feat: add security context to zarf-registry and zarf-injector in orde…

…r to comply with offical restricted PSS Signed-off-by: miaoxiang.wang <[email protected]>
zarf-dev · Oct 10, 2024 · bf8e7d3 · bf8e7d3
1 parent 9e5ab57
commit bf8e7d3
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 1 deletion.
diff --git a/packages/zarf-registry/chart/templates/deployment.yaml b/packages/zarf-registry/chart/templates/deployment.yaml
@@ -33,8 +33,11 @@ spec:
       {{- end }}
       priorityClassName: system-node-critical
       securityContext:
-        fsGroup: 1000
         runAsUser: 1000
+        fsGroup: 2000
+        runAsGroup: 2000
+        seccompProfile:
+          type: "RuntimeDefault"
       containers:
         - name: {{ .Chart.Name }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
@@ -53,6 +56,12 @@ spec:
             httpGet:
               path: /
               port: 5000
+          securityContext:
+            readOnlyRootFilesystem: true
+            allowPrivilegeEscalation: false
+            runAsNonRoot: true
+            capabilities:
+              drop: ["ALL"]
           resources:
 {{ toYaml .Values.resources | indent 12 }}
           env:

diff --git a/src/pkg/cluster/injector.go b/src/pkg/cluster/injector.go
@@ -319,6 +319,9 @@ func hasBlockingTaints(taints []corev1.Taint) bool {
 
 func buildInjectionPod(nodeName, image string, payloadCmNames []string, shasum string, resReq corev1.ResourceRequirements) *corev1.Pod {
 	executeMode := int32(0777)
+	userID := int64(1000)
+	groupID := int64(2000)
+	fsGroupID := int64(2000)
 
 	pod := &corev1.Pod{
 		TypeMeta: metav1.TypeMeta{
@@ -337,6 +340,12 @@ func buildInjectionPod(nodeName, image string, payloadCmNames []string, shasum s
 			NodeName: nodeName,
 			// Do not try to restart the pod as it will be deleted/re-created instead.
 			RestartPolicy: corev1.RestartPolicyNever,
+			SecurityContext: &corev1.PodSecurityContext{
+				RunAsUser:      &userID,
+				RunAsGroup:     &groupID,
+				FSGroup:        &fsGroupID,
+				SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault},
+			},
 			Containers: []corev1.Container{
 				{
 					Name:            "injector",
@@ -366,6 +375,14 @@ func buildInjectionPod(nodeName, image string, payloadCmNames []string, shasum s
 							},
 						},
 					},
+					SecurityContext: &corev1.SecurityContext{
+						ReadOnlyRootFilesystem:   helpers.BoolPtr(true),
+						AllowPrivilegeEscalation: helpers.BoolPtr(false),
+						RunAsNonRoot:             helpers.BoolPtr(true),
+						Capabilities: &corev1.Capabilities{
+							Drop: []corev1.Capability{"ALL"},
+						},
+					},
 					Resources: resReq,
 				},
 			},