fix: add missing seccompProfile to comply with restricted policy

Signed-off-by: hamidos <ed.hamido@gmail.com>
argoproj-labs · Aug 27, 2024 · 32a8e5a · 32a8e5a
1 parent f8b8fab
commit 32a8e5a
Show file tree

Hide file tree

Showing 13 changed files with 85 additions and 0 deletions.
diff --git a/bundle/manifests/argocd-operator.clusterserviceversion.yaml b/bundle/manifests/argocd-operator.clusterserviceversion.yaml
@@ -1927,6 +1927,8 @@ spec:
                     - ALL
                   readOnlyRootFilesystem: true
                   runAsNonRoot: true
+                  seccompProfile:
+                    type: RuntimeDefault
               securityContext:
                 runAsNonRoot: true
               serviceAccountName: argocd-operator-controller-manager

diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml
@@ -39,3 +39,5 @@ spec:
           allowPrivilegeEscalation: false
           readOnlyRootFilesystem: true 
           runAsNonRoot: true
+          seccompProfile:
+            type: RuntimeDefault
diff --git a/config/default/manager_config_patch.yaml b/config/default/manager_config_patch.yaml
@@ -21,6 +21,8 @@ spec:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true 
            runAsNonRoot: true
+           seccompProfile:
+             type: RuntimeDefault 
       volumes:
       - name: manager-config
         configMap:

diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
@@ -40,6 +40,8 @@ spec:
           allowPrivilegeEscalation: false
           readOnlyRootFilesystem: true 
           runAsNonRoot: true
+          seccompProfile:
+            type: RuntimeDefault
         livenessProbe:
           httpGet:
             path: /healthz

diff --git a/controllers/argocd/applicationset.go b/controllers/argocd/applicationset.go
@@ -355,6 +355,9 @@ func (r *ReconcileArgoCD) applicationSetContainer(cr *argoproj.ArgoCD, addSCMGit
 			AllowPrivilegeEscalation: boolPtr(false),
 			ReadOnlyRootFilesystem:   boolPtr(true),
 			RunAsNonRoot:             boolPtr(true),
+			SeccompProfile: &corev1.SeccompProfile{
+				Type: "RuntimeDefault",
+			},
 		},
 	}
 	if addSCMGitlabVolumeMount {

diff --git a/controllers/argocd/dex.go b/controllers/argocd/dex.go
@@ -271,6 +271,9 @@ func (r *ReconcileArgoCD) reconcileDexDeployment(cr *argoproj.ArgoCD) error {
 				},
 			},
 			RunAsNonRoot: boolPtr(true),
+			SeccompProfile: &corev1.SeccompProfile{
+				Type: "RuntimeDefault",
+			},
 		},
 		VolumeMounts: []corev1.VolumeMount{{
 			Name:      "static-files",
@@ -298,6 +301,9 @@ func (r *ReconcileArgoCD) reconcileDexDeployment(cr *argoproj.ArgoCD) error {
 				},
 			},
 			RunAsNonRoot: boolPtr(true),
+			SeccompProfile: &corev1.SeccompProfile{
+				Type: "RuntimeDefault",
+			},
 		},
 		VolumeMounts: []corev1.VolumeMount{{
 			Name:      "static-files",

