Add SecurityContext to deployment and init container

rancher · Oct 16, 2023 · d3ce167 · d3ce167
1 parent f974f7d
commit d3ce167
Show file tree

Hide file tree

Showing 2 changed files with 110 additions and 20 deletions.
diff --git a/pkg/controller/gitjob/generatejob_test.go b/pkg/controller/gitjob/generatejob_test.go
@@ -15,6 +15,17 @@ import (
 func TestGenerateJob(t *testing.T) {
 	ctrl := gomock.NewController(t)
 
+	securityContext := &corev1.SecurityContext{
+		AllowPrivilegeEscalation: &[]bool{false}[0],
+		ReadOnlyRootFilesystem:   &[]bool{true}[0],
+		Privileged:               &[]bool{false}[0],
+		Capabilities:             &corev1.Capabilities{Drop: []corev1.Capability{"ALL"}},
+		RunAsNonRoot:             &[]bool{true}[0],
+		SeccompProfile: &corev1.SeccompProfile{
+			Type: corev1.SeccompProfileTypeRuntimeDefault,
+		},
+	}
+
 	tests := map[string]struct {
 		gitjob                 *v1.GitJob
 		secret                 corev1controller.SecretCache
@@ -39,7 +50,12 @@ func TestGenerateJob(t *testing.T) {
 							Name:      gitClonerVolumeName,
 							MountPath: "/workspace",
 						},
+						{
+							Name:      emptyDirVolumeName,
+							MountPath: "/tmp",
+						},
 					},
+					SecurityContext: securityContext,
 				},
 			},
 			expectedVolumes: []corev1.Volume{
@@ -49,6 +65,12 @@ func TestGenerateJob(t *testing.T) {
 						EmptyDir: &corev1.EmptyDirVolumeSource{},
 					},
 				},
+				{
+					Name: emptyDirVolumeName,
+					VolumeSource: corev1.VolumeSource{
+						EmptyDir: &corev1.EmptyDirVolumeSource{},
+					},
+				},
 			},
 		},
 		"http credentials": {
@@ -75,11 +97,16 @@ func TestGenerateJob(t *testing.T) {
 							Name:      gitClonerVolumeName,
 							MountPath: "/workspace",
 						},
+						{
+							Name:      emptyDirVolumeName,
+							MountPath: "/tmp",
+						},
 						{
 							Name:      gitCredentialVolumeName,
 							MountPath: "/gitjob/credentials",
 						},
 					},
+					SecurityContext: securityContext,
 				},
 			},
 			expectedVolumes: []corev1.Volume{
@@ -89,6 +116,12 @@ func TestGenerateJob(t *testing.T) {
 						EmptyDir: &corev1.EmptyDirVolumeSource{},
 					},
 				},
+				{
+					Name: emptyDirVolumeName,
+					VolumeSource: corev1.VolumeSource{
+						EmptyDir: &corev1.EmptyDirVolumeSource{},
+					},
+				},
 				{
 					Name: gitCredentialVolumeName,
 					VolumeSource: corev1.VolumeSource{
@@ -124,11 +157,16 @@ func TestGenerateJob(t *testing.T) {
 							Name:      gitClonerVolumeName,
 							MountPath: "/workspace",
 						},
+						{
+							Name:      emptyDirVolumeName,
+							MountPath: "/tmp",
+						},
 						{
 							Name:      gitCredentialVolumeName,
 							MountPath: "/gitjob/ssh",
 						},
 					},
+					SecurityContext: securityContext,
 				},
 			},
 			expectedVolumes: []corev1.Volume{
@@ -138,6 +176,12 @@ func TestGenerateJob(t *testing.T) {
 						EmptyDir: &corev1.EmptyDirVolumeSource{},
 					},
 				},
+				{
+					Name: emptyDirVolumeName,
+					VolumeSource: corev1.VolumeSource{
+						EmptyDir: &corev1.EmptyDirVolumeSource{},
+					},
+				},
 				{
 					Name: gitCredentialVolumeName,
 					VolumeSource: corev1.VolumeSource{
@@ -173,11 +217,16 @@ func TestGenerateJob(t *testing.T) {
 							Name:      gitClonerVolumeName,
 							MountPath: "/workspace",
 						},
+						{
+							Name:      emptyDirVolumeName,
+							MountPath: "/tmp",
+						},
 						{
 							Name:      bundleCAVolumeName,
 							MountPath: "/gitjob/cabundle",
 						},
 					},
+					SecurityContext: securityContext,
 				},
 			},
 			expectedVolumes: []corev1.Volume{
@@ -187,6 +236,12 @@ func TestGenerateJob(t *testing.T) {
 						EmptyDir: &corev1.EmptyDirVolumeSource{},
 					},
 				},
+				{
+					Name: emptyDirVolumeName,
+					VolumeSource: corev1.VolumeSource{
+						EmptyDir: &corev1.EmptyDirVolumeSource{},
+					},
+				},
 				{
 					Name: bundleCAVolumeName,
 					VolumeSource: corev1.VolumeSource{
@@ -221,7 +276,12 @@ func TestGenerateJob(t *testing.T) {
 							Name:      gitClonerVolumeName,
 							MountPath: "/workspace",
 						},
+						{
+							Name:      emptyDirVolumeName,
+							MountPath: "/tmp",
+						},
 					},
+					SecurityContext: securityContext,
 				},
 			},
 			expectedVolumes: []corev1.Volume{
@@ -231,25 +291,33 @@ func TestGenerateJob(t *testing.T) {
 						EmptyDir: &corev1.EmptyDirVolumeSource{},
 					},
 				},
+				{
+					Name: emptyDirVolumeName,
+					VolumeSource: corev1.VolumeSource{
+						EmptyDir: &corev1.EmptyDirVolumeSource{},
+					},
+				},
 			},
 		},
 	}
 
