Disable unshare in the pod containers (#179)

asararatnakar · Shoaeb Jindani · commit f612cb21e01c · 2024-03-21T11:41:38.000+05:30
Signed-off-by: asararatnakar &lt;asara.ratnakar@gmail.com&gt;
Signed-off-by: Shoaeb Jindani &lt;jindani.shoaeb@ibm.com&gt;
diff --git a/bundle/manifests/fabric-opensource-operator.clusterserviceversion.yaml b/bundle/manifests/fabric-opensource-operator.clusterserviceversion.yaml
@@ -1816,6 +1816,8 @@ spec:
                     ephemeral-storage: 100Mi
                     memory: 200Mi
                 securityContext:
+                  seccompProfile:
+                    type: RuntimeDefault
                   allowPrivilegeEscalation: false
                   capabilities:
                     add:
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
@@ -98,6 +98,8 @@ spec:
               memory: 200Mi
               ephemeral-storage: 100Mi
           securityContext:
+            seccompProfile:
+              type: RuntimeDefault
             allowPrivilegeEscalation: false
             capabilities:
               add:
diff --git a/config/manifests/bases/fabric-opensource-operator.clusterserviceversion.yaml b/config/manifests/bases/fabric-opensource-operator.clusterserviceversion.yaml
@@ -1813,6 +1813,8 @@ spec:
                     ephemeral-storage: 100Mi
                     memory: 200Mi
                 securityContext:
+                  seccompProfile:
+                    type: RuntimeDefault
                   allowPrivilegeEscalation: false
                   capabilities:
                     add:
diff --git a/definitions/ca/deployment.yaml b/definitions/ca/deployment.yaml
@@ -74,6 +74,8 @@ spec:
               ephemeral-storage: 100M
               memory: 100Mi
           securityContext:
+            seccompProfile:
+              type: RuntimeDefault
             allowPrivilegeEscalation: false
             capabilities:
               add:
diff --git a/definitions/console/deployment.yaml b/definitions/console/deployment.yaml
@@ -62,6 +62,8 @@ spec:
               ephemeral-storage: 100M
               memory: 1000Mi
           securityContext:
+            seccompProfile:
+              type: RuntimeDefault
             allowPrivilegeEscalation: false
             capabilities:
               add:
@@ -110,6 +112,8 @@ spec:
               ephemeral-storage: 100M
               memory: 200Mi
           securityContext:
+            seccompProfile:
+              type: RuntimeDefault
             allowPrivilegeEscalation: false
             capabilities:
               add:
@@ -160,6 +164,8 @@ spec:
               ephemeral-storage: 100M
               memory: 50Mi
           securityContext:
+            seccompProfile:
+              type: RuntimeDefault
             allowPrivilegeEscalation: false
             capabilities:
               add:
diff --git a/definitions/orderer/deployment.yaml b/definitions/orderer/deployment.yaml
@@ -72,6 +72,8 @@ spec:
               ephemeral-storage: 100M
               memory: 100Mi
           securityContext:
+            seccompProfile:
+              type: RuntimeDefault
             allowPrivilegeEscalation: false
             capabilities:
               add:
@@ -165,6 +167,8 @@ spec:
               ephemeral-storage: 100M
               memory: 100Mi
           securityContext:
+            seccompProfile:
+              type: RuntimeDefault
             capabilities:
               add:
                 - NET_BIND_SERVICE
diff --git a/definitions/peer/chaincode-launcher.yaml b/definitions/peer/chaincode-launcher.yaml
@@ -18,6 +18,8 @@
 name: "chaincode-launcher"
 imagePullPolicy: Always
 securityContext:
+  seccompProfile:
+    type: RuntimeDefault
   privileged: false
   readOnlyRootFileSystem: false
   runAsGroup: 7051
diff --git a/definitions/peer/couchdb.yaml b/definitions/peer/couchdb.yaml
@@ -19,6 +19,8 @@ name: "couchdb"
 image: ""
 imagePullPolicy: Always
 securityContext:
+  seccompProfile:
+    type: RuntimeDefault
   privileged: false
   readOnlyRootFileSystem: false
   runAsGroup: 5984
diff --git a/pkg/offering/base/ca/override/deployment.go b/pkg/offering/base/ca/override/deployment.go
@@ -33,6 +33,7 @@ import (
 	"github.com/IBM-Blockchain/fabric-operator/pkg/manager/resources/deployment"
 	dep "github.com/IBM-Blockchain/fabric-operator/pkg/manager/resources/deployment"
 	"github.com/IBM-Blockchain/fabric-operator/pkg/manager/resources/serviceaccount"
+	"github.com/IBM-Blockchain/fabric-operator/pkg/offering/common"
 	"github.com/IBM-Blockchain/fabric-operator/pkg/util"
 
 	appsv1 "k8s.io/api/apps/v1"
@@ -182,6 +183,9 @@ func (o *Override) CommonDeployment(instance *current.IBPCA, deployment *dep.Dep
 		deployment.SetReplicas(instance.Spec.Replicas)
 	}
 
+	// set seccompProfile to RuntimeDefault
+	common.GetPodSecurityContext(caCont)
+
 	return nil
 }
 
diff --git a/pkg/offering/base/console/override/deployment.go b/pkg/offering/base/console/override/deployment.go
@@ -319,6 +319,11 @@ func (o *Override) CommonDeployment(instance *current.IBPConsole, deployment *de
 	}
 	init.SetCommand([]string{"sh", "-c", initCommand})
 
