyRootFilesystem: ptr.To(true),
+ },
 })
+ pod.Spec.Containers[0].SecurityContext.ReadOnlyRootFilesystem = ptr.To(true)
 pod.Spec.Containers[0].Image = opmImg
 pod.Spec.Containers[0].Command = []string{"/bin/opm"}
 pod.Spec.Containers[0].ImagePullPolicy = image.InferImagePullPolicy(opmImg)
@@ -371,7 +378,6 @@ func addSecurityContext(pod *corev1.Pod, runAsUser int64) {
 pod.Spec.InitContainers[i].SecurityContext = &corev1.SecurityContext{}
 }
 pod.Spec.InitContainers[i].SecurityContext.AllowPrivilegeEscalation = ptr.To(false)
- pod.Spec.InitContainers[i].SecurityContext.ReadOnlyRootFilesystem = pod.Spec.SecurityContext.RunAsNonRoot
 pod.Spec.InitContainers[i].SecurityContext.Capabilities = &corev1.Capabilities{
 Drop: []corev1.Capability{"ALL"},
 }
@@ -381,7 +387,6 @@ func addSecurityContext(pod *corev1.Pod, runAsUser int64) {
 pod.Spec.Containers[i].SecurityContext = &corev1.SecurityContext{}
 }
 pod.Spec.Containers[i].SecurityContext.AllowPrivilegeEscalation = ptr.To(false)
- pod.Spec.Containers[i].SecurityContext.ReadOnlyRootFilesystem = pod.Spec.SecurityContext.RunAsNonRoot
 pod.Spec.Containers[i].SecurityContext.Capabilities = &corev1.Capabilities{
 Drop: []corev1.Capability{"ALL"},
 }
From f21c4440f797400ddaf642cbe1e545a0e4c40bd7 Mon Sep 17 00:00:00 2001
From: Allen Ray
Date: Tue, 12 Aug 2025 09:53:44 -0400
Subject: [PATCH 10/10] Update unit tests
---
 .../operators/catalog/operator_test.go | 2 +-
 .../registry/reconciler/reconciler_test.go | 30 +++++++++++++------
 2 files changed, 22 insertions(+), 10 deletions(-)
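Review bot: `pod.Spec.Containers[0].SecurityContext.ReadOnlyRootFilesystem = ptr.To(true)` dereferences `SecurityContext` with no nil check; it is non-nil today only because the container literal earlier in `Pod()` (the `ReadOnlyRootFilesystem: ptr.To(false)` site touched in PATCH 06/10) initializes it, and that dependency is invisible at this line. Initializing an empty `&corev1.SecurityContext{}` when nil before the assignment, as `addSecurityContext` already does for every container, keeps this path safe against a later change to that literal. With the two deletions in `addSecurityContext` (the `@@ -371` and `@@ -381` hunks) the read-only root is now applied only on this extract-content path while the default `Pod()` container stays writable; the subject 'Fix errors' does not say so, and a comment at the first new line here should, e.g. `// on the extract-content path the catalog is served from contentVolumeMount, so every container can run with a read-only root` if that is indeed the reason. `Pod()` and `addSecurityContext` both extend outside their hunks.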
diff --git a/pkg/controller/operators/catalog/operator_test.go b/pkg/controller/operators/catalog/operator_test.go index 5d17ec8b73..00a6e48d9a 100644 --- a/pkg/controller/operators/catalog/operator_test.go +++ b/pkg/controller/operators/catalog/operator_test.go @@ -863,7 +863,7 @@ func TestSyncCatalogSourcesSecurityPolicy(t *testing.T) { RunAsUser: ptr.To(int64(1001)), }, pod.Spec.SecurityContext) require.Equal(t, &corev1.SecurityContext{ - ReadOnlyRootFilesystem: ptr.To(true), + ReadOnlyRootFilesystem: ptr.To(false), AllowPrivilegeEscalation: ptr.To(false), Capabilities: &corev1.Capabilities{ Drop: []corev1.Capability{"ALL"}, diff --git a/pkg/controller/registry/reconciler/reconciler_test.go b/pkg/controller/registry/reconciler/reconciler_test.go index 61adddf891..6079b8cb6c 100644 --- a/pkg/controller/registry/reconciler/reconciler_test.go +++ b/pkg/controller/registry/reconciler/reconciler_test.go @@ -285,7 +285,7 @@ func TestPodExtractContent(t *testing.T) { ObjectMeta: metav1.ObjectMeta{ GenerateName: "test-", Namespace: "testns", - Labels: map[string]string{"olm.pod-spec-hash": "5MSUJs07MqD3fl9supmPaRNxD9N6tK8Bjo4OFl", "olm.managed": "true"}, + Labels: map[string]string{"olm.pod-spec-hash": "r86WYqCuUPyC9whJJfiyFBVtwoKEghJ74gCQO", "olm.managed": "true"}, Annotations: map[string]string{"cluster-autoscaler.kubernetes.io/safe-to-evict": "true"}, }, Spec: corev1.PodSpec{ @@ -307,6 +307,9 @@ func TestPodExtractContent(t *testing.T) { Args: []string{"/bin/copy-content", "/utilities/copy-content"}, VolumeMounts: []corev1.VolumeMount{{Name: "utilities", MountPath: "/utilities"}}, TerminationMessagePolicy: "FallbackToLogsOnError", + SecurityContext: &corev1.SecurityContext{ + ReadOnlyRootFilesystem: ptr.To(true), + }, }, { Name: "extract-content", 
@@ -324,6 +327,9 @@ func TestPodExtractContent(t *testing.T) { {Name: "catalog-content", MountPath: "/extracted-catalog"}, }, TerminationMessagePolicy: "FallbackToLogsOnError", + SecurityContext: &corev1.SecurityContext{ + ReadOnlyRootFilesystem: ptr.To(true), + }, }, }, Containers: []corev1.Container{ @@ -368,7 +374,7 @@ func TestPodExtractContent(t *testing.T) { }, }, SecurityContext: &corev1.SecurityContext{ - ReadOnlyRootFilesystem: ptr.To(false), + ReadOnlyRootFilesystem: ptr.To(true), }, ImagePullPolicy: image.InferImagePullPolicy("image"), TerminationMessagePolicy: "FallbackToLogsOnError", @@ -400,7 +406,7 @@ func TestPodExtractContent(t *testing.T) { ObjectMeta: metav1.ObjectMeta{ GenerateName: "test-", Namespace: "testns", - Labels: map[string]string{"olm.pod-spec-hash": "b4ns9MTvaRBYOarmuFe6PLYK0r2kxj5Vo06WTU", "olm.managed": "true"}, + Labels: map[string]string{"olm.pod-spec-hash": "5ToGGS7RLuy9Fq91z7IjESOJXfurg09nHAxtfK", "olm.managed": "true"}, Annotations: map[string]string{"cluster-autoscaler.kubernetes.io/safe-to-evict": "true"}, }, Spec: corev1.PodSpec{ @@ -422,6 +428,9 @@ func TestPodExtractContent(t *testing.T) { Args: []string{"/bin/copy-content", "/utilities/copy-content"}, VolumeMounts: []corev1.VolumeMount{{Name: "utilities", MountPath: "/utilities"}}, TerminationMessagePolicy: "FallbackToLogsOnError", + SecurityContext: &corev1.SecurityContext{ + ReadOnlyRootFilesystem: ptr.To(true), + }, }, { Name: "extract-content", @@ -437,6 +446,9 @@ func TestPodExtractContent(t *testing.T) { {Name: "catalog-content", MountPath: "/extracted-catalog"}, }, TerminationMessagePolicy: "FallbackToLogsOnError", + SecurityContext: &corev1.SecurityContext{ + ReadOnlyRootFilesystem: ptr.To(true), + }, }, }, Containers: []corev1.Container{ 
@@ -481,7 +493,7 @@ func TestPodExtractContent(t *testing.T) { }, }, SecurityContext: &corev1.SecurityContext{ - ReadOnlyRootFilesystem: ptr.To(false), + ReadOnlyRootFilesystem: ptr.To(true), }, ImagePullPolicy: image.InferImagePullPolicy("image"), TerminationMessagePolicy: "FallbackToLogsOnError", @@ -506,7 +518,7 @@ func TestPodExtractContent(t *testing.T) { ObjectMeta: metav1.ObjectMeta{ GenerateName: "test-", Namespace: "testns", - Labels: map[string]string{"olm.pod-spec-hash": "2ZOz2dIc08OnA6K8YLykbH5TuFNbwrpktFugq3", "olm.managed": "true"}, + Labels: map[string]string{"olm.pod-spec-hash": "3sDLk8MMNptrqUfdnruY2gUi1g8O4wpMWC6Q52", "olm.managed": "true"}, Annotations: map[string]string{"cluster-autoscaler.kubernetes.io/safe-to-evict": "true"}, }, Spec: corev1.PodSpec{ @@ -553,7 +565,7 @@ func TestPodExtractContent(t *testing.T) { SecurityContext: &corev1.SecurityContext{ Capabilities: &corev1.Capabilities{Drop: []corev1.Capability{"ALL"}}, AllowPrivilegeEscalation: ptr.To(false), - ReadOnlyRootFilesystem: ptr.To(true), + ReadOnlyRootFilesystem: ptr.To(false), }, TerminationMessagePolicy: "FallbackToLogsOnError", }, @@ -1021,7 +1033,7 @@ func TestPodContainerSecurityContext(t *testing.T) { Capabilities: &corev1.Capabilities{ Drop: []corev1.Capability{"ALL"}, }, - ReadOnlyRootFilesystem: ptr.To(true), // Reflecting expected 'restricted' settings + ReadOnlyRootFilesystem: ptr.To(false), // Reflecting expected 'restricted' settings }, expectedSecurityContext: &corev1.PodSecurityContext{ SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault}, @@ -1056,7 +1068,7 @@ func TestPodContainerSecurityContext(t *testing.T) { Capabilities: &corev1.Capabilities{ Drop: []corev1.Capability{"ALL"}, }, - ReadOnlyRootFilesystem: ptr.To(true), + ReadOnlyRootFilesystem: ptr.To(false), }, expectedSecurityContext: &corev1.PodSecurityContext{ SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault}, 
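Review bot: `ReadOnlyRootFilesystem: ptr.To(false), // Reflecting expected 'restricted' settings` now asserts false under a comment that presents the value as a restricted-profile setting; a read-only root is not among what the restricted Pod Security Standard requires, and after PATCH 09/10 `addSecurityContext` no longer touches the field at all, so the value is simply the `Pod()` default. Rewording to `// Pod() default: addSecurityContext does not set ReadOnlyRootFilesystem` keeps the expectation from being read as a policy requirement. The `@@ -1111` hunk on the next line flips the same expectation for the Legacy case and would take the same note.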
@@ -1111,7 +1123,7 @@ func TestPodContainerSecurityContext(t *testing.T) { }, namespacePodSecurityConfig: v1alpha1.Legacy, // set to the opposite of the config to catch possible errors expectedContainerSecurityContext: &corev1.SecurityContext{ - ReadOnlyRootFilesystem: ptr.To(true), + ReadOnlyRootFilesystem: ptr.To(false), AllowPrivilegeEscalation: ptr.To(false), Capabilities: &corev1.Capabilities{ Drop: []corev1.Capability{"ALL"},