diff --git a/bundle/manifests/argocd-operator.clusterserviceversion.yaml b/bundle/manifests/argocd-operator.clusterserviceversion.yaml
index 0dfa16345..8ccb3060b 100644
--- a/bundle/manifests/argocd-operator.clusterserviceversion.yaml
+++ b/bundle/manifests/argocd-operator.clusterserviceversion.yaml
@@ -1927,6 +1927,8 @@ spec:
 - ALL
 readOnlyRootFilesystem: true
 runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
 securityContext:
 runAsNonRoot: true
 serviceAccountName: argocd-operator-controller-manager
diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml
index e5fe9ed97..ca89c8a77 100644
--- a/config/default/manager_auth_proxy_patch.yaml
+++ b/config/default/manager_auth_proxy_patch.yaml
@@ -39,3 +39,5 @@ spec:
 allowPrivilegeEscalation: false
 readOnlyRootFilesystem: true
 runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/config/default/manager_config_patch.yaml b/config/default/manager_config_patch.yaml
index d7eca2d68..780d0003a 100644
--- a/config/default/manager_config_patch.yaml
+++ b/config/default/manager_config_patch.yaml
@@ -21,6 +21,8 @@ spec:
 allowPrivilegeEscalation: false
 readOnlyRootFilesystem: true
 runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
 volumes:
 - name: manager-config
 configMap:
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
index 7f86e3bde..58d17c23c 100644
--- a/config/manager/manager.yaml
+++ b/config/manager/manager.yaml
@@ -40,6 +40,8 @@ spec:
 allowPrivilegeEscalation: false
 readOnlyRootFilesystem: true
 runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
 livenessProbe:
 httpGet:
 path: /healthz
diff --git a/controllers/argocd/applicationset.go b/controllers/argocd/applicationset.go
index 7580ff46c..9dd5dafbf 100644
--- a/controllers/argocd/applicationset.go
+++ b/controllers/argocd/applicationset.go
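Review bot: The pod-level `securityContext` that appears as context in the bundle CSV hunk (`securityContext:` / `runAsNonRoot: true`) still carries no `seccompProfile`, so the new profile is enforced only per container. Adding `seccompProfile:` / `type: RuntimeDefault` under the pod securityContext as well lets any container added later (an init container, another sidecar) inherit it, and keeps the Deployment admissible under the Restricted Pod Security Standard even if one container's own context is later edited. The bundle and deploy/olm-catalog CSVs look generated from config/, so the change would belong in the pod securityContext of `config/manager/manager.yaml`, which is outside these hunks.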
@@ -355,6 +355,9 @@ func (r *ReconcileArgoCD) applicationSetContainer(cr *argoproj.ArgoCD, addSCMGit
 AllowPrivilegeEscalation: boolPtr(false),
 ReadOnlyRootFilesystem: boolPtr(true),
 RunAsNonRoot: boolPtr(true),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: "RuntimeDefault",
+ },
 },
 }
 if addSCMGitlabVolumeMount {
diff --git a/controllers/argocd/dex.go b/controllers/argocd/dex.go
index 51b1a3467..93d534076 100644
--- a/controllers/argocd/dex.go
+++ b/controllers/argocd/dex.go
@@ -271,6 +271,9 @@ func (r *ReconcileArgoCD) reconcileDexDeployment(cr *argoproj.ArgoCD) error {
 },
 },
 RunAsNonRoot: boolPtr(true),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: "RuntimeDefault",
+ },
 },
 VolumeMounts: []corev1.VolumeMount{{
 Name: "static-files",
@@ -298,6 +301,9 @@ func (r *ReconcileArgoCD) reconcileDexDeployment(cr *argoproj.ArgoCD) error {
 },
 },
 RunAsNonRoot: boolPtr(true),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: "RuntimeDefault",
+ },
 },
 VolumeMounts: []corev1.VolumeMount{{
 Name: "static-files",
diff --git a/controllers/argocd/dex_test.go b/controllers/argocd/dex_test.go
index 707c79788..5385d5f82 100644
--- a/controllers/argocd/dex_test.go
+++ b/controllers/argocd/dex_test.go
@@ -280,6 +280,9 @@ func TestReconcileArgoCD_reconcileDexDeployment(t *testing.T) {
 },
 },
 RunAsNonRoot: boolPtr(true),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: "RuntimeDefault",
+ },
 },
 VolumeMounts: []corev1.VolumeMount{
 {
@@ -330,6 +333,9 @@ func TestReconcileArgoCD_reconcileDexDeployment(t *testing.T) {
 },
 },
 RunAsNonRoot: boolPtr(true),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: "RuntimeDefault",
+ },
 },
 VolumeMounts: []corev1.VolumeMount{
 {Name: "static-files", MountPath: "/shared"},
@@ -401,6 +407,9 @@ func TestReconcileArgoCD_reconcileDexDeployment_withUpdate(t *testing.T) {
 },
 },
 RunAsNonRoot: boolPtr(true),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: "RuntimeDefault",
+ },
 },
 VolumeMounts: []corev1.VolumeMount{
 {
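Review bot: The added `Type: "RuntimeDefault",` is an untyped string literal where `k8s.io/api/core/v1` already exports the typed constant; writing `Type: corev1.SeccompProfileTypeRuntimeDefault,` lets the compiler catch a typo that the API server would otherwise reject only at reconcile time, with the operand silently failing to roll out. The same literal is repeated in every Go hunk of this commit (dex.go, dex_test.go, keycloak.go, notifications.go, notifications_test.go, statefulset.go, argocdexport/job.go), and the SecurityContext blocks around it are near-identical copies, so a small shared helper for the profile would keep the containers from drifting apart as more are added. applicationSetContainer's body continues outside the hunk.
```go
// restrictedSeccompProfile returns the seccomp profile applied to every
// operand container, so the setting is defined in exactly one place.
func restrictedSeccompProfile() *corev1.SeccompProfile {
	return &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault}
}
// … unchanged: each container then uses SeccompProfile: restrictedSeccompProfile(), …
```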
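Review bot: The two hunks in reconcileDexDeployment only change the desired Deployment spec; whether an already-running Dex Deployment picks up the new SeccompProfile depends on the update path later in the function, which is outside the hunk. If that path compares only selected fields (image, args, env) rather than the whole container SecurityContext, existing installs keep running without the seccomp filter and only fresh installs get it. The `_withUpdate` hunks in dex_test.go adjust expected values, but whether the pre-existing Deployment in those tests starts without a SeccompProfile is not visible here; a test that seeds such a Deployment and asserts the reconcile adds `SeccompProfile` would confirm the hardening reaches upgrades. The same question applies to reconcileRedisStatefulSet and reconcileApplicationControllerStatefulSet in statefulset.go and to reconcileNotificationsDeployment in notifications.go.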
@@ -451,6 +460,9 @@ func TestReconcileArgoCD_reconcileDexDeployment_withUpdate(t *testing.T) {
 },
 },
 RunAsNonRoot: boolPtr(true),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: "RuntimeDefault",
+ },
 },
 VolumeMounts: []corev1.VolumeMount{
 {Name: "static-files", MountPath: "/shared"},
@@ -514,6 +526,9 @@ func TestReconcileArgoCD_reconcileDexDeployment_withUpdate(t *testing.T) {
 },
 },
 RunAsNonRoot: boolPtr(true),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: "RuntimeDefault",
+ },
 },
 VolumeMounts: []corev1.VolumeMount{
 {
@@ -577,6 +592,9 @@ func TestReconcileArgoCD_reconcileDexDeployment_withUpdate(t *testing.T) {
 },
 },
 RunAsNonRoot: boolPtr(true),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: "RuntimeDefault",
+ },
 },
 VolumeMounts: []corev1.VolumeMount{
 {Name: "static-files", MountPath: "/shared"},
diff --git a/controllers/argocd/keycloak.go b/controllers/argocd/keycloak.go
index 425080534..f5ad51057 100644
--- a/controllers/argocd/keycloak.go
+++ b/controllers/argocd/keycloak.go
@@ -236,6 +236,18 @@ func getKeycloakContainer(cr *argoproj.ArgoCD) corev1.Container {
 {ContainerPort: 8443, Name: "https", Protocol: "TCP"},
 {ContainerPort: 8888, Name: "ping", Protocol: "TCP"},
 },
+ SecurityContext: &corev1.SecurityContext{
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{
+ "ALL",
+ },
+ },
+ AllowPrivilegeEscalation: boolPtr(false),
+ RunAsNonRoot: boolPtr(true),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: "RuntimeDefault",
+ },
+ },
 ReadinessProbe: &corev1.Probe{
 TimeoutSeconds: 240,
 InitialDelaySeconds: 120,
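Review bot: The SecurityContext added to getKeycloakContainer (and its twin in newKeycloakDeployment in the next hunk) sets Capabilities, AllowPrivilegeEscalation, RunAsNonRoot and SeccompProfile but, unlike every other container touched by this commit, omits `ReadOnlyRootFilesystem`. If that is deliberate because the Keycloak image needs a writable root filesystem, a one-line comment above the block stating that reason would stop a later hardening pass from adding `ReadOnlyRootFilesystem: boolPtr(true),` and breaking the pod; if it is an oversight, that line should be added and verified against a running Keycloak. No keycloak test appears in this diff, so neither new SecurityContext is asserted, whereas dex_test.go and notifications_test.go were updated alongside their controllers. Both enclosing functions continue outside their hunks.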
@@ -627,6 +639,18 @@ func newKeycloakDeployment(cr *argoproj.ArgoCD) *k8sappsv1.Deployment {
 {Name: "http", ContainerPort: httpPort},
 {Name: "https", ContainerPort: portTLS},
 },
+ SecurityContext: &corev1.SecurityContext{
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{
+ "ALL",
+ },
+ },
+ AllowPrivilegeEscalation: boolPtr(false),
+ RunAsNonRoot: boolPtr(true),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: "RuntimeDefault",
+ },
+ },
 ReadinessProbe: &corev1.Probe{
 ProbeHandler: corev1.ProbeHandler{
 HTTPGet: &corev1.HTTPGetAction{
diff --git a/controllers/argocd/notifications.go b/controllers/argocd/notifications.go
index ae4a00030..d5b282005 100644
--- a/controllers/argocd/notifications.go
+++ b/controllers/argocd/notifications.go
@@ -393,6 +393,9 @@ func (r *ReconcileArgoCD) reconcileNotificationsDeployment(cr *argoproj.ArgoCD,
 "ALL",
 },
 },
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: "RuntimeDefault",
+ },
 },
 VolumeMounts: []corev1.VolumeMount{
 {
diff --git a/controllers/argocd/notifications_test.go b/controllers/argocd/notifications_test.go
index 79fabf5a1..cfbb9f051 100644
--- a/controllers/argocd/notifications_test.go
+++ b/controllers/argocd/notifications_test.go
@@ -181,6 +181,9 @@ func TestReconcileNotifications_CreateDeployments(t *testing.T) {
 "ALL",
 },
 },
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: "RuntimeDefault",
+ },
 },
 VolumeMounts: []corev1.VolumeMount{
 {
diff --git a/controllers/argocd/statefulset.go b/controllers/argocd/statefulset.go
index fb36f62c1..68e1e9f7a 100644
--- a/controllers/argocd/statefulset.go
+++ b/controllers/argocd/statefulset.go
@@ -198,6 +198,9 @@ func (r *ReconcileArgoCD) reconcileRedisStatefulSet(cr *argoproj.ArgoCD) error {
 },
 },
 RunAsNonRoot: boolPtr(true),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: "RuntimeDefault",
+ },
 },
 VolumeMounts: []corev1.VolumeMount{
 {
@@ -270,6 +273,9 @@ func (r *ReconcileArgoCD) reconcileRedisStatefulSet(cr *argoproj.ArgoCD) error {
 },
 },
 RunAsNonRoot: boolPtr(true),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: "RuntimeDefault",
+ },
 },
 VolumeMounts: []corev1.VolumeMount{
 {
@@ -332,6 +338,9 @@ func (r *ReconcileArgoCD) reconcileRedisStatefulSet(cr *argoproj.ArgoCD) error {
 },
 },
 RunAsNonRoot: boolPtr(true),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: "RuntimeDefault",
+ },
 },
 VolumeMounts: []corev1.VolumeMount{
 {
@@ -618,6 +627,9 @@ func (r *ReconcileArgoCD) reconcileApplicationControllerStatefulSet(cr *argoproj
 },
 },
 RunAsNonRoot: boolPtr(true),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: "RuntimeDefault",
+ },
 },
 VolumeMounts: controllerVolumeMounts,
 }}
@@ -703,6 +715,9 @@ func (r *ReconcileArgoCD) reconcileApplicationControllerStatefulSet(cr *argoproj
 },
 },
 RunAsNonRoot: boolPtr(true),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: "RuntimeDefault",
+ },
 },
 VolumeMounts: getArgoImportVolumeMounts(),
 }}
diff --git a/controllers/argocdexport/job.go b/controllers/argocdexport/job.go
index 577702b21..d692d5a53 100644
--- a/controllers/argocdexport/job.go
+++ b/controllers/argocdexport/job.go
@@ -186,6 +186,9 @@ func newExportPodSpec(cr *argoproj.ArgoCDExport, argocdName string, client clien
 },
 },
 RunAsNonRoot: boolPtr(true),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: "RuntimeDefault",
+ },
 },
 VolumeMounts: getArgoExportVolumeMounts(),
 }}
diff --git a/deploy/olm-catalog/argocd-operator/0.12.0/argocd-operator.v0.12.0.clusterserviceversion.yaml b/deploy/olm-catalog/argocd-operator/0.12.0/argocd-operator.v0.12.0.clusterserviceversion.yaml
index 0dfa16345..8ccb3060b 100644
--- a/deploy/olm-catalog/argocd-operator/0.12.0/argocd-operator.v0.12.0.clusterserviceversion.yaml
+++ b/deploy/olm-catalog/argocd-operator/0.12.0/argocd-operator.v0.12.0.clusterserviceversion.yaml
@@ -1927,6 +1927,8 @@ spec:
 - ALL
 readOnlyRootFilesystem: true
 runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
 securityContext:
 runAsNonRoot: true
 serviceAccountName: argocd-operator-controller-manager