fix: in cluster dialer security context is non-privileged (#1181)

* fix: in cluster dialer sec.ctx. is non-privileged Signed-off-by: Matej Vasek <mvasek@redhat.com> * fixup: drop all capabilities Signed-off-by: Matej Vasek <mvasek@redhat.com> * fixup: seccomp Signed-off-by: Matej Vasek <mvasek@redhat.com> * fixup: unset seccomp profile type the seccomp profile type must be empty for osh 4.10 Signed-off-by: Matej Vasek <mvasek@redhat.com> * fixup: suppress warnings Signed-off-by: Matej Vasek <mvasek@redhat.com> Signed-off-by: Matej Vasek <mvasek@redhat.com>
2022-09-06 17:37:43 +02:00 · 2022-09-06 17:37:43 +02:00 · fee8dfcb0c
parent 317553206a
commit fee8dfcb0c
1 changed files with 9 additions and 1 deletions
--- a/k8s/dialer.go
+++ b/k8s/dialer.go
@ -23,7 +23,7 @@ import (
 )

 const (
-	socatImage = "quay.io/boson/alpine-socat:1.7.4.3-r"
+	socatImage = "quay.io/boson/alpine-socat:1.7.4.3-r1-non-root"
 )

 // NewInClusterDialer creates context dialer that will dial TCP connections via POD running in k8s cluster.
@ -102,6 +102,7 @@ func (c *contextDialer) startDialerPod(ctx context.Context) (err error) {
 	if err != nil {
 		return
 	}
+	c.restConf.WarningHandler = restclient.NoWarnings{}

 	err = setConfigDefaults(c.restConf)
 	if err != nil {
@ -129,6 +130,7 @@ func (c *contextDialer) startDialerPod(ctx context.Context) (err error) {
 		}
 	}()

+	runAsNonRoot := true
 	pod := &coreV1.Pod{
 		ObjectMeta: metaV1.ObjectMeta{
 			Name:        c.podName,
@ -143,6 +145,12 @@ func (c *contextDialer) startDialerPod(ctx context.Context) (err error) {
 					Stdin:     true,
 					StdinOnce: true,
 					Args:      []string{"-u", "-", "OPEN:/dev/null,append"},
+					SecurityContext: &coreV1.SecurityContext{
+						Privileged:               new(bool),
+						AllowPrivilegeEscalation: new(bool),
+						RunAsNonRoot:             &runAsNonRoot,
+						Capabilities:             &coreV1.Capabilities{Drop: []coreV1.Capability{"ALL"}},
+					},
 				},
 			},
 			DNSPolicy:     coreV1.DNSClusterFirst,