diff --git a/controllers/argocd/dex_test.go b/controllers/argocd/dex_test.go
@@ -280,6 +280,9 @@ func TestReconcileArgoCD_reconcileDexDeployment(t *testing.T) {
 						},
 					},
 					RunAsNonRoot: boolPtr(true),
+					SeccompProfile: &corev1.SeccompProfile{
+						Type: "RuntimeDefault",
+					},
 				},
 				VolumeMounts: []corev1.VolumeMount{
 					{
@@ -330,6 +333,9 @@ func TestReconcileArgoCD_reconcileDexDeployment(t *testing.T) {
 						},
 					},
 					RunAsNonRoot: boolPtr(true),
+					SeccompProfile: &corev1.SeccompProfile{
+						Type: "RuntimeDefault",
+					},
 				},
 				VolumeMounts: []corev1.VolumeMount{
 					{Name: "static-files", MountPath: "/shared"},
@@ -401,6 +407,9 @@ func TestReconcileArgoCD_reconcileDexDeployment_withUpdate(t *testing.T) {
 								},
 							},
 							RunAsNonRoot: boolPtr(true),
+							SeccompProfile: &corev1.SeccompProfile{
+								Type: "RuntimeDefault",
+							},
 						},
 						VolumeMounts: []corev1.VolumeMount{
 							{
@@ -451,6 +460,9 @@ func TestReconcileArgoCD_reconcileDexDeployment_withUpdate(t *testing.T) {
 								},
 							},
 							RunAsNonRoot: boolPtr(true),
+							SeccompProfile: &corev1.SeccompProfile{
+								Type: "RuntimeDefault",
+							},
 						},
 						VolumeMounts: []corev1.VolumeMount{
 							{Name: "static-files", MountPath: "/shared"},
@@ -514,6 +526,9 @@ func TestReconcileArgoCD_reconcileDexDeployment_withUpdate(t *testing.T) {
 								},
 							},
 							RunAsNonRoot: boolPtr(true),
+							SeccompProfile: &corev1.SeccompProfile{
+								Type: "RuntimeDefault",
+							},
 						},
 						VolumeMounts: []corev1.VolumeMount{
 							{
@@ -577,6 +592,9 @@ func TestReconcileArgoCD_reconcileDexDeployment_withUpdate(t *testing.T) {
 								},
 							},
 							RunAsNonRoot: boolPtr(true),
+							SeccompProfile: &corev1.SeccompProfile{
+								Type: "RuntimeDefault",
+							},
 						},
 						VolumeMounts: []corev1.VolumeMount{
 							{Name: "static-files", MountPath: "/shared"},

diff --git a/controllers/argocd/keycloak.go b/controllers/argocd/keycloak.go
@@ -236,6 +236,18 @@ func getKeycloakContainer(cr *argoproj.ArgoCD) corev1.Container {
 			{ContainerPort: 8443, Name: "https", Protocol: "TCP"},
 			{ContainerPort: 8888, Name: "ping", Protocol: "TCP"},
 		},
+		SecurityContext: &corev1.SecurityContext{
+			Capabilities: &corev1.Capabilities{
+				Drop: []corev1.Capability{
+					"ALL",
+				},
+			},
+			AllowPrivilegeEscalation: boolPtr(false),
+			RunAsNonRoot:             boolPtr(true),
+			SeccompProfile: &corev1.SeccompProfile{
+				Type: "RuntimeDefault",
+			},
+		},
 		ReadinessProbe: &corev1.Probe{
 			TimeoutSeconds:      240,
 			InitialDelaySeconds: 120,
@@ -627,6 +639,18 @@ func newKeycloakDeployment(cr *argoproj.ArgoCD) *k8sappsv1.Deployment {
 								{Name: "http", ContainerPort: httpPort},
 								{Name: "https", ContainerPort: portTLS},
 							},
+							SecurityContext: &corev1.SecurityContext{
+								Capabilities: &corev1.Capabilities{
+									Drop: []corev1.Capability{
+										"ALL",
+									},
+								},
+								AllowPrivilegeEscalation: boolPtr(false),
+								RunAsNonRoot:             boolPtr(true),
+								SeccompProfile: &corev1.SeccompProfile{
+									Type: "RuntimeDefault",
+								},
+							},
 							ReadinessProbe: &corev1.Probe{
 								ProbeHandler: corev1.ProbeHandler{
 									HTTPGet: &corev1.HTTPGetAction{

