fix: add missing seccompProfile to comply with restricted policy (#1493)

* fix: add missing seccompProfile to comply with restricted policy Signed-off-by: hamidos <[email protected]> * Add kuttl e2e test Signed-off-by: Siddhesh Ghadi <[email protected]> * Fix kuttl test Signed-off-by: Siddhesh Ghadi <[email protected]> --------- Signed-off-by: hamidos <[email protected]> Signed-off-by: Siddhesh Ghadi <[email protected]> Co-authored-by: Siddhesh Ghadi <[email protected]>
argoproj-labs · Aug 29, 2024 · e3bb558 · e3bb558
1 parent f6d77ef
commit e3bb558
Show file tree

Hide file tree

Showing 23 changed files with 237 additions and 0 deletions.
diff --git a/bundle/manifests/argocd-operator.clusterserviceversion.yaml b/bundle/manifests/argocd-operator.clusterserviceversion.yaml
@@ -1927,6 +1927,8 @@ spec:
                     - ALL
                   readOnlyRootFilesystem: true
                   runAsNonRoot: true
+                  seccompProfile:
+                    type: RuntimeDefault
               securityContext:
                 runAsNonRoot: true
               serviceAccountName: argocd-operator-controller-manager

diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml
@@ -39,3 +39,5 @@ spec:
           allowPrivilegeEscalation: false
           readOnlyRootFilesystem: true 
           runAsNonRoot: true
+          seccompProfile:
+            type: RuntimeDefault
diff --git a/config/default/manager_config_patch.yaml b/config/default/manager_config_patch.yaml
@@ -21,6 +21,8 @@ spec:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true 
            runAsNonRoot: true
+           seccompProfile:
+             type: RuntimeDefault 
       volumes:
       - name: manager-config
         configMap:

diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
@@ -40,6 +40,8 @@ spec:
           allowPrivilegeEscalation: false
           readOnlyRootFilesystem: true 
           runAsNonRoot: true
+          seccompProfile:
+            type: RuntimeDefault
         livenessProbe:
           httpGet:
             path: /healthz

diff --git a/controllers/argocd/applicationset.go b/controllers/argocd/applicationset.go
@@ -355,6 +355,9 @@ func (r *ReconcileArgoCD) applicationSetContainer(cr *argoproj.ArgoCD, addSCMGit
 			AllowPrivilegeEscalation: boolPtr(false),
 			ReadOnlyRootFilesystem:   boolPtr(true),
 			RunAsNonRoot:             boolPtr(true),
+			SeccompProfile: &corev1.SeccompProfile{
+				Type: "RuntimeDefault",
+			},
 		},
 	}
 	if addSCMGitlabVolumeMount {

diff --git a/controllers/argocd/dex.go b/controllers/argocd/dex.go
@@ -271,6 +271,9 @@ func (r *ReconcileArgoCD) reconcileDexDeployment(cr *argoproj.ArgoCD) error {
 				},
 			},
 			RunAsNonRoot: boolPtr(true),
+			SeccompProfile: &corev1.SeccompProfile{
+				Type: "RuntimeDefault",
+			},
 		},
 		VolumeMounts: []corev1.VolumeMount{{
 			Name:      "static-files",
@@ -298,6 +301,9 @@ func (r *ReconcileArgoCD) reconcileDexDeployment(cr *argoproj.ArgoCD) error {
 				},
 			},
 			RunAsNonRoot: boolPtr(true),
+			SeccompProfile: &corev1.SeccompProfile{
+				Type: "RuntimeDefault",
+			},
 		},
 		VolumeMounts: []corev1.VolumeMount{{
 			Name:      "static-files",

