From fee8dfcb0cd0da77b1d7f148b658a24c5e6d6335 Mon Sep 17 00:00:00 2001
From: Matej Vasek
Date: Tue, 6 Sep 2022 17:37:43 +0200
Subject: [PATCH] fix: in cluster dialer security context is non-privileged (#1181)

* fix: in cluster dialer sec.ctx. is non-privileged
Signed-off-by: Matej Vasek
* fixup: drop all capabilities
Signed-off-by: Matej Vasek
* fixup: seccomp
Signed-off-by: Matej Vasek
* fixup: unset seccomp profile type
the seccomp profile type must be empty for osh 4.10
Signed-off-by: Matej Vasek
* fixup: suppress warnings
Signed-off-by: Matej Vasek
Signed-off-by: Matej Vasek
--- k8s/dialer.go | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/k8s/dialer.go b/k8s/dialer.go
index 49eb80ddb..e7b0e27b5 100644
--- a/k8s/dialer.go
+++ b/k8s/dialer.go
@@ -23,7 +23,7 @@ import (
 )
 const (
- socatImage = "quay.io/boson/alpine-socat:1.7.4.3-r"
+ socatImage = "quay.io/boson/alpine-socat:1.7.4.3-r1-non-root"
 )
 // NewInClusterDialer creates context dialer that will dial TCP connections via POD running in k8s cluster.
@@ -102,6 +102,7 @@ func (c *contextDialer) startDialerPod(ctx context.Context) (err error) {
 if err != nil {
 return
 }
+ c.restConf.WarningHandler = restclient.NoWarnings{}
 err = setConfigDefaults(c.restConf)
 if err != nil {
@@ -129,6 +130,7 @@ func (c *contextDialer) startDialerPod(ctx context.Context) (err error) {
 }
 }()
+ runAsNonRoot := true
 pod := &coreV1.Pod{
 ObjectMeta: metaV1.ObjectMeta{
 Name: c.podName,
@@ -143,6 +145,12 @@ func (c *contextDialer) startDialerPod(ctx context.Context) (err error) {
 Stdin: true,
 StdinOnce: true,
 Args: []string{"-u", "-", "OPEN:/dev/null,append"},
+ SecurityContext: &coreV1.SecurityContext{
+ Privileged: new(bool),
+ AllowPrivilegeEscalation: new(bool),
+ RunAsNonRoot: &runAsNonRoot,
+ Capabilities: &coreV1.Capabilities{Drop: []coreV1.Capability{"ALL"}},
+ },
 },
 },
 DNSPolicy: coreV1.DNSClusterFirst,
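Review bot: `socatImage` still references the dialer image by a mutable tag, so the non-root property this commit relies on holds only as long as nobody re-pushes `1.7.4.3-r1-non-root` on quay.io, and whatever that tag resolves to at pod creation time is what runs inside the user's cluster. Once the image is published, pin the reference by digest, `socatImage = "quay.io/boson/alpine-socat:1.7.4.3-r1-non-root@sha256:<digest of the published image>"`, and record the contract the pod spec now depends on in a comment above the constant, e.g. `// The image must run as a numeric non-root UID: the dialer pod sets RunAsNonRoot and drops all capabilities.` That way a future tag bump cannot silently reintroduce a root image.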
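Review bot: `c.restConf.WarningHandler = restclient.NoWarnings{}` silences every warning header the API server sends on this config, not only the PodSecurity admission warnings the commit message appears to target, so deprecation warnings for the APIs the dialer uses will also be discarded from now on. If `c.restConf` is shared with other clients in this package (not visible from the hunk), the same applies to them. At a minimum the line needs a comment saying what is being suppressed and why, e.g. `// Drop API-server warnings: the dialer pod is expected to trigger PodSecurity admission warnings on some clusters and they would otherwise be logged on every dial.`; the better fix is a small `restclient.WarningHandler` that forwards anything that is not a PodSecurity warning to the default handler. startDialerPod begins and ends outside the hunk.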
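Review bot: The new `SecurityContext` sets no `SeccompProfile`, and the commit message says this was removed on purpose for OpenShift 4.10, but nothing in the code records that, so the next reader will either re-add it or not understand why the pod is rejected in a namespace enforcing the `restricted` Pod Security Standard (which requires a `RuntimeDefault` or `Localhost` profile type); add a comment such as `// SeccompProfile is intentionally unset: OpenShift 4.10 rejects an explicit profile type, at the cost of failing restricted PSS enforcement on clusters that require one.` `RunAsNonRoot: &runAsNonRoot` without a `RunAsUser` also means the kubelet refuses to start the container if the image declares a non-numeric USER, which cannot be verified from here, so state that expectation next to the field (`// the socat image must declare a numeric non-root USER`). Since socat only opens `/dev/null`, `ReadOnlyRootFilesystem` could presumably be set to true here as well — confirm against the image before adding it. startDialerPod begins and ends outside the hunk.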