diff --git a/controllers/argocd/notifications.go b/controllers/argocd/notifications.go
@@ -393,6 +393,9 @@ func (r *ReconcileArgoCD) reconcileNotificationsDeployment(cr *argoproj.ArgoCD,
 					"ALL",
 				},
 			},
+			SeccompProfile: &corev1.SeccompProfile{
+				Type: "RuntimeDefault",
+			},
 		},
 		VolumeMounts: []corev1.VolumeMount{
 			{

diff --git a/controllers/argocd/notifications_test.go b/controllers/argocd/notifications_test.go
@@ -181,6 +181,9 @@ func TestReconcileNotifications_CreateDeployments(t *testing.T) {
 					"ALL",
 				},
 			},
+			SeccompProfile: &corev1.SeccompProfile{
+				Type: "RuntimeDefault",
+			},
 		},
 		VolumeMounts: []corev1.VolumeMount{
 			{

diff --git a/controllers/argocd/statefulset.go b/controllers/argocd/statefulset.go
@@ -198,6 +198,9 @@ func (r *ReconcileArgoCD) reconcileRedisStatefulSet(cr *argoproj.ArgoCD) error {
 					},
 				},
 				RunAsNonRoot: boolPtr(true),
+				SeccompProfile: &corev1.SeccompProfile{
+					Type: "RuntimeDefault",
+				},
 			},
 			VolumeMounts: []corev1.VolumeMount{
 				{
@@ -270,6 +273,9 @@ func (r *ReconcileArgoCD) reconcileRedisStatefulSet(cr *argoproj.ArgoCD) error {
 					},
 				},
 				RunAsNonRoot: boolPtr(true),
+				SeccompProfile: &corev1.SeccompProfile{
+					Type: "RuntimeDefault",
+				},
 			},
 			VolumeMounts: []corev1.VolumeMount{
 				{
@@ -332,6 +338,9 @@ func (r *ReconcileArgoCD) reconcileRedisStatefulSet(cr *argoproj.ArgoCD) error {
 				},
 			},
 			RunAsNonRoot: boolPtr(true),
+			SeccompProfile: &corev1.SeccompProfile{
+				Type: "RuntimeDefault",
+			},
 		},
 		VolumeMounts: []corev1.VolumeMount{
 			{
@@ -618,6 +627,9 @@ func (r *ReconcileArgoCD) reconcileApplicationControllerStatefulSet(cr *argoproj
 				},
 			},
 			RunAsNonRoot: boolPtr(true),
+			SeccompProfile: &corev1.SeccompProfile{
+				Type: "RuntimeDefault",
+			},
 		},
 		VolumeMounts: controllerVolumeMounts,
 	}}
@@ -703,6 +715,9 @@ func (r *ReconcileArgoCD) reconcileApplicationControllerStatefulSet(cr *argoproj
 					},
 				},
 				RunAsNonRoot: boolPtr(true),
+				SeccompProfile: &corev1.SeccompProfile{
+					Type: "RuntimeDefault",
+				},
 			},
 			VolumeMounts: getArgoImportVolumeMounts(),
 		}}

diff --git a/controllers/argocdexport/job.go b/controllers/argocdexport/job.go
@@ -186,6 +186,9 @@ func newExportPodSpec(cr *argoproj.ArgoCDExport, argocdName string, client clien
 				},
 			},
 			RunAsNonRoot: boolPtr(true),
+			SeccompProfile: &corev1.SeccompProfile{
+				Type: "RuntimeDefault",
+			},
 		},
 		VolumeMounts: getArgoExportVolumeMounts(),
 	}}

diff --git a/deploy/olm-catalog/argocd-operator/0.12.0/argocd-operator.v0.12.0.clusterserviceversion.yaml b/deploy/olm-catalog/argocd-operator/0.12.0/argocd-operator.v0.12.0.clusterserviceversion.yaml
@@ -1927,6 +1927,8 @@ spec:
                     - ALL
                   readOnlyRootFilesystem: true
                   runAsNonRoot: true
+                  seccompProfile:
+                    type: RuntimeDefault
               securityContext:
                 runAsNonRoot: true
               serviceAccountName: argocd-operator-controller-manager