diff --git a/controllers/argocd/dex_test.go b/controllers/argocd/dex_test.go
@@ -280,6 +280,9 @@ func TestReconcileArgoCD_reconcileDexDeployment(t *testing.T) {
 						},
 					},
 					RunAsNonRoot: boolPtr(true),
+					SeccompProfile: &corev1.SeccompProfile{
+						Type: "RuntimeDefault",
+					},
 				},
 				VolumeMounts: []corev1.VolumeMount{
 					{
@@ -330,6 +333,9 @@ func TestReconcileArgoCD_reconcileDexDeployment(t *testing.T) {
 						},
 					},
 					RunAsNonRoot: boolPtr(true),
+					SeccompProfile: &corev1.SeccompProfile{
+						Type: "RuntimeDefault",
+					},
 				},
 				VolumeMounts: []corev1.VolumeMount{
 					{Name: "static-files", MountPath: "/shared"},
@@ -401,6 +407,9 @@ func TestReconcileArgoCD_reconcileDexDeployment_withUpdate(t *testing.T) {
 								},
 							},
 							RunAsNonRoot: boolPtr(true),
+							SeccompProfile: &corev1.SeccompProfile{
+								Type: "RuntimeDefault",
+							},
 						},
 						VolumeMounts: []corev1.VolumeMount{
 							{
@@ -451,6 +460,9 @@ func TestReconcileArgoCD_reconcileDexDeployment_withUpdate(t *testing.T) {
 								},
 							},
 							RunAsNonRoot: boolPtr(true),
+							SeccompProfile: &corev1.SeccompProfile{
+								Type: "RuntimeDefault",
+							},
 						},
 						VolumeMounts: []corev1.VolumeMount{
 							{Name: "static-files", MountPath: "/shared"},
@@ -514,6 +526,9 @@ func TestReconcileArgoCD_reconcileDexDeployment_withUpdate(t *testing.T) {
 								},
 							},
 							RunAsNonRoot: boolPtr(true),
+							SeccompProfile: &corev1.SeccompProfile{
+								Type: "RuntimeDefault",
+							},
 						},
 						VolumeMounts: []corev1.VolumeMount{
 							{
@@ -577,6 +592,9 @@ func TestReconcileArgoCD_reconcileDexDeployment_withUpdate(t *testing.T) {
 								},
 							},
 							RunAsNonRoot: boolPtr(true),
+							SeccompProfile: &corev1.SeccompProfile{
+								Type: "RuntimeDefault",
+							},
 						},
 						VolumeMounts: []corev1.VolumeMount{
 							{Name: "static-files", MountPath: "/shared"},

diff --git a/controllers/argocd/keycloak.go b/controllers/argocd/keycloak.go
@@ -236,6 +236,18 @@ func getKeycloakContainer(cr *argoproj.ArgoCD) corev1.Container {
 			{ContainerPort: 8443, Name: "https", Protocol: "TCP"},
 			{ContainerPort: 8888, Name: "ping", Protocol: "TCP"},
 		},
+		SecurityContext: &corev1.SecurityContext{
+			Capabilities: &corev1.Capabilities{
+				Drop: []corev1.Capability{
+					"ALL",
+				},
+			},
+			AllowPrivilegeEscalation: boolPtr(false),
+			RunAsNonRoot:             boolPtr(true),
+			SeccompProfile: &corev1.SeccompProfile{
+				Type: "RuntimeDefault",
+			},
+		},
 		ReadinessProbe: &corev1.Probe{
 			TimeoutSeconds:      240,
 			InitialDelaySeconds: 120,
@@ -627,6 +639,18 @@ func newKeycloakDeployment(cr *argoproj.ArgoCD) *k8sappsv1.Deployment {
 								{Name: "http", ContainerPort: httpPort},
 								{Name: "https", ContainerPort: portTLS},
 							},
+							SecurityContext: &corev1.SecurityContext{
+								Capabilities: &corev1.Capabilities{
+									Drop: []corev1.Capability{
+										"ALL",
+									},
+								},
+								AllowPrivilegeEscalation: boolPtr(false),
+								RunAsNonRoot:             boolPtr(true),
+								SeccompProfile: &corev1.SeccompProfile{
+									Type: "RuntimeDefault",
+								},
+							},
 							ReadinessProbe: &corev1.Probe{
 								ProbeHandler: corev1.ProbeHandler{
 									HTTPGet: &corev1.HTTPGetAction{

diff --git a/controllers/argocd/notifications.go b/controllers/argocd/notifications.go
@@ -393,6 +393,9 @@ func (r *ReconcileArgoCD) reconcileNotificationsDeployment(cr *argoproj.ArgoCD,
 					"ALL",
 				},
 			},
+			SeccompProfile: &corev1.SeccompProfile{
+				Type: "RuntimeDefault",
+			},
 		},
 		VolumeMounts: []corev1.VolumeMount{
 			{

diff --git a/controllers/argocd/notifications_test.go b/controllers/argocd/notifications_test.go
@@ -181,6 +181,9 @@ func TestReconcileNotifications_CreateDeployments(t *testing.T) {
 					"ALL",
 				},
 			},
+			SeccompProfile: &corev1.SeccompProfile{
+				Type: "RuntimeDefault",
+			},
 		},
 		VolumeMounts: []corev1.VolumeMount{
 			{