-	for _, test := range tests {
-		h := Handler{
-			image:   "test",
-			secrets: test.secret,
-		}
-		job, err := h.generateJob(test.gitjob)
-		if err != nil {
-			t.Fatalf("unexpected error: %v", err)
-		}
-		if !cmp.Equal(job.Spec.Template.Spec.InitContainers, test.expectedInitContainers) {
-			t.Fatalf("expected initContainers: %v, got: %v", test.expectedInitContainers, job.Spec.Template.Spec.InitContainers)
-		}
-		if !cmp.Equal(job.Spec.Template.Spec.Volumes, test.expectedVolumes) {
-			t.Fatalf("expected volumes: %v, got: %v", test.expectedVolumes, job.Spec.Template.Spec.Volumes)
-		}
+	for name, test := range tests {
+		t.Run(name, func(t *testing.T) {
+			h := Handler{
+				image:   "test",
+				secrets: test.secret,
+			}
+			job, err := h.generateJob(test.gitjob)
+			if err != nil {
+				t.Fatalf("unexpected error: %v", err)
+			}
+			if !cmp.Equal(job.Spec.Template.Spec.InitContainers, test.expectedInitContainers) {
+				t.Fatalf("expected initContainers: %v, got: %v", test.expectedInitContainers, job.Spec.Template.Spec.InitContainers)
+			}
+			if !cmp.Equal(job.Spec.Template.Spec.Volumes, test.expectedVolumes) {
+				t.Fatalf("expected volumes: %v, got: %v", test.expectedVolumes, job.Spec.Template.Spec.Volumes)
+			}
+		})
 	}
 }
 

diff --git a/pkg/controller/gitjob/gitjobs.go b/pkg/controller/gitjob/gitjobs.go
@@ -32,6 +32,7 @@ const (
 	bundleCAFile            = "additional-ca.crt"
 	gitCredentialVolumeName = "git-credential" // #nosec G101 this is not a credential
 	gitClonerVolumeName     = "git-cloner"
+	emptyDirVolumeName      = "empty-dir"
 )
 
 func Register(ctx context.Context, cont *types.Context) {
@@ -189,12 +190,19 @@ func (h Handler) generateJob(obj *v1.GitJob) (*batchv1.Job, error) {
 		return nil, err
 	}
 	job.Spec.Template.Spec.InitContainers = []corev1.Container{initContainer}
-	job.Spec.Template.Spec.Volumes = append(job.Spec.Template.Spec.Volumes, corev1.Volume{
-		Name: gitClonerVolumeName,
-		VolumeSource: corev1.VolumeSource{
-			EmptyDir: &corev1.EmptyDirVolumeSource{},
+	job.Spec.Template.Spec.Volumes = append(job.Spec.Template.Spec.Volumes,
+		corev1.Volume{
+			Name: gitClonerVolumeName,
+			VolumeSource: corev1.VolumeSource{
+				EmptyDir: &corev1.EmptyDirVolumeSource{},
+			},
+		}, corev1.Volume{
+			Name: emptyDirVolumeName,
+			VolumeSource: corev1.VolumeSource{
+				EmptyDir: &corev1.EmptyDirVolumeSource{},
+			},
 		},
-	})
+	)
 
 	if obj.Spec.Git.CABundle != nil {
 		job.Spec.Template.Spec.Volumes = append(job.Spec.Template.Spec.Volumes, corev1.Volume{
@@ -247,6 +255,10 @@ func (h Handler) generateInitContainer(obj *v1.GitJob) (corev1.Container, error)
 			Name:      gitClonerVolumeName,
 			MountPath: "/workspace",
 		},
+		{
+			Name:      emptyDirVolumeName,
+			MountPath: "/tmp",
+		},
 	}
 	if obj.Spec.Git.Branch != "" {
 		args = append(args, "--branch", obj.Spec.Git.Branch)
@@ -299,5 +311,15 @@ func (h Handler) generateInitContainer(obj *v1.GitJob) (corev1.Container, error)
 		Image:        h.image,
 		Name:         "gitcloner-initializer",
 		VolumeMounts: volumeMounts,
+		SecurityContext: &corev1.SecurityContext{
+			AllowPrivilegeEscalation: &[]bool{false}[0],
+			ReadOnlyRootFilesystem:   &[]bool{true}[0],
+			Privileged:               &[]bool{false}[0],
+			Capabilities:             &corev1.Capabilities{Drop: []corev1.Capability{"ALL"}},
+			RunAsNonRoot:             &[]bool{true}[0],
+			SeccompProfile: &corev1.SeccompProfile{
+				Type: corev1.SeccompProfileTypeRuntimeDefault,
+			},
+		},
 	}, nil
 }