Disable unshare in the pod containers (#179)

Signed-off-by: asararatnakar <[email protected]>

Author: asararatnakar

bundle/manifests/fabric-opensource-operator.clusterserviceversion.yaml

@@ -1837,6 +1837,8 @@ spec:
                     ephemeral-storage: 100Mi
                     memory: 200Mi
                 securityContext:
+                  seccompProfile:
+                    type: RuntimeDefault
                   allowPrivilegeEscalation: false
                   capabilities:
                     add:

config/manager/manager.yaml

@@ -98,6 +98,8 @@ spec:
               memory: 200Mi
               ephemeral-storage: 100Mi
           securityContext:
+            seccompProfile:
+              type: RuntimeDefault
             allowPrivilegeEscalation: false
             capabilities:
               add:

config/manifests/bases/fabric-opensource-operator.clusterserviceversion.yaml

@@ -1834,6 +1834,8 @@ spec:
                     ephemeral-storage: 100Mi
                     memory: 200Mi
                 securityContext:
+                  seccompProfile:
+                    type: RuntimeDefault
                   allowPrivilegeEscalation: false
                   capabilities:
                     add:

definitions/ca/deployment.yaml

@@ -74,6 +74,8 @@ spec:
               ephemeral-storage: 100M
               memory: 100Mi
           securityContext:
+            seccompProfile:
+              type: RuntimeDefault
             allowPrivilegeEscalation: false
             capabilities:
               add:

definitions/console/deployment.yaml

@@ -62,6 +62,8 @@ spec:
               ephemeral-storage: 100M
               memory: 1000Mi
           securityContext:
+            seccompProfile:
+              type: RuntimeDefault
             allowPrivilegeEscalation: false
             capabilities:
               add:
@@ -110,6 +112,8 @@ spec:
               ephemeral-storage: 100M
               memory: 200Mi
           securityContext:
+            seccompProfile:
+              type: RuntimeDefault
             allowPrivilegeEscalation: false
             capabilities:
               add:
@@ -160,6 +164,8 @@ spec:
               ephemeral-storage: 100M
               memory: 50Mi
           securityContext:
+            seccompProfile:
+              type: RuntimeDefault
             allowPrivilegeEscalation: false
             capabilities:
               add:

definitions/orderer/deployment.yaml

@@ -72,6 +72,8 @@ spec:
               ephemeral-storage: 100M
               memory: 100Mi
           securityContext:
+            seccompProfile:
+              type: RuntimeDefault
             allowPrivilegeEscalation: false
             capabilities:
               add:
@@ -165,6 +167,8 @@ spec:
               ephemeral-storage: 100M
               memory: 100Mi
           securityContext:
+            seccompProfile:
+              type: RuntimeDefault
             capabilities:
               add:
                 - NET_BIND_SERVICE

definitions/peer/chaincode-launcher.yaml

@@ -18,6 +18,8 @@
 name: "chaincode-launcher"
 imagePullPolicy: Always
 securityContext:
+  seccompProfile:
+    type: RuntimeDefault
   privileged: false
   readOnlyRootFileSystem: false
   runAsGroup: 7051

definitions/peer/couchdb.yaml

@@ -19,6 +19,8 @@ name: "couchdb"
 image: ""
 imagePullPolicy: Always
 securityContext:
+  seccompProfile:
+    type: RuntimeDefault
   privileged: false
   readOnlyRootFileSystem: false
   runAsGroup: 5984

definitions/peer/deployment.yaml

@@ -59,6 +59,8 @@ spec:
               cpu: 500m
               memory: 1000M
           securityContext:
+            seccompProfile:
+              type: RuntimeDefault
             allowPrivilegeEscalation: true
             capabilities:
               add:
@@ -136,6 +138,8 @@ spec:
               cpu: 200m
               memory: 400M
           securityContext:
+            seccompProfile:
+              type: RuntimeDefault
             allowPrivilegeEscalation: false
             capabilities:
               add:
@@ -218,6 +222,8 @@ spec:
               cpu: 100m
               memory: 200M
           securityContext:
+            seccompProfile:
+              type: RuntimeDefault
             allowPrivilegeEscalation: false
             capabilities:
               add:

pkg/offering/base/ca/override/deployment.go

@@ -33,6 +33,7 @@ import (
 	"github.com/IBM-Blockchain/fabric-operator/pkg/manager/resources/deployment"
 	dep "github.com/IBM-Blockchain/fabric-operator/pkg/manager/resources/deployment"
 	"github.com/IBM-Blockchain/fabric-operator/pkg/manager/resources/serviceaccount"
+	"github.com/IBM-Blockchain/fabric-operator/pkg/offering/common"
 	"github.com/IBM-Blockchain/fabric-operator/pkg/util"
 
 	appsv1 "k8s.io/api/apps/v1"
@@ -182,6 +183,9 @@ func (o *Override) CommonDeployment(instance *current.IBPCA, deployment *dep.Dep
 		deployment.SetReplicas(instance.Spec.Replicas)
 	}
 
+	// set seccompProfile to RuntimeDefault
+	common.GetPodSecurityContext(caCont)
+
 	return nil
 }
 

pkg/offering/base/console/override/deployment.go

@@ -319,6 +319,11 @@ func (o *Override) CommonDeployment(instance *current.IBPConsole, deployment *de
 	}
 	init.SetCommand([]string{"sh", "-c", initCommand})
 
+	// set seccompProfile to RuntimeDefault
+	common.GetPodSecurityContext(console)
+	common.GetPodSecurityContext(deployer)
+	common.GetPodSecurityContext(configtxlator)
+
 	return nil
 }
 

pkg/offering/base/orderer/override/deployment.go

@@ -317,6 +317,10 @@ func (o *Override) CommonDeploymentOverrides(instance *current.IBPOrderer, deplo
 	deployment.UpdateContainer(grpcProxy)
 	deployment.UpdateInitContainer(initCont)
 
+	// set seccompProfile to RuntimeDefault
+	common.GetPodSecurityContext(orderer)
+	common.GetPodSecurityContext(grpcProxy)
+
 	return nil
 }
 

pkg/offering/base/peer/override/deployment.go

@@ -756,6 +756,11 @@ func (o *Override) CommonDeploymentOverrides(instance *current.IBPPeer, deployme
 
 	deployment.UpdateContainer(peerContainer)
 	deployment.UpdateContainer(grpcContainer)
+
+	// set seccompProfile to RuntimeDefault
+	common.GetPodSecurityContext(peerContainer)
+	common.GetPodSecurityContext(grpcContainer)
+
 	return nil
 }
 

pkg/offering/common/override.go

@@ -19,6 +19,7 @@
 package common
 
 import (
+	container "github.com/IBM-Blockchain/fabric-operator/pkg/manager/resources/container"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
@@ -106,3 +107,12 @@ func GetPodAntiAffinity(orgName string) *corev1.PodAntiAffinity {
 		},
 	}
 }
+
+func GetPodSecurityContext(con container.Container) {
+	secContext := con.SecurityContext
+	if secContext.SeccompProfile == nil {
+		secContext.SeccompProfile = &corev1.SeccompProfile{
+			Type: corev1.SeccompProfileTypeRuntimeDefault,
+		}
+	}
+}