diff --git a/controllers/argocd/statefulset.go b/controllers/argocd/statefulset.go
@@ -198,6 +198,9 @@ func (r *ReconcileArgoCD) reconcileRedisStatefulSet(cr *argoproj.ArgoCD) error {
 					},
 				},
 				RunAsNonRoot: boolPtr(true),
+				SeccompProfile: &corev1.SeccompProfile{
+					Type: "RuntimeDefault",
+				},
 			},
 			VolumeMounts: []corev1.VolumeMount{
 				{
@@ -270,6 +273,9 @@ func (r *ReconcileArgoCD) reconcileRedisStatefulSet(cr *argoproj.ArgoCD) error {
 					},
 				},
 				RunAsNonRoot: boolPtr(true),
+				SeccompProfile: &corev1.SeccompProfile{
+					Type: "RuntimeDefault",
+				},
 			},
 			VolumeMounts: []corev1.VolumeMount{
 				{
@@ -332,6 +338,9 @@ func (r *ReconcileArgoCD) reconcileRedisStatefulSet(cr *argoproj.ArgoCD) error {
 				},
 			},
 			RunAsNonRoot: boolPtr(true),
+			SeccompProfile: &corev1.SeccompProfile{
+				Type: "RuntimeDefault",
+			},
 		},
 		VolumeMounts: []corev1.VolumeMount{
 			{
@@ -618,6 +627,9 @@ func (r *ReconcileArgoCD) reconcileApplicationControllerStatefulSet(cr *argoproj
 				},
 			},
 			RunAsNonRoot: boolPtr(true),
+			SeccompProfile: &corev1.SeccompProfile{
+				Type: "RuntimeDefault",
+			},
 		},
 		VolumeMounts: controllerVolumeMounts,
 	}}
@@ -703,6 +715,9 @@ func (r *ReconcileArgoCD) reconcileApplicationControllerStatefulSet(cr *argoproj
 					},
 				},
 				RunAsNonRoot: boolPtr(true),
+				SeccompProfile: &corev1.SeccompProfile{
+					Type: "RuntimeDefault",
+				},
 			},
 			VolumeMounts: getArgoImportVolumeMounts(),
 		}}

diff --git a/controllers/argocdexport/job.go b/controllers/argocdexport/job.go
@@ -186,6 +186,9 @@ func newExportPodSpec(cr *argoproj.ArgoCDExport, argocdName string, client clien
 				},
 			},
 			RunAsNonRoot: boolPtr(true),
+			SeccompProfile: &corev1.SeccompProfile{
+				Type: "RuntimeDefault",
+			},
 		},
 		VolumeMounts: getArgoExportVolumeMounts(),
 	}}

diff --git a/deploy/olm-catalog/argocd-operator/0.12.0/argocd-operator.v0.12.0.clusterserviceversion.yaml b/deploy/olm-catalog/argocd-operator/0.12.0/argocd-operator.v0.12.0.clusterserviceversion.yaml
@@ -1927,6 +1927,8 @@ spec:
                     - ALL
                   readOnlyRootFilesystem: true
                   runAsNonRoot: true
+                  seccompProfile:
+                    type: RuntimeDefault
               securityContext:
                 runAsNonRoot: true
               serviceAccountName: argocd-operator-controller-manager

diff --git a/tests/k8s/1-042_restricted_pss_compliant/01-assert.yaml b/tests/k8s/1-042_restricted_pss_compliant/01-assert.yaml
@@ -0,0 +1,27 @@
+# test will fail on clusters with less than 3 nodes
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: test-1-042-restricted-pss-compliant
+  labels:
+    pod-security.kubernetes.io/enforce: restricted
+    pod-security.kubernetes.io/enforce-version: latest
+    pod-security.kubernetes.io/warn: restricted
+    pod-security.kubernetes.io/warn-version: latest
+    pod-security.kubernetes.io/audit: restricted
+    pod-security.kubernetes.io/audit-version: latest
+---
+apiVersion: argoproj.io/v1beta1
+kind: ArgoCD
+metadata:
+  name: argocd
+  namespace: test-1-042-restricted-pss-compliant
+status:
+  applicationController: Running
+  applicationSetController: Running
+  notificationsController: Running
+  phase: Available
+  redis: Running
+  repo: Running
+  server: Running
+  sso: Running
diff --git a/tests/k8s/1-042_restricted_pss_compliant/01-install-argocd-in-restricted-pss-ns copy.yaml b/tests/k8s/1-042_restricted_pss_compliant/01-install-argocd-in-restricted-pss-ns copy.yaml
@@ -0,0 +1,28 @@
+# test will fail on clusters with less than 3 nodes
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: test-1-042-restricted-pss-compliant
+  labels:
+    pod-security.kubernetes.io/enforce: restricted
+    pod-security.kubernetes.io/enforce-version: latest
+    pod-security.kubernetes.io/warn: restricted
+    pod-security.kubernetes.io/warn-version: latest
+    pod-security.kubernetes.io/audit: restricted
+    pod-security.kubernetes.io/audit-version: latest
+---
+apiVersion: argoproj.io/v1beta1
+kind: ArgoCD
+metadata:
+  name: argocd
+  namespace: test-1-042-restricted-pss-compliant
+spec:
+  applicationSet:
+    enabled: true
+  notifications:
+    enabled: true
+  sso:
+    provider: dex
+    dex:
+      openShiftOAuth: true
diff --git a/tests/k8s/1-042_restricted_pss_compliant/02-check-pod.yaml b/tests/k8s/1-042_restricted_pss_compliant/02-check-pod.yaml
@@ -0,0 +1,11 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - script: sleep 10
+  - script: kubectl get pods -n test-1-042-restricted-pss-compliant | grep 'argocd-application-controller'
+  - script: kubectl get pods -n test-1-042-restricted-pss-compliant | grep 'argocd-applicationset-controller'
+  - script: kubectl get pods -n test-1-042-restricted-pss-compliant | grep 'argocd-dex-server'
+  - script: kubectl get pods -n test-1-042-restricted-pss-compliant | grep 'argocd-notifications-controller'
+  - script: kubectl get pods -n test-1-042-restricted-pss-compliant | grep 'argocd-redis'
+  - script: kubectl get pods -n test-1-042-restricted-pss-compliant | grep 'argocd-repo-server'
+  - script: kubectl get pods -n test-1-042-restricted-pss-compliant | grep 'argocd-server'
diff --git a/tests/k8s/1-042_restricted_pss_compliant/03-assert.yaml b/tests/k8s/1-042_restricted_pss_compliant/03-assert.yaml
@@ -0,0 +1,18 @@
+apiVersion: argoproj.io/v1beta1
+kind: ArgoCD
+metadata:
+  name: argocd
+  namespace: test-1-042-restricted-pss-compliant
+status:
+  applicationController: Running
+  phase: Available
+  redis: Running
+  repo: Running
+  server: Running
+  #sso: Running  # due to bug in keycloak service code, status remains as Pending
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: keycloak
+  namespace: test-1-042-restricted-pss-compliant
diff --git a/tests/k8s/1-042_restricted_pss_compliant/03-enable-keycloak-sso.yaml b/tests/k8s/1-042_restricted_pss_compliant/03-enable-keycloak-sso.yaml
@@ -0,0 +1,17 @@
+apiVersion: argoproj.io/v1beta1
+kind: ArgoCD
+metadata:
+  name: argocd
+  namespace: test-1-042-restricted-pss-compliant
+spec:
+  sso:
+    provider: keycloak
+    keycloak:
+      verifyTLS: false
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+- script: |
+    kubectl patch -n test-1-042-restricted-pss-compliant argocd/argocd --type='json' -p='[{"op": "remove", "path": "/spec/sso/dex"}]'
+
diff --git a/tests/k8s/1-042_restricted_pss_compliant/04-check-pod.yaml b/tests/k8s/1-042_restricted_pss_compliant/04-check-pod.yaml
@@ -0,0 +1,5 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - script: sleep 10
+  - script: kubectl get pods -n test-1-042-restricted-pss-compliant | grep 'keycloak'
diff --git a/tests/k8s/1-042_restricted_pss_compliant/05-assert.yaml b/tests/k8s/1-042_restricted_pss_compliant/05-assert.yaml
@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1beta1
+kind: ArgoCD
+metadata:
+  name: argocd
+  namespace: test-1-042-restricted-pss-compliant
+status:
+  applicationController: Running
+  #phase: Available
+  #redis: Running
+  repo: Running
+  server: Running
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: argocd-redis-ha-server
+  namespace: test-1-042-restricted-pss-compliant
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: argocd-redis-ha-haproxy
+  namespace: test-1-042-restricted-pss-compliant
+
diff --git a/tests/k8s/1-042_restricted_pss_compliant/05-enable-redis-ha.yaml b/tests/k8s/1-042_restricted_pss_compliant/05-enable-redis-ha.yaml
@@ -0,0 +1,9 @@
+# test will fail on clusters with less than 3 nodes
+apiVersion: argoproj.io/v1beta1
+kind: ArgoCD
+metadata:
+  name: argocd
+  namespace: test-1-042-restricted-pss-compliant
+spec:
+  ha:
+    enabled: true