From 0e821f230ba6dbd92b82e305b1effd644b88ee72 Mon Sep 17 00:00:00 2001
From: Sebastian Sch <sebassch@gmail.com>
Date: Mon, 11 Mar 2024 15:50:18 +0200
Subject: [PATCH 1/2] small security improvements

* add runAsNonRoot=true
* add readOnlyRootFilesystem=true
* add allowPrivilegeEscalation=false

for the network-resources injector and the operator webhook deployments

Signed-off-by: Sebastian Sch <sebassch@gmail.com>
---
 bindata/manifests/operator-webhook/server.yaml | 5 +++++
 bindata/manifests/webhook/server.yaml          | 7 +++++++
 config/manager/manager.yaml                    | 1 +
 3 files changed, 13 insertions(+)

diff --git a/bindata/manifests/operator-webhook/server.yaml b/bindata/manifests/operator-webhook/server.yaml
index 41cfe6917..188a7f182 100644
--- a/bindata/manifests/operator-webhook/server.yaml
+++ b/bindata/manifests/operator-webhook/server.yaml
@@ -23,6 +23,8 @@ spec:
       labels:
         app: operator-webhook
     spec:
+      securityContext:
+        runAsNonRoot: true
       serviceAccountName: operator-webhook-sa
       priorityClassName: "system-cluster-critical"
       nodeSelector:
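Review bot: The pod-level securityContext added above serviceAccountName sets runAsNonRoot but no seccompProfile, so the pod keeps whatever the runtime's default seccomp is on clusters that do not enable the SeccompDefault feature; `seccompProfile:` / `  type: RuntimeDefault` under the same securityContext is the usual companion to runAsNonRoot and is required by the restricted Pod Security Standard. Without a runAsUser the UID is left to the image, and the kubelet refuses to start the container when the image declares no numeric user, so this line depends on the Dockerfile change in the second patch being the image this deployment actually pulls, which I cannot confirm from the hunk. The pod spec continues past the hunk.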
@@ -76,6 +78,9 @@ spec:
               fieldPath: metadata.namespace
         - name: DEV_MODE
           value: "{{.DevMode}}"
+        securityContext:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
         resources:
           requests:
             cpu: 10m
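Review bot: The container securityContext added after DEV_MODE removes privilege escalation and the writable root but keeps the runtime's default capability set, so the process still starts with NET_RAW, CHOWN, SETUID and the rest; a webhook that only serves TLS needs none of them, so add `capabilities:` / `  drop: ["ALL"]` beneath allowPrivilegeEscalation. With readOnlyRootFilesystem the binary can no longer write anywhere under / except mounted volumes; if it writes temporary files or rendered certificates elsewhere it will fail with EROFS and needs an emptyDir, which the hunk does not show and I cannot confirm. The container spec continues outside the hunk.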
diff --git a/bindata/manifests/webhook/server.yaml b/bindata/manifests/webhook/server.yaml
index bf5739ac7..659f71b7e 100644
--- a/bindata/manifests/webhook/server.yaml
+++ b/bindata/manifests/webhook/server.yaml
@@ -26,6 +26,8 @@ spec:
         type: infra
         openshift.io/component: network
     spec:
+      securityContext:
+        runAsNonRoot: true
       serviceAccountName: network-resources-injector-sa
       priorityClassName: "system-cluster-critical"
       nodeSelector:
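Review bot: runAsNonRoot: true is enforced by the kubelet against the UID the container would start as, and this deployment runs the network-resources-injector image, which this series does not rebuild (the second patch touches only Dockerfile.webhook); if that image declares no numeric USER the pod will sit in CreateContainerConfigError rather than run hardened. Either confirm the injector image sets a numeric non-root user or pin one here with `runAsUser: 1001` (or whatever UID that image expects) next to runAsNonRoot. A `seccompProfile:` / `  type: RuntimeDefault` stanza would also belong in this pod-level securityContext. The pod spec continues past the hunk.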
@@ -71,11 +73,16 @@ spec:
         - -tls-private-key-file=/etc/tls/tls.key
         - -tls-cert-file=/etc/tls/tls.crt
         - -insecure=true
+        - -logtostderr=true
+        - -alsologtostderr=true
         env:
         - name: NAMESPACE
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
+        securityContext:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
         resources:
           requests:
             cpu: 10m
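Review bot: `-alsologtostderr=true` is redundant next to `-logtostderr=true`: with glog-style flags logtostderr already routes everything to stderr and suppresses file logging, while alsologtostderr only adds stderr output on top of files, so the second line can go (keep `-logtostderr=true`, which is the one that stops the injector writing log files to the temp directory on the now read-only root). The new container securityContext still keeps the default capability set; add `capabilities:` / `  drop: ["ALL"]` under allowPrivilegeEscalation. The pre-existing `-insecure=true` two lines above is not touched by this commit but looks out of place in a hardening patch and is worth a follow-up to confirm what it disables. The container spec continues outside the hunk.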
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
index 79adfe72a..586fa3f17 100644
--- a/config/manager/manager.yaml
+++ b/config/manager/manager.yaml
@@ -33,6 +33,7 @@ spec:
         name: manager
         securityContext:
           allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
         livenessProbe:
           httpGet:
             path: /healthz
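Review bot: readOnlyRootFilesystem: true on the manager container is only safe if the controller never writes under its root; if it caches or renders anything to /tmp or its working directory it will now fail at runtime with EROFS, and the hunk adds no emptyDir to cover that, so please confirm against the manager's code or add an emptyDir at /tmp. This container securityContext also still lacks `runAsNonRoot: true` and `capabilities:` / `  drop: ["ALL"]`, whereas the two webhook manifests in the same patch at least get runAsNonRoot; making the three consistent is a one-line addition each. The container spec continues outside the hunk.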

From bd6940919becae16367adc67b1ff9162577f2948 Mon Sep 17 00:00:00 2001
From: Sebastian Sch <sebassch@gmail.com>
Date: Wed, 13 Mar 2024 14:24:44 +0200
Subject: [PATCH 2/2] change operator webhook image to non root user

Signed-off-by: Sebastian Sch <sebassch@gmail.com>
---
 Dockerfile.webhook | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Dockerfile.webhook b/Dockerfile.webhook
index 2ea2c006d..7aa026e73 100644
--- a/Dockerfile.webhook
+++ b/Dockerfile.webhook
@@ -6,5 +6,6 @@ RUN make _build-webhook BIN_PATH=build/_output/cmd
 FROM quay.io/centos/centos:stream9
 LABEL io.k8s.display-name="sriov-network-webhook" \
       io.k8s.description="This is an admission controller webhook that mutates and validates customer resources of sriov network operator."
+USER 1001
 COPY --from=builder /go/src/github.com/k8snetworkplumbingwg/sriov-network-operator/build/_output/cmd/webhook /usr/bin/webhook
 CMD ["/usr/bin/webhook"]
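Review bot: `USER 1001` is a numeric UID with no matching /etc/passwd entry in centos:stream9, which is exactly what runAsNonRoot needs (the kubelet cannot resolve a user name), but it also means HOME is unset and getpwuid-style lookups fail; a static Go binary is normally fine with that, so I would only document it on the line, `# numeric UID so the kubelet can verify runAsNonRoot; no passwd entry exists`. Placing USER before the COPY is harmless, since COPY runs as root regardless of USER and leaves /usr/bin/webhook root-owned, which is what you want together with a read-only root filesystem, but convention is to keep USER as the last instruction before CMD so the privilege drop is visible at the end of the file.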