Merge pull request #325 from marquiz/devel/hardening

Container image hardening
kubernetes-sigs · Aug 21, 2020 · a68a4ec · a68a4ec
2 parents b6e3109 + 3cd2d34
commit a68a4ec
Show file tree

Hide file tree

Showing 5 changed files with 33 additions and 0 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -25,6 +25,9 @@ RUN make test
 # Create production image for running node feature discovery
 FROM debian:stretch-slim
 
+# Run as unprivileged user
+USER 65534:65534
+
 # Use more verbose logging of gRPC
 ENV GRPC_GO_LOG_SEVERITY_LEVEL="INFO"
 

diff --git a/nfd-daemonset-combined.yaml.template b/nfd-daemonset-combined.yaml.template
@@ -64,6 +64,12 @@ spec:
                 fieldPath: spec.nodeName
           image: k8s.gcr.io/nfd/node-feature-discovery:v0.6.0
           name: nfd-master
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop: ["ALL"]
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
           command:
             - "nfd-master"
         - env:
@@ -73,6 +79,12 @@ spec:
                 fieldPath: spec.nodeName
           image: k8s.gcr.io/nfd/node-feature-discovery:v0.6.0
           name: nfd-worker
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop: ["ALL"]
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
           command:
             - "nfd-worker"
           args:

diff --git a/nfd-master.yaml.template b/nfd-master.yaml.template
@@ -79,6 +79,12 @@ spec:
                 fieldPath: spec.nodeName
           image: k8s.gcr.io/nfd/node-feature-discovery:v0.6.0
           name: nfd-master
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop: ["ALL"]
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
           command:
             - "nfd-master"
 ## Enable TLS authentication

diff --git a/nfd-worker-daemonset.yaml.template b/nfd-worker-daemonset.yaml.template
@@ -23,6 +23,12 @@ spec:
                 fieldPath: spec.nodeName
           image: k8s.gcr.io/nfd/node-feature-discovery:v0.6.0
           name: nfd-worker
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop: ["ALL"]
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
           command:
             - "nfd-worker"
           args:

diff --git a/nfd-worker-job.yaml.template b/nfd-worker-job.yaml.template
@@ -32,6 +32,12 @@ spec:
                 fieldPath: spec.nodeName
           image: k8s.gcr.io/nfd/node-feature-discovery:v0.6.0
           name: nfd-worker
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop: ["ALL"]
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
           command:
             - "nfd-worker"
           args: