From e3bb558ea332617ad6529138996edd8b13ca6e1e Mon Sep 17 00:00:00 2001 From: Hamid Edouiki Date: Thu, 29 Aug 2024 15:37:34 +0100 Subject: [PATCH] fix: add missing seccompProfile to comply with restricted policy (#1493) * fix: add missing seccompProfile to comply with restricted policy Signed-off-by: hamidos * Add kuttl e2e test Signed-off-by: Siddhesh Ghadi * Fix kuttl test Signed-off-by: Siddhesh Ghadi --------- Signed-off-by: hamidos 
Signed-off-by: Siddhesh Ghadi Co-authored-by: Siddhesh Ghadi --- ...argocd-operator.clusterserviceversion.yaml | 2 ++ config/default/manager_auth_proxy_patch.yaml | 2 ++ config/default/manager_config_patch.yaml | 2 ++ config/manager/manager.yaml | 2 ++ controllers/argocd/applicationset.go | 3 ++ controllers/argocd/dex.go | 6 ++++ controllers/argocd/dex_test.go | 18 ++++++++++++ controllers/argocd/keycloak.go | 24 ++++++++++++++++ controllers/argocd/notifications.go | 3 ++ controllers/argocd/notifications_test.go | 3 ++ controllers/argocd/statefulset.go | 15 ++++++++++ controllers/argocdexport/job.go | 3 ++ ...perator.v0.12.0.clusterserviceversion.yaml | 2 ++ .../01-assert.yaml | 27 ++++++++++++++++++ ...tall-argocd-in-restricted-pss-ns copy.yaml | 28 +++++++++++++++++++ .../02-check-pod.yaml | 11 ++++++++ .../03-assert.yaml | 18 ++++++++++++ .../03-enable-keycloak-sso.yaml | 17 +++++++++++ .../04-check-pod.yaml | 5 ++++ .../05-assert.yaml | 24 ++++++++++++++++ .../05-enable-redis-ha.yaml | 9 ++++++ .../06-check-pod.yaml | 6 ++++ .../99-delete.yaml | 7 +++++ 23 files changed, 237 insertions(+) create mode 100644 tests/k8s/1-042_restricted_pss_compliant/01-assert.yaml create mode 100644 tests/k8s/1-042_restricted_pss_compliant/01-install-argocd-in-restricted-pss-ns copy.yaml create mode 100644 tests/k8s/1-042_restricted_pss_compliant/02-check-pod.yaml create mode 100644 tests/k8s/1-042_restricted_pss_compliant/03-assert.yaml create mode 100644 tests/k8s/1-042_restricted_pss_compliant/03-enable-keycloak-sso.yaml create mode 100644 tests/k8s/1-042_restricted_pss_compliant/04-check-pod.yaml create mode 100644 tests/k8s/1-042_restricted_pss_compliant/05-assert.yaml create mode 100644 tests/k8s/1-042_restricted_pss_compliant/05-enable-redis-ha.yaml create mode 100644 tests/k8s/1-042_restricted_pss_compliant/06-check-pod.yaml create mode 100644 tests/k8s/1-042_restricted_pss_compliant/99-delete.yaml 
diff --git a/bundle/manifests/argocd-operator.clusterserviceversion.yaml b/bundle/manifests/argocd-operator.clusterserviceversion.yaml index 0dfa16345..8ccb3060b 100644 --- a/bundle/manifests/argocd-operator.clusterserviceversion.yaml +++ b/bundle/manifests/argocd-operator.clusterserviceversion.yaml @@ -1927,6 +1927,8 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true + seccompProfile: + type: RuntimeDefault securityContext: runAsNonRoot: true serviceAccountName: argocd-operator-controller-manager diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml index e5fe9ed97..ca89c8a77 100644 --- a/config/default/manager_auth_proxy_patch.yaml +++ b/config/default/manager_auth_proxy_patch.yaml @@ -39,3 +39,5 @@ spec: allowPrivilegeEscalation: false readOnlyRootFilesystem: true runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/config/default/manager_config_patch.yaml b/config/default/manager_config_patch.yaml index d7eca2d68..780d0003a 100644 --- a/config/default/manager_config_patch.yaml +++ b/config/default/manager_config_patch.yaml @@ -21,6 +21,8 @@ spec: allowPrivilegeEscalation: false readOnlyRootFilesystem: true runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - name: manager-config configMap: diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml index 7f86e3bde..58d17c23c 100644 --- a/config/manager/manager.yaml +++ b/config/manager/manager.yaml @@ -40,6 +40,8 @@ spec: allowPrivilegeEscalation: false readOnlyRootFilesystem: true runAsNonRoot: true + seccompProfile: + type: RuntimeDefault livenessProbe: httpGet: path: /healthz diff --git a/controllers/argocd/applicationset.go b/controllers/argocd/applicationset.go index 7580ff46c..9dd5dafbf 100644 --- a/controllers/argocd/applicationset.go +++ b/controllers/argocd/applicationset.go 
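Review bot: The new `seccompProfile` in manager.yaml is added only to the container-level securityContext, so every container that ends up in the manager pod (the one patched in manager_auth_proxy_patch.yaml, or any sidecar injected later) needs its own copy to stay admissible under the restricted profile. The bundle CSV hunk shows a pod-level `securityContext: runAsNonRoot: true` right after the container block; adding `seccompProfile:` / `  type: RuntimeDefault` under that pod-level `securityContext:` makes it the default for all containers and turns the per-container entries into harmless overrides. The pod-level securityContext of manager.yaml itself is outside this hunk, so confirm it exists before adding the two lines there. The same consideration applies to the manager_config_patch.yaml hunk.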
@@ -355,6 +355,9 @@ func (r *ReconcileArgoCD) applicationSetContainer(cr *argoproj.ArgoCD, addSCMGit AllowPrivilegeEscalation: boolPtr(false), ReadOnlyRootFilesystem: boolPtr(true), RunAsNonRoot: boolPtr(true), + SeccompProfile: &corev1.SeccompProfile{ + Type: "RuntimeDefault", + }, }, } if addSCMGitlabVolumeMount { diff --git a/controllers/argocd/dex.go b/controllers/argocd/dex.go index 51b1a3467..93d534076 100644 --- a/controllers/argocd/dex.go +++ b/controllers/argocd/dex.go @@ -271,6 +271,9 @@ func (r *ReconcileArgoCD) reconcileDexDeployment(cr *argoproj.ArgoCD) error { }, }, RunAsNonRoot: boolPtr(true), + SeccompProfile: &corev1.SeccompProfile{ + Type: "RuntimeDefault", + }, }, VolumeMounts: []corev1.VolumeMount{{ Name: "static-files", @@ -298,6 +301,9 @@ func (r *ReconcileArgoCD) reconcileDexDeployment(cr *argoproj.ArgoCD) error { }, }, RunAsNonRoot: boolPtr(true), + SeccompProfile: &corev1.SeccompProfile{ + Type: "RuntimeDefault", + }, }, VolumeMounts: []corev1.VolumeMount{{ Name: "static-files", diff --git a/controllers/argocd/dex_test.go b/controllers/argocd/dex_test.go index 707c79788..5385d5f82 100644 --- a/controllers/argocd/dex_test.go +++ b/controllers/argocd/dex_test.go @@ -280,6 +280,9 @@ func TestReconcileArgoCD_reconcileDexDeployment(t *testing.T) { }, }, RunAsNonRoot: boolPtr(true), + SeccompProfile: &corev1.SeccompProfile{ + Type: "RuntimeDefault", + }, }, VolumeMounts: []corev1.VolumeMount{ { @@ -330,6 +333,9 @@ func TestReconcileArgoCD_reconcileDexDeployment(t *testing.T) { }, }, RunAsNonRoot: boolPtr(true), + SeccompProfile: &corev1.SeccompProfile{ + Type: "RuntimeDefault", + }, }, VolumeMounts: []corev1.VolumeMount{ {Name: "static-files", MountPath: "/shared"}, @@ -401,6 +407,9 @@ func TestReconcileArgoCD_reconcileDexDeployment_withUpdate(t *testing.T) { }, }, RunAsNonRoot: boolPtr(true), + SeccompProfile: &corev1.SeccompProfile{ + Type: "RuntimeDefault", + }, }, VolumeMounts: []corev1.VolumeMount{ { 
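Review bot: `Type: "RuntimeDefault"` is an untyped string literal assigned to a `corev1.SeccompProfileType` field; the API package exports a constant for this value, so `Type: corev1.SeccompProfileTypeRuntimeDefault,` states the intent and lets the compiler catch a typo. The identical block is repeated in the dex.go, dex_test.go, keycloak.go, notifications.go, notifications_test.go, statefulset.go and job.go hunks, so a small package-level helper returning `&corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault}` would keep the copies from drifting. The enclosing `applicationSetContainer` function starts and ends outside the hunk. Per the diffstat only dex_test.go and notifications_test.go are updated; if unit tests with expected container specs exist for applicationset.go, keycloak.go, statefulset.go or job.go elsewhere, they will presumably need the same field.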
@@ -451,6 +460,9 @@ func TestReconcileArgoCD_reconcileDexDeployment_withUpdate(t *testing.T) { }, }, RunAsNonRoot: boolPtr(true), + SeccompProfile: &corev1.SeccompProfile{ + Type: "RuntimeDefault", + }, }, VolumeMounts: []corev1.VolumeMount{ {Name: "static-files", MountPath: "/shared"}, @@ -514,6 +526,9 @@ func TestReconcileArgoCD_reconcileDexDeployment_withUpdate(t *testing.T) { }, }, RunAsNonRoot: boolPtr(true), + SeccompProfile: &corev1.SeccompProfile{ + Type: "RuntimeDefault", + }, }, VolumeMounts: []corev1.VolumeMount{ { @@ -577,6 +592,9 @@ func TestReconcileArgoCD_reconcileDexDeployment_withUpdate(t *testing.T) { }, }, RunAsNonRoot: boolPtr(true), + SeccompProfile: &corev1.SeccompProfile{ + Type: "RuntimeDefault", + }, }, VolumeMounts: []corev1.VolumeMount{ {Name: "static-files", MountPath: "/shared"}, diff --git a/controllers/argocd/keycloak.go b/controllers/argocd/keycloak.go index 425080534..f5ad51057 100644 --- a/controllers/argocd/keycloak.go +++ b/controllers/argocd/keycloak.go @@ -236,6 +236,18 @@ func getKeycloakContainer(cr *argoproj.ArgoCD) corev1.Container { {ContainerPort: 8443, Name: "https", Protocol: "TCP"}, {ContainerPort: 8888, Name: "ping", Protocol: "TCP"}, }, + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{ + "ALL", + }, + }, + AllowPrivilegeEscalation: boolPtr(false), + RunAsNonRoot: boolPtr(true), + SeccompProfile: &corev1.SeccompProfile{ + Type: "RuntimeDefault", + }, + }, ReadinessProbe: &corev1.Probe{ TimeoutSeconds: 240, InitialDelaySeconds: 120, 
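Review bot: The new `SecurityContext` in getKeycloakContainer sets `RunAsNonRoot: boolPtr(true)` without a `RunAsUser`, so the check can only be satisfied if the Keycloak image declares a numeric non-root user; with a named or absent `USER` the container is refused at start (CreateContainerConfigError) rather than at pod creation, which a `kubectl get pods | grep keycloak` step does not detect. This is worth confirming for both images, since the @@ -627 hunk in newKeycloakDeployment adds the same block, and the commented-out `#sso: Running` line in the new 03-assert.yaml suggests the keycloak path does not fully reconcile in the e2e test. Unlike the other containers touched by this commit, `ReadOnlyRootFilesystem` is not set here; if that is deliberate, a one-line comment such as `// ReadOnlyRootFilesystem intentionally unset; confirm whether the image needs a writable root before enabling` would stop the next reviewer from adding it blindly. Both enclosing functions start and end outside their hunks.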
@@ -627,6 +639,18 @@ func newKeycloakDeployment(cr *argoproj.ArgoCD) *k8sappsv1.Deployment { {Name: "http", ContainerPort: httpPort}, {Name: "https", ContainerPort: portTLS}, }, + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{ + "ALL", + }, + }, + AllowPrivilegeEscalation: boolPtr(false), + RunAsNonRoot: boolPtr(true), + SeccompProfile: &corev1.SeccompProfile{ + Type: "RuntimeDefault", + }, + }, ReadinessProbe: &corev1.Probe{ ProbeHandler: corev1.ProbeHandler{ HTTPGet: &corev1.HTTPGetAction{ diff --git a/controllers/argocd/notifications.go b/controllers/argocd/notifications.go index ae4a00030..d5b282005 100644 --- a/controllers/argocd/notifications.go +++ b/controllers/argocd/notifications.go @@ -393,6 +393,9 @@ func (r *ReconcileArgoCD) reconcileNotificationsDeployment(cr *argoproj.ArgoCD, "ALL", }, }, + SeccompProfile: &corev1.SeccompProfile{ + Type: "RuntimeDefault", + }, }, VolumeMounts: []corev1.VolumeMount{ { diff --git a/controllers/argocd/notifications_test.go b/controllers/argocd/notifications_test.go index 79fabf5a1..cfbb9f051 100644 --- a/controllers/argocd/notifications_test.go +++ b/controllers/argocd/notifications_test.go @@ -181,6 +181,9 @@ func TestReconcileNotifications_CreateDeployments(t *testing.T) { "ALL", }, }, + SeccompProfile: &corev1.SeccompProfile{ + Type: "RuntimeDefault", + }, }, VolumeMounts: []corev1.VolumeMount{ { diff --git a/controllers/argocd/statefulset.go b/controllers/argocd/statefulset.go index fb36f62c1..68e1e9f7a 100644 --- a/controllers/argocd/statefulset.go +++ b/controllers/argocd/statefulset.go @@ -198,6 +198,9 @@ func (r *ReconcileArgoCD) reconcileRedisStatefulSet(cr *argoproj.ArgoCD) error { }, }, RunAsNonRoot: boolPtr(true), + SeccompProfile: &corev1.SeccompProfile{ + Type: "RuntimeDefault", + }, }, VolumeMounts: []corev1.VolumeMount{ { 
@@ -270,6 +273,9 @@ func (r *ReconcileArgoCD) reconcileRedisStatefulSet(cr *argoproj.ArgoCD) error { }, }, RunAsNonRoot: boolPtr(true), + SeccompProfile: &corev1.SeccompProfile{ + Type: "RuntimeDefault", + }, }, VolumeMounts: []corev1.VolumeMount{ { @@ -332,6 +338,9 @@ func (r *ReconcileArgoCD) reconcileRedisStatefulSet(cr *argoproj.ArgoCD) error { }, }, RunAsNonRoot: boolPtr(true), + SeccompProfile: &corev1.SeccompProfile{ + Type: "RuntimeDefault", + }, }, VolumeMounts: []corev1.VolumeMount{ { @@ -618,6 +627,9 @@ func (r *ReconcileArgoCD) reconcileApplicationControllerStatefulSet(cr *argoproj }, }, RunAsNonRoot: boolPtr(true), + SeccompProfile: &corev1.SeccompProfile{ + Type: "RuntimeDefault", + }, }, VolumeMounts: controllerVolumeMounts, }} @@ -703,6 +715,9 @@ func (r *ReconcileArgoCD) reconcileApplicationControllerStatefulSet(cr *argoproj }, }, RunAsNonRoot: boolPtr(true), + SeccompProfile: &corev1.SeccompProfile{ + Type: "RuntimeDefault", + }, }, VolumeMounts: getArgoImportVolumeMounts(), }} diff --git a/controllers/argocdexport/job.go b/controllers/argocdexport/job.go index 577702b21..d692d5a53 100644 --- a/controllers/argocdexport/job.go +++ b/controllers/argocdexport/job.go @@ -186,6 +186,9 @@ func newExportPodSpec(cr *argoproj.ArgoCDExport, argocdName string, client clien }, }, RunAsNonRoot: boolPtr(true), + SeccompProfile: &corev1.SeccompProfile{ + Type: "RuntimeDefault", + }, }, VolumeMounts: getArgoExportVolumeMounts(), }} diff --git a/deploy/olm-catalog/argocd-operator/0.12.0/argocd-operator.v0.12.0.clusterserviceversion.yaml b/deploy/olm-catalog/argocd-operator/0.12.0/argocd-operator.v0.12.0.clusterserviceversion.yaml index 0dfa16345..8ccb3060b 100644 --- a/deploy/olm-catalog/argocd-operator/0.12.0/argocd-operator.v0.12.0.clusterserviceversion.yaml +++ b/deploy/olm-catalog/argocd-operator/0.12.0/argocd-operator.v0.12.0.clusterserviceversion.yaml 
@@ -1927,6 +1927,8 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true + seccompProfile: + type: RuntimeDefault securityContext: runAsNonRoot: true serviceAccountName: argocd-operator-controller-manager diff --git a/tests/k8s/1-042_restricted_pss_compliant/01-assert.yaml b/tests/k8s/1-042_restricted_pss_compliant/01-assert.yaml new file mode 100644 index 000000000..e25d545e2 --- /dev/null +++ b/tests/k8s/1-042_restricted_pss_compliant/01-assert.yaml @@ -0,0 +1,27 @@ +# test will fail on clusters with less than 3 nodes +apiVersion: v1 +kind: Namespace +metadata: + name: test-1-042-restricted-pss-compliant + labels: + pod-security.kubernetes.io/enforce: restricted + pod-security.kubernetes.io/enforce-version: latest + pod-security.kubernetes.io/warn: restricted + pod-security.kubernetes.io/warn-version: latest + pod-security.kubernetes.io/audit: restricted + pod-security.kubernetes.io/audit-version: latest +--- +apiVersion: argoproj.io/v1beta1 +kind: ArgoCD +metadata: + name: argocd + namespace: test-1-042-restricted-pss-compliant +status: + applicationController: Running + applicationSetController: Running + notificationsController: Running + phase: Available + redis: Running + repo: Running + server: Running + sso: Running \ No newline at end of file diff --git a/tests/k8s/1-042_restricted_pss_compliant/01-install-argocd-in-restricted-pss-ns copy.yaml b/tests/k8s/1-042_restricted_pss_compliant/01-install-argocd-in-restricted-pss-ns copy.yaml new file mode 100644 index 000000000..c663ac515 --- /dev/null +++ b/tests/k8s/1-042_restricted_pss_compliant/01-install-argocd-in-restricted-pss-ns copy.yaml 
@@ -0,0 +1,28 @@ +# test will fail on clusters with less than 3 nodes +--- +apiVersion: v1 +kind: Namespace +metadata: + name: test-1-042-restricted-pss-compliant + labels: + pod-security.kubernetes.io/enforce: restricted + pod-security.kubernetes.io/enforce-version: latest + pod-security.kubernetes.io/warn: restricted + pod-security.kubernetes.io/warn-version: latest + pod-security.kubernetes.io/audit: restricted + pod-security.kubernetes.io/audit-version: latest +--- +apiVersion: argoproj.io/v1beta1 +kind: ArgoCD +metadata: + name: argocd + namespace: test-1-042-restricted-pss-compliant +spec: + applicationSet: + enabled: true + notifications: + enabled: true + sso: + provider: dex + dex: + openShiftOAuth: true diff --git a/tests/k8s/1-042_restricted_pss_compliant/02-check-pod.yaml b/tests/k8s/1-042_restricted_pss_compliant/02-check-pod.yaml new file mode 100644 index 000000000..6eb01e9e0 --- /dev/null +++ b/tests/k8s/1-042_restricted_pss_compliant/02-check-pod.yaml @@ -0,0 +1,11 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: + - script: sleep 10 + - script: kubectl get pods -n test-1-042-restricted-pss-compliant | grep 'argocd-application-controller' + - script: kubectl get pods -n test-1-042-restricted-pss-compliant | grep 'argocd-applicationset-controller' + - script: kubectl get pods -n test-1-042-restricted-pss-compliant | grep 'argocd-dex-server' + - script: kubectl get pods -n test-1-042-restricted-pss-compliant | grep 'argocd-notifications-controller' + - script: kubectl get pods -n test-1-042-restricted-pss-compliant | grep 'argocd-redis' + - script: kubectl get pods -n test-1-042-restricted-pss-compliant | grep 'argocd-repo-server' + - script: kubectl get pods -n test-1-042-restricted-pss-compliant | grep 'argocd-server' diff --git a/tests/k8s/1-042_restricted_pss_compliant/03-assert.yaml b/tests/k8s/1-042_restricted_pss_compliant/03-assert.yaml new file mode 100644 index 000000000..75bea1c7a --- /dev/null 
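Review bot: The step file is named `01-install-argocd-in-restricted-pss-ns copy.yaml`, with a literal ` copy` and an embedded space, which looks like an accidental duplicate left over from editing; renaming it to `01-install-argocd-in-restricted-pss-ns.yaml` makes the kuttl step name intentional and shell-safe. The leading comment `# test will fail on clusters with less than 3 nodes` describes the Redis HA requirement, which only applies once 05-enable-redis-ha.yaml sets `ha.enabled`; in step 01 it is misleading and can be dropped, since 05-enable-redis-ha.yaml already carries it. The Namespace labels use `enforce-version: latest`, so the test tracks whatever the cluster's current restricted profile demands and may start failing after a cluster upgrade tightens it, which is fine if intended but deserves a short comment on the label.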
+++ b/tests/k8s/1-042_restricted_pss_compliant/03-assert.yaml @@ -0,0 +1,18 @@ +apiVersion: argoproj.io/v1beta1 +kind: ArgoCD +metadata: + name: argocd + namespace: test-1-042-restricted-pss-compliant +status: + applicationController: Running + phase: Available + redis: Running + repo: Running + server: Running + #sso: Running # due to bug in keycloak service code, status remains as Pending +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: keycloak + namespace: test-1-042-restricted-pss-compliant diff --git a/tests/k8s/1-042_restricted_pss_compliant/03-enable-keycloak-sso.yaml b/tests/k8s/1-042_restricted_pss_