diff --git a/config/core/configmaps/features.yaml b/config/core/configmaps/features.yaml
index a0f459d502ed..530d1d0a168f 100644
--- a/config/core/configmaps/features.yaml
+++ b/config/core/configmaps/features.yaml
@@ -22,7 +22,7 @@ metadata:
 app.kubernetes.io/component: controller
 app.kubernetes.io/version: devel
 annotations:
- knative.dev/example-checksum: "b08d16b1"
+ knative.dev/example-checksum: "43e1a61b"
 data:
 _example: |-
 ################################
@@ -40,10 +40,10 @@ data:
 # this example block and unindented to be in the data block # to actually change the configuration.
- # Default SecurityContext settings to secure-by-default values
- # if unset.
- #
 # Indicates whether secure-pod-defaults support is enabled
+
+ # WARNING: Cannot safely be disabled once enabled.
+ # See: TBD
 secure-pod-defaults: "enabled"
 # Indicates whether multi container support is enabled
diff --git a/pkg/apis/config/features.go b/pkg/apis/config/features.go
index 32b7345a8c08..60e82bda8558 100644
--- a/pkg/apis/config/features.go
+++ b/pkg/apis/config/features.go
@@ -71,7 +71,7 @@ func defaultFeaturesConfig() *Features {
 PodSpecInitContainers: Disabled,
 PodSpecDNSPolicy: Disabled,
 PodSpecDNSConfig: Disabled,
- SecurePodDefaults: Disabled,
+ SecurePodDefaults: Enabled,
 TagHeaderBasedRouting: Disabled,
 AutoDetectHTTP2: Disabled,
 }
diff --git a/pkg/apis/serving/fieldmask_test.go b/pkg/apis/serving/fieldmask_test.go
index 5e957bb92521..02cc4af0da2e 100644
--- a/pkg/apis/serving/fieldmask_test.go
+++ b/pkg/apis/serving/fieldmask_test.go
@@ -719,7 +719,11 @@ func TestPodSecurityContextMask(t *testing.T) {
 },
 }
- want := &corev1.PodSecurityContext{}
+ want := &corev1.PodSecurityContext{
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ }
 ctx := context.Background()
 got := PodSecurityContextMask(ctx, in)
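Review bot: `# See: TBD` leaves an unresolved placeholder in the operator-facing ConfigMap example, and the hunk also drops the only sentence that said what `secure-pod-defaults` does, so the remaining text is a warning with no context. Either replace the line with a concrete reference or remove it, and restore a one-line description that the test fixtures in this commit support, e.g. `# Applies secure-by-default container SecurityContext settings (drop ALL capabilities, allowPrivilegeEscalation=false, RuntimeDefault seccomp) where the user sets none.` The warning would also be more useful if it said what "cannot safely be disabled" means for an operator; presumably revisions already defaulted keep those fields while later ones would not, but the hunk does not say, so the author should state the actual consequence.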
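Review bot: Flipping `SecurePodDefaults` to `Enabled` changes behaviour for every installation that never set `secure-pod-defaults`, and the ConfigMap text in the same commit says the flag cannot safely be disabled once on, so this one-line change is effectively a one-way migration with nothing at the call site saying so. I would annotate it, `SecurePodDefaults: Enabled, // on by default; see the warning in config/core/configmaps/features.yaml - not safely reverted once enabled`, and make sure the release notes carry the same point. `defaultFeaturesConfig` starts outside the hunk, and nothing visible here shows how an explicit `disabled` set by an operator before the upgrade is treated, which is worth confirming and documenting alongside.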
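Review bot: The new expectation only pins `SeccompProfile.Type`; nothing in the hunk shows whether `PodSecurityContextMask` also lets `LocalhostProfile` through, and that choice decides whether a user can point the pod at a node-local seccomp profile rather than only the runtime default. A second case in `TestPodSecurityContextMask` with `Type: corev1.SeccompProfileTypeLocalhost` and a non-nil `LocalhostProfile` in `in` would pin the mask's behaviour either way. The `in` fixture and the rest of the test function are outside the hunk.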
diff --git a/pkg/apis/serving/v1/configuration_defaults_test.go b/pkg/apis/serving/v1/configuration_defaults_test.go index ae6e8d9058e3..6a8a96b91a7f 100644 --- a/pkg/apis/serving/v1/configuration_defaults_test.go +++ b/pkg/apis/serving/v1/configuration_defaults_test.go @@ -76,6 +76,24 @@ func TestConfigurationDefaulting(t *testing.T) { Image: "busybox", Resources: defaultResources, ReadinessProbe: defaultProbe, + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + Privileged: nil, + SELinuxOptions: nil, + RunAsUser: nil, + RunAsNonRoot: nil, + ReadOnlyRootFilesystem: nil, + AllowPrivilegeEscalation: ptr.Bool(false), + RunAsGroup: nil, + ProcMount: nil, + WindowsOptions: nil, + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + LocalhostProfile: nil, + }, + }, }}, }, TimeoutSeconds: ptr.Int64(config.DefaultRevisionTimeoutSeconds), @@ -111,6 +129,24 @@ func TestConfigurationDefaulting(t *testing.T) { Image: "busybox", Resources: defaultResources, ReadinessProbe: defaultProbe, + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + Privileged: nil, + SELinuxOptions: nil, + RunAsUser: nil, + RunAsNonRoot: nil, + ReadOnlyRootFilesystem: nil, + AllowPrivilegeEscalation: ptr.Bool(false), + RunAsGroup: nil, + ProcMount: nil, + WindowsOptions: nil, + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + LocalhostProfile: nil, + }, + }, }}, }, TimeoutSeconds: ptr.Int64(config.DefaultRevisionTimeoutSeconds), 
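Review bot: The same 18-line `SecurityContext` literal is pasted into every `want` fixture of this hunk and of every following hunk in configuration_defaults_test.go, revision_defaults_test.go and service_defaults_test.go (all package v1), and nine of its fields are explicit `nil`, which is the zero value and adds nothing. Since these files already share `defaultResources` and `defaultProbe`, the expected context belongs in one package-level fixture next to them, after which each site reduces to `SecurityContext: defaultSecurityContext,`. One fixture also makes the intended policy readable at a glance and gives the defaulter's next change a single place to update. `TestConfigurationDefaulting` starts and ends outside the hunk.
```go
// defaultSecurityContext is the container SecurityContext that secure-pod-defaults
// applies when the user sets none; shared by the *_defaults_test.go fixtures.
var defaultSecurityContext = &corev1.SecurityContext{
	Capabilities: &corev1.Capabilities{
		Drop: []corev1.Capability{"ALL"},
	},
	AllowPrivilegeEscalation: ptr.Bool(false),
	SeccompProfile: &corev1.SeccompProfile{
		Type: corev1.SeccompProfileTypeRuntimeDefault,
	},
}

// … unchanged: each want fixture, with the literal replaced by …
SecurityContext: defaultSecurityContext,
```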
@@ -148,6 +184,24 @@ func TestConfigurationDefaulting(t *testing.T) { Image: "busybox", Resources: defaultResources, ReadinessProbe: defaultProbe, + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + Privileged: nil, + SELinuxOptions: nil, + RunAsUser: nil, + RunAsNonRoot: nil, + ReadOnlyRootFilesystem: nil, + AllowPrivilegeEscalation: ptr.Bool(false), + RunAsGroup: nil, + ProcMount: nil, + WindowsOptions: nil, + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + LocalhostProfile: nil, + }, + }, }}, }, TimeoutSeconds: ptr.Int64(60), diff --git a/pkg/apis/serving/v1/revision_defaults_test.go b/pkg/apis/serving/v1/revision_defaults_test.go index 332fecfb4d9d..e97e096901bb 100644 --- a/pkg/apis/serving/v1/revision_defaults_test.go +++ b/pkg/apis/serving/v1/revision_defaults_test.go @@ -91,6 +91,24 @@ func TestRevisionDefaulting(t *testing.T) { Name: config.DefaultUserContainerName, Resources: defaultResources, ReadinessProbe: defaultProbe, + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + Privileged: nil, + SELinuxOptions: nil, + RunAsUser: nil, + RunAsNonRoot: nil, + ReadOnlyRootFilesystem: nil, + AllowPrivilegeEscalation: ptr.Bool(false), + RunAsGroup: nil, + ProcMount: nil, + WindowsOptions: nil, + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + LocalhostProfile: nil, + }, + }, }}, }, }, 
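Review bot: The expected context in the `-91,6 +91,24` hunk pins `RunAsNonRoot: nil` and `ReadOnlyRootFilesystem: nil`, so the defaults deliberately stop short of the restricted Pod Security Standard, which also requires `runAsNonRoot: true`; a reader comparing against that standard will otherwise read the nils as an omission. A comment on the fixture would make the intent explicit, e.g. `// RunAsNonRoot and ReadOnlyRootFilesystem stay unset on purpose, presumably because the defaulter cannot know the image's user or writable paths; restricted-PSS compliance still needs those from the user.` The reasoning is inferred from the fixture and should be confirmed against the defaulter, which is not in this diff. `TestRevisionDefaulting` starts and ends outside the hunk.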
@@ -123,6 +141,24 @@ func TestRevisionDefaulting(t *testing.T) { Name: config.DefaultUserContainerName, Resources: defaultResources, ReadinessProbe: defaultProbe, + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + Privileged: nil, + SELinuxOptions: nil, + RunAsUser: nil, + RunAsNonRoot: nil, + ReadOnlyRootFilesystem: nil, + AllowPrivilegeEscalation: ptr.Bool(false), + RunAsGroup: nil, + ProcMount: nil, + WindowsOptions: nil, + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + LocalhostProfile: nil, + }, + }, }}, }, }, @@ -158,6 +194,24 @@ func TestRevisionDefaulting(t *testing.T) { Name: config.DefaultUserContainerName, Resources: defaultResources, ReadinessProbe: defaultProbe, + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + Privileged: nil, + SELinuxOptions: nil, + RunAsUser: nil, + RunAsNonRoot: nil, + ReadOnlyRootFilesystem: nil, + AllowPrivilegeEscalation: ptr.Bool(false), + RunAsGroup: nil, + ProcMount: nil, + WindowsOptions: nil, + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + LocalhostProfile: nil, + }, + }, }}, EnableServiceLinks: ptr.Bool(true), }, @@ -189,6 +243,24 @@ func TestRevisionDefaulting(t *testing.T) { Name: config.DefaultUserContainerName, Resources: defaultResources, ReadinessProbe: defaultProbe, + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + Privileged: nil, + SELinuxOptions: nil, + RunAsUser: nil, + RunAsNonRoot: nil, + ReadOnlyRootFilesystem: nil, + AllowPrivilegeEscalation: ptr.Bool(false), + RunAsGroup: nil, + ProcMount: nil, + WindowsOptions: nil, + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + LocalhostProfile: nil, + }, + }, }}, EnableServiceLinks: ptr.Bool(true), }, 
@@ -220,6 +292,24 @@ func TestRevisionDefaulting(t *testing.T) { Name: config.DefaultUserContainerName, Resources: defaultResources, ReadinessProbe: defaultProbe, + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + Privileged: nil, + SELinuxOptions: nil, + RunAsUser: nil, + RunAsNonRoot: nil, + ReadOnlyRootFilesystem: nil, + AllowPrivilegeEscalation: ptr.Bool(false), + RunAsGroup: nil, + ProcMount: nil, + WindowsOptions: nil, + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + LocalhostProfile: nil, + }, + }, }}, EnableServiceLinks: ptr.Bool(false), }, @@ -254,6 +344,24 @@ func TestRevisionDefaulting(t *testing.T) { Name: config.DefaultUserContainerName, Resources: defaultResources, ReadinessProbe: defaultProbe, + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + Privileged: nil, + SELinuxOptions: nil, + RunAsUser: nil, + RunAsNonRoot: nil, + ReadOnlyRootFilesystem: nil, + AllowPrivilegeEscalation: ptr.Bool(false), + RunAsGroup: nil, + ProcMount: nil, + WindowsOptions: nil, + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + LocalhostProfile: nil, + }, + }, }}, EnableServiceLinks: ptr.Bool(false), }, @@ -289,6 +397,24 @@ func TestRevisionDefaulting(t *testing.T) { }}, Resources: defaultResources, ReadinessProbe: defaultProbe, + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + Privileged: nil, + SELinuxOptions: nil, + RunAsUser: nil, + RunAsNonRoot: nil, + ReadOnlyRootFilesystem: nil, + AllowPrivilegeEscalation: ptr.Bool(false), + RunAsGroup: nil, + ProcMount: nil, + WindowsOptions: nil, + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + LocalhostProfile: nil, + }, + }, }}, }, ContainerConcurrency: ptr.Int64(1), 
@@ -322,6 +448,24 @@ func TestRevisionDefaulting(t *testing.T) { Name: config.DefaultUserContainerName, Resources: defaultResources, ReadinessProbe: defaultProbe, + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + Privileged: nil, + SELinuxOptions: nil, + RunAsUser: nil, + RunAsNonRoot: nil, + ReadOnlyRootFilesystem: nil, + AllowPrivilegeEscalation: ptr.Bool(false), + RunAsGroup: nil, + ProcMount: nil, + WindowsOptions: nil, + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + LocalhostProfile: nil, + }, + }, }}, }, }, @@ -362,6 +506,24 @@ func TestRevisionDefaulting(t *testing.T) { }, }, }, + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + Privileged: nil, + SELinuxOptions: nil, + RunAsUser: nil, + RunAsNonRoot: nil, + ReadOnlyRootFilesystem: nil, + AllowPrivilegeEscalation: ptr.Bool(false), + RunAsGroup: nil, + ProcMount: nil, + WindowsOptions: nil, + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + LocalhostProfile: nil, + }, + }, }}, }, }, @@ -399,6 +561,24 @@ func TestRevisionDefaulting(t *testing.T) { }, }, }, + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + Privileged: nil, + SELinuxOptions: nil, + RunAsUser: nil, + RunAsNonRoot: nil, + ReadOnlyRootFilesystem: nil, + AllowPrivilegeEscalation: ptr.Bool(false), + RunAsGroup: nil, + ProcMount: nil, + WindowsOptions: nil, + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + LocalhostProfile: nil, + }, + }, }}, }, }, 
@@ -430,6 +610,24 @@ func TestRevisionDefaulting(t *testing.T) { SuccessThreshold: 1, TimeoutSeconds: 1, // Added as k8s default }, + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + Privileged: nil, + SELinuxOptions: nil, + RunAsUser: nil, + RunAsNonRoot: nil, + ReadOnlyRootFilesystem: nil, + AllowPrivilegeEscalation: ptr.Bool(false), + RunAsGroup: nil, + ProcMount: nil, + WindowsOptions: nil, + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + LocalhostProfile: nil, + }, + }, Resources: defaultResources, }}, }, @@ -452,6 +650,24 @@ func TestRevisionDefaulting(t *testing.T) { Name: config.DefaultUserContainerName, Resources: defaultResources, ReadinessProbe: defaultProbe, + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + Privileged: nil, + SELinuxOptions: nil, + RunAsUser: nil, + RunAsNonRoot: nil, + ReadOnlyRootFilesystem: nil, + AllowPrivilegeEscalation: ptr.Bool(false), + RunAsGroup: nil, + ProcMount: nil, + WindowsOptions: nil, + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + LocalhostProfile: nil, + }, + }, }}, }, }, @@ -503,6 +719,24 @@ func TestRevisionDefaulting(t *testing.T) { }, }, ReadinessProbe: defaultProbe, + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + Privileged: nil, + SELinuxOptions: nil, + RunAsUser: nil, + RunAsNonRoot: nil, + ReadOnlyRootFilesystem: nil, + AllowPrivilegeEscalation: ptr.Bool(false), + RunAsGroup: nil, + ProcMount: nil, + WindowsOptions: nil, + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + LocalhostProfile: nil, + }, + }, }}, }, }, 
@@ -532,12 +766,48 @@ func TestRevisionDefaulting(t *testing.T) { Name: "busybox", Resources: defaultResources, ReadinessProbe: defaultProbe, + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + Privileged: nil, + SELinuxOptions: nil, + RunAsUser: nil, + RunAsNonRoot: nil, + ReadOnlyRootFilesystem: nil, + AllowPrivilegeEscalation: ptr.Bool(false), + RunAsGroup: nil, + ProcMount: nil, + WindowsOptions: nil, + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + LocalhostProfile: nil, + }, + }, Ports: []corev1.ContainerPort{{ ContainerPort: 8888, }}, }, { Name: "helloworld", Resources: defaultResources, + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + Privileged: nil, + SELinuxOptions: nil, + RunAsUser: nil, + RunAsNonRoot: nil, + ReadOnlyRootFilesystem: nil, + AllowPrivilegeEscalation: ptr.Bool(false), + RunAsGroup: nil, + ProcMount: nil, + WindowsOptions: nil, + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + LocalhostProfile: nil, + }, + }, }}, }, }, 
@@ -578,31 +848,175 @@ func TestRevisionDefaulting(t *testing.T) { Containers: []corev1.Container{{ Name: "user-container-1", Resources: defaultResources, + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + Privileged: nil, + SELinuxOptions: nil, + RunAsUser: nil, + RunAsNonRoot: nil, + ReadOnlyRootFilesystem: nil, + AllowPrivilegeEscalation: ptr.Bool(false), + RunAsGroup: nil, + ProcMount: nil, + WindowsOptions: nil, + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + LocalhostProfile: nil, + }, + }, }, { Name: "user-container-0", Resources: defaultResources, ReadinessProbe: defaultProbe, + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + Privileged: nil, + SELinuxOptions: nil, + RunAsUser: nil, + RunAsNonRoot: nil, + ReadOnlyRootFilesystem: nil, + AllowPrivilegeEscalation: ptr.Bool(false), + RunAsGroup: nil, + ProcMount: nil, + WindowsOptions: nil, + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + LocalhostProfile: nil, + }, + }, Ports: []corev1.ContainerPort{{ ContainerPort: 8888, }}, }, { Name: "user-container-3", Resources: defaultResources, + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + Privileged: nil, + SELinuxOptions: nil, + RunAsUser: nil, + RunAsNonRoot: nil, + ReadOnlyRootFilesystem: nil, + AllowPrivilegeEscalation: ptr.Bool(false), + RunAsGroup: nil, + ProcMount: nil, + WindowsOptions: nil, + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + LocalhostProfile: nil, + }, + }, }, { Name: "user-container-2", Resources: defaultResources, + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + Privileged: nil, + SELinuxOptions: nil, + RunAsUser: 
nil, + RunAsNonRoot: nil, + ReadOnlyRootFilesystem: nil, + AllowPrivilegeEscalation: ptr.Bool(false), + RunAsGroup: nil, + ProcMount: nil, + WindowsOptions: nil, + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + LocalhostProfile: nil, + }, + }, }, { Name: "user-container-5", Resources: defaultResources, + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + Privileged: nil, + SELinuxOptions: nil, + RunAsUser: nil, + RunAsNonRoot: nil, + ReadOnlyRootFilesystem: nil, + AllowPrivilegeEscalation: ptr.Bool(false), + RunAsGroup: nil, + ProcMount: nil, + WindowsOptions: nil, + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + LocalhostProfile: nil, + }, + }, }, { Name: "user-container-6", Resources: defaultResources, + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + Privileged: nil, + SELinuxOptions: nil, + RunAsUser: nil, + RunAsNonRoot: nil, + ReadOnlyRootFilesystem: nil, + AllowPrivilegeEscalation: ptr.Bool(false), + RunAsGroup: nil, + ProcMount: nil, + WindowsOptions: nil, + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + LocalhostProfile: nil, + }, + }, }, { Name: "user-container-7", Resources: defaultResources, + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + Privileged: nil, + SELinuxOptions: nil, + RunAsUser: nil, + RunAsNonRoot: nil, + ReadOnlyRootFilesystem: nil, + AllowPrivilegeEscalation: ptr.Bool(false), + RunAsGroup: nil, + ProcMount: nil, + WindowsOptions: nil, + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + LocalhostProfile: nil, + }, + }, }, { Name: "user-container-4", Resources: defaultResources, + SecurityContext: &corev1.SecurityContext{ + Capabilities: 
&corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + Privileged: nil, + SELinuxOptions: nil, + RunAsUser: nil, + RunAsNonRoot: nil, + ReadOnlyRootFilesystem: nil, + AllowPrivilegeEscalation: ptr.Bool(false), + RunAsGroup: nil, + ProcMount: nil, + WindowsOptions: nil, + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + LocalhostProfile: nil, + }, + }, }}, }, }, 
@@ -661,17 +1075,89 @@ func TestRevisionDefaulting(t *testing.T) { Name: "busybox", Resources: defaultResources, ReadinessProbe: defaultProbe, + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + Privileged: nil, + SELinuxOptions: nil, + RunAsUser: nil, + RunAsNonRoot: nil, + ReadOnlyRootFilesystem: nil, + AllowPrivilegeEscalation: ptr.Bool(false), + RunAsGroup: nil, + ProcMount: nil, + WindowsOptions: nil, + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + LocalhostProfile: nil, + }, + }, Ports: []corev1.ContainerPort{{ ContainerPort: 8888, }}, }, { Name: "helloworld", Resources: defaultResources, + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + Privileged: nil, + SELinuxOptions: nil, + RunAsUser: nil, + RunAsNonRoot: nil, + ReadOnlyRootFilesystem: nil, + AllowPrivilegeEscalation: ptr.Bool(false), + RunAsGroup: nil, + ProcMount: nil, + WindowsOptions: nil, + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + LocalhostProfile: nil, + }, + }, }}, InitContainers: []corev1.Container{{ Name: "init1", + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + Privileged: nil, + SELinuxOptions: nil, + RunAsUser: nil, + RunAsNonRoot: nil, + ReadOnlyRootFilesystem: nil, + AllowPrivilegeEscalation: ptr.Bool(false), + RunAsGroup: nil, + ProcMount: nil, + WindowsOptions: nil, + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + LocalhostProfile: nil, + }, + }, }, { Name: "init2", + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + Privileged: nil, + SELinuxOptions: nil, + RunAsUser: nil, + RunAsNonRoot: nil, + ReadOnlyRootFilesystem: nil, + AllowPrivilegeEscalation: 
ptr.Bool(false), + RunAsGroup: nil, + ProcMount: nil, + WindowsOptions: nil, + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + LocalhostProfile: nil, + }, + }, }}, }, }, 
@@ -710,21 +1196,129 @@ func TestRevisionDefaulting(t *testing.T) { Name: "busybox", Resources: defaultResources, ReadinessProbe: defaultProbe, + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + Privileged: nil, + SELinuxOptions: nil, + RunAsUser: nil, + RunAsNonRoot: nil, + ReadOnlyRootFilesystem: nil, + AllowPrivilegeEscalation: ptr.Bool(false), + RunAsGroup: nil, + ProcMount: nil, + WindowsOptions: nil, + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + LocalhostProfile: nil, + }, + }, Ports: []corev1.ContainerPort{{ ContainerPort: 8888, }}, }, { Name: "helloworld", Resources: defaultResources, + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + Privileged: nil, + SELinuxOptions: nil, + RunAsUser: nil, + RunAsNonRoot: nil, + ReadOnlyRootFilesystem: nil, + AllowPrivilegeEscalation: ptr.Bool(false), + RunAsGroup: nil, + ProcMount: nil, + WindowsOptions: nil, + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + LocalhostProfile: nil, + }, + }, }}, InitContainers: []corev1.Container{{ Name: "init1", + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + Privileged: nil, + SELinuxOptions: nil, + RunAsUser: nil, + RunAsNonRoot: nil, + ReadOnlyRootFilesystem: nil, + AllowPrivilegeEscalation: ptr.Bool(false), + RunAsGroup: nil, + ProcMount: nil, + WindowsOptions: nil, + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + LocalhostProfile: nil, + }, + }, }, { Name: "init2", + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + Privileged: nil, + SELinuxOptions: nil, + RunAsUser: nil, + RunAsNonRoot: nil, + ReadOnlyRootFilesystem: nil, + AllowPrivilegeEscalation: 
ptr.Bool(false), + RunAsGroup: nil, + ProcMount: nil, + WindowsOptions: nil, + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + LocalhostProfile: nil, + }, + }, }, { Name: "init-container-0", + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + Privileged: nil, + SELinuxOptions: nil, + RunAsUser: nil, + RunAsNonRoot: nil, + ReadOnlyRootFilesystem: nil, + AllowPrivilegeEscalation: ptr.Bool(false), + RunAsGroup: nil, + ProcMount: nil, + WindowsOptions: nil, + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + LocalhostProfile: nil, + }, + }, }, { Name: "init-container-1", + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + Privileged: nil, + SELinuxOptions: nil, + RunAsUser: nil, + RunAsNonRoot: nil, + ReadOnlyRootFilesystem: nil, + AllowPrivilegeEscalation: ptr.Bool(false), + RunAsGroup: nil, + ProcMount: nil, + WindowsOptions: nil, + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + LocalhostProfile: nil, + }, + }, }}, }, }, 
@@ -763,21 +1357,129 @@ func TestRevisionDefaulting(t *testing.T) { Name: "user-container-0", Resources: defaultResources, ReadinessProbe: defaultProbe, + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + Privileged: nil, + SELinuxOptions: nil, + RunAsUser: nil, + RunAsNonRoot: nil, + ReadOnlyRootFilesystem: nil, + AllowPrivilegeEscalation: ptr.Bool(false), + RunAsGroup: nil, + ProcMount: nil, + WindowsOptions: nil, + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + LocalhostProfile: nil, + }, + }, Ports: []corev1.ContainerPort{{ ContainerPort: 8888, }}, }, { Name: "user-container-1", Resources: defaultResources, + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + Privileged: nil, + SELinuxOptions: nil, + RunAsUser: nil, + RunAsNonRoot: nil, + ReadOnlyRootFilesystem: nil, + AllowPrivilegeEscalation: ptr.Bool(false), + RunAsGroup: nil, + ProcMount: nil, + WindowsOptions: nil, + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + LocalhostProfile: nil, + }, + }, }}, InitContainers: []corev1.Container{{ Name: "init1", + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + Privileged: nil, + SELinuxOptions: nil, + RunAsUser: nil, + RunAsNonRoot: nil, + ReadOnlyRootFilesystem: nil, + AllowPrivilegeEscalation: ptr.Bool(false), + RunAsGroup: nil, + ProcMount: nil, + WindowsOptions: nil, + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + LocalhostProfile: nil, + }, + }, }, { Name: "init2", + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + Privileged: nil, + SELinuxOptions: nil, + RunAsUser: nil, + RunAsNonRoot: nil, + ReadOnlyRootFilesystem: nil, + 
AllowPrivilegeEscalation: ptr.Bool(false), + RunAsGroup: nil, + ProcMount: nil, + WindowsOptions: nil, + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + LocalhostProfile: nil, + }, + }, }, { Name: "init-container-0", + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + Privileged: nil, + SELinuxOptions: nil, + RunAsUser: nil, + RunAsNonRoot: nil, + ReadOnlyRootFilesystem: nil, + AllowPrivilegeEscalation: ptr.Bool(false), + RunAsGroup: nil, + ProcMount: nil, + WindowsOptions: nil, + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + LocalhostProfile: nil, + }, + }, }, { Name: "init-container-1", + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + Privileged: nil, + SELinuxOptions: nil, + RunAsUser: nil, + RunAsNonRoot: nil, + ReadOnlyRootFilesystem: nil, + AllowPrivilegeEscalation: ptr.Bool(false), + RunAsGroup: nil, + ProcMount: nil, + WindowsOptions: nil, + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + LocalhostProfile: nil, + }, + }, }}, }, }, 
@@ -816,21 +1518,129 @@ func TestRevisionDefaulting(t *testing.T) { Name: "init-container-0", Resources: defaultResources, ReadinessProbe: defaultProbe, + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + Privileged: nil, + SELinuxOptions: nil, + RunAsUser: nil, + RunAsNonRoot: nil, + ReadOnlyRootFilesystem: nil, + AllowPrivilegeEscalation: ptr.Bool(false), + RunAsGroup: nil, + ProcMount: nil, + WindowsOptions: nil, + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + LocalhostProfile: nil, + }, + }, Ports: []corev1.ContainerPort{{ ContainerPort: 8888, }}, }, { Name: "init-container-1", Resources: defaultResources, + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + Privileged: nil, + SELinuxOptions: nil, + RunAsUser: nil, + RunAsNonRoot: nil, + ReadOnlyRootFilesystem: nil, + AllowPrivilegeEscalation: ptr.Bool(false), + RunAsGroup: nil, + ProcMount: nil, + WindowsOptions: nil, + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + LocalhostProfile: nil, + }, + }, }}, InitContainers: []corev1.Container{{ Name: "init1", + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + Privileged: nil, + SELinuxOptions: nil, + RunAsUser: nil, + RunAsNonRoot: nil, + ReadOnlyRootFilesystem: nil, + AllowPrivilegeEscalation: ptr.Bool(false), + RunAsGroup: nil, + ProcMount: nil, + WindowsOptions: nil, + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + LocalhostProfile: nil, + }, + }, }, { Name: "init2", + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + Privileged: nil, + SELinuxOptions: nil, + RunAsUser: nil, + RunAsNonRoot: nil, + ReadOnlyRootFilesystem: nil, + 
AllowPrivilegeEscalation: ptr.Bool(false), + RunAsGroup: nil, + ProcMount: nil, + WindowsOptions: nil, + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + LocalhostProfile: nil, + }, + }, }, { Name: "init-container-2", + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + Privileged: nil, + SELinuxOptions: nil, + RunAsUser: nil, + RunAsNonRoot: nil, + ReadOnlyRootFilesystem: nil, + AllowPrivilegeEscalation: ptr.Bool(false), + RunAsGroup: nil, + ProcMount: nil, + WindowsOptions: nil, + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + LocalhostProfile: nil, + }, + }, }, { Name: "init-container-3", + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + Privileged: nil, + SELinuxOptions: nil, + RunAsUser: nil, + RunAsNonRoot: nil, + ReadOnlyRootFilesystem: nil, + AllowPrivilegeEscalation: ptr.Bool(false), + RunAsGroup: nil, + ProcMount: nil, + WindowsOptions: nil, + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + LocalhostProfile: nil, + }, + }, }}, }, }, diff --git a/pkg/apis/serving/v1/service_defaults_test.go b/pkg/apis/serving/v1/service_defaults_test.go index 01547042ac79..8dac7b27c908 100644 --- a/pkg/apis/serving/v1/service_defaults_test.go +++ b/pkg/apis/serving/v1/service_defaults_test.go 
@@ -87,6 +87,24 @@ func TestServiceDefaulting(t *testing.T) { Image: "busybox", Resources: defaultResources, ReadinessProbe: defaultProbe, + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + Privileged: nil, + SELinuxOptions: nil, + RunAsUser: nil, + RunAsNonRoot: nil, + ReadOnlyRootFilesystem: nil, + AllowPrivilegeEscalation: ptr.Bool(false), + RunAsGroup: nil, + ProcMount: nil, + WindowsOptions: nil, + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + LocalhostProfile: nil, + }, + }, }}, }, TimeoutSeconds: ptr.Int64(config.DefaultRevisionTimeoutSeconds), @@ -130,6 +148,24 @@ func TestServiceDefaulting(t *testing.T) { Image: "busybox", Resources: defaultResources, ReadinessProbe: defaultProbe, + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + Privileged: nil, + SELinuxOptions: nil, + RunAsUser: nil, + RunAsNonRoot: nil, + ReadOnlyRootFilesystem: nil, + AllowPrivilegeEscalation: ptr.Bool(false), + RunAsGroup: nil, + ProcMount: nil, + WindowsOptions: nil, + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + LocalhostProfile: nil, + }, + }, }}, }, TimeoutSeconds: ptr.Int64(config.DefaultRevisionTimeoutSeconds), 
@@ -176,6 +212,24 @@ func TestServiceDefaulting(t *testing.T) { Image: "busybox", Resources: defaultResources, ReadinessProbe: defaultProbe, + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + Privileged: nil, + SELinuxOptions: nil, + RunAsUser: nil, + RunAsNonRoot: nil, + ReadOnlyRootFilesystem: nil, + AllowPrivilegeEscalation: ptr.Bool(false), + RunAsGroup: nil, + ProcMount: nil, + WindowsOptions: nil, + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + LocalhostProfile: nil, + }, + }, }}, EnableServiceLinks: ptr.Bool(true), }, @@ -233,6 +287,24 @@ func TestServiceDefaulting(t *testing.T) { Image: "busybox", Resources: defaultResources, ReadinessProbe: defaultProbe, + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + Privileged: nil, + SELinuxOptions: nil, + RunAsUser: nil, + RunAsNonRoot: nil, + ReadOnlyRootFilesystem: nil, + AllowPrivilegeEscalation: ptr.Bool(false), + RunAsGroup: nil, + ProcMount: nil, + WindowsOptions: nil, + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + LocalhostProfile: nil, + }, + }, }}, }, TimeoutSeconds: ptr.Int64(config.DefaultRevisionTimeoutSeconds), diff --git a/pkg/reconciler/revision/table_test.go b/pkg/reconciler/revision/table_test.go index 026854c90267..095e74fe61fd 100644 --- a/pkg/reconciler/revision/table_test.go +++ b/pkg/reconciler/revision/table_test.go 
@@ -655,7 +655,10 @@ func TestReconcile(t *testing.T) {
 withDefaultContainerStatuses(), withInitContainerStatuses(), WithRevisionObservedGeneration(1)),
 }},
 Key: "foo/first-reconcile",
- Ctx: defaultconfig.ToContext(context.Background(), &defaultconfig.Config{Features: &defaultconfig.Features{PodSpecInitContainers: defaultconfig.Enabled}}),
+ Ctx: defaultconfig.ToContext(context.Background(), &defaultconfig.Config{Features: &defaultconfig.Features{
+ PodSpecInitContainers: defaultconfig.Enabled,
+ SecurePodDefaults: defaultconfig.Enabled,
+ }}),
 }, {
 Name: "first revision reconciliation with PVC, PVC enabled",
 // Test the simplest successful reconciliation flow.
@@ -679,6 +682,7 @@ func TestReconcile(t *testing.T) {
 Ctx: defaultconfig.ToContext(context.Background(), &defaultconfig.Config{Features: &defaultconfig.Features{
 PodSpecPersistentVolumeClaim: defaultconfig.Enabled,
 PodSpecPersistentVolumeWrite: defaultconfig.Enabled,
+ SecurePodDefaults: defaultconfig.Enabled,
 }}),
 }}
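Review bot: The `Features` literal passed through `Ctx` replaces the feature set wholesale, so `SecurePodDefaults` has to be restated here even though `defaultFeaturesConfig` now enables it, and every flag not named in the literal is presumably left at its zero value rather than `Disabled`; without a comment the added line reads as redundant and is the first thing a later cleanup would delete. I would add `// The Features literal replaces the defaults wholesale, so the global SecurePodDefaults default must be restated here.` above the `Ctx:` line; the `-679,6 +682,7` hunk has the same shape and the same comment applies. `TestReconcile` starts and ends outside the hunk.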