+	// set seccompProfile to RuntimeDefault
+	common.GetPodSecurityContext(console)
+	common.GetPodSecurityContext(deployer)
+	common.GetPodSecurityContext(configtxlator)
+
 	return nil
 }
 
diff --git a/pkg/offering/base/orderer/override/deployment.go b/pkg/offering/base/orderer/override/deployment.go
@@ -317,6 +317,10 @@ func (o *Override) CommonDeploymentOverrides(instance *current.IBPOrderer, deplo
 	deployment.UpdateContainer(grpcProxy)
 	deployment.UpdateInitContainer(initCont)
 
+	// set seccompProfile to RuntimeDefault
+	common.GetPodSecurityContext(orderer)
+	common.GetPodSecurityContext(grpcProxy)
+
 	return nil
 }
 
diff --git a/pkg/offering/base/peer/override/deployment.go b/pkg/offering/base/peer/override/deployment.go
@@ -732,6 +732,11 @@ func (o *Override) CommonDeploymentOverrides(instance *current.IBPPeer, deployme
 
 	deployment.UpdateContainer(peerContainer)
 	deployment.UpdateContainer(grpcContainer)
+
+	// set seccompProfile to RuntimeDefault
+	common.GetPodSecurityContext(peerContainer)
+	common.GetPodSecurityContext(grpcContainer)
+
 	return nil
 }
 
diff --git a/pkg/offering/common/override.go b/pkg/offering/common/override.go
@@ -19,6 +19,7 @@
 package common
 
 import (
+	container "github.com/IBM-Blockchain/fabric-operator/pkg/manager/resources/container"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
@@ -106,3 +107,12 @@ func GetPodAntiAffinity(orgName string) *corev1.PodAntiAffinity {
 		},
 	}
 }
+
+func GetPodSecurityContext(con container.Container) {
+	secContext := con.SecurityContext
+	if secContext.SeccompProfile == nil {
+		secContext.SeccompProfile = &corev1.SeccompProfile{
+			Type: corev1.SeccompProfileTypeRuntimeDefault,
+		}
+	}
+}

Original file line number	Diff line number	Diff line change
`@@ -33,6 +33,7 @@ import (`
`33`	`33`	`"github.com/IBM-Blockchain/fabric-operator/pkg/manager/resources/deployment"`
`34`	`34`	`dep "github.com/IBM-Blockchain/fabric-operator/pkg/manager/resources/deployment"`
`35`	`35`	`"github.com/IBM-Blockchain/fabric-operator/pkg/manager/resources/serviceaccount"`
	`36`	`+ "github.com/IBM-Blockchain/fabric-operator/pkg/offering/common"`
`36`	`37`	`"github.com/IBM-Blockchain/fabric-operator/pkg/util"`
`37`	`38`
`38`	`39`	`appsv1 "k8s.io/api/apps/v1"`
`@@ -182,6 +183,9 @@ func (o Override) CommonDeployment(instance current.IBPCA, deployment *dep.Dep`
`182`	`183`	`deployment.SetReplicas(instance.Spec.Replicas)`
`183`	`184`	`}`
`184`	`185`
	`186`	`+ // set seccompProfile to RuntimeDefault`
	`187`	`+ common.GetPodSecurityContext(caCont)`
	`188`	`+`
`185`	`189`	`return nil`
`186`	`190`	`}`
`187`	`191`
Original file line number	Diff line number	Diff line change
`@@ -319,6 +319,11 @@ func (o Override) CommonDeployment(instance current.IBPConsole, deployment *de`
`319`	`319`	`}`
`320`	`320`	`init.SetCommand([]string{"sh", "-c", initCommand})`
`321`	`321`
	`322`	`+ // set seccompProfile to RuntimeDefault`
	`323`	`+ common.GetPodSecurityContext(console)`
	`324`	`+ common.GetPodSecurityContext(deployer)`
	`325`	`+ common.GetPodSecurityContext(configtxlator)`
	`326`	`+`
`322`	`327`	`return nil`
`323`	`328`	`}`
`324`	`329`
Original file line number	Diff line number	Diff line change
`@@ -317,6 +317,10 @@ func (o Override) CommonDeploymentOverrides(instance current.IBPOrderer, deplo`
`317`	`317`	`deployment.UpdateContainer(grpcProxy)`
`318`	`318`	`deployment.UpdateInitContainer(initCont)`
`319`	`319`
	`320`	`+ // set seccompProfile to RuntimeDefault`
	`321`	`+ common.GetPodSecurityContext(orderer)`
	`322`	`+ common.GetPodSecurityContext(grpcProxy)`
	`323`	`+`
`320`	`324`	`return nil`
`321`	`325`	`}`
`322`	`326`
Original file line number	Diff line number	Diff line change
`@@ -19,6 +19,7 @@`
`19`	`19`	`package common`
`20`	`20`
`21`	`21`	`import (`
	`22`	`+ container "github.com/IBM-Blockchain/fabric-operator/pkg/manager/resources/container"`
`22`	`23`	`corev1 "k8s.io/api/core/v1"`
`23`	`24`	`metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"`
`24`	`25`	`)`
`@@ -106,3 +107,12 @@ func GetPodAntiAffinity(orgName string) *corev1.PodAntiAffinity {`
`106`	`107`	`},`
`107`	`108`	`}`
`108`	`109`	`}`
	`110`	`+`
	`111`	`+func GetPodSecurityContext(con container.Container) {`
	`112`	`+ secContext := con.SecurityContext`
	`113`	`+ if secContext.SeccompProfile == nil {`
	`114`	`+ secContext.SeccompProfile = &corev1.SeccompProfile{`
	`115`	`+ Type: corev1.SeccompProfileTypeRuntimeDefault,`
	`116`	`+ }`
	`117`	`+ }`
	`118`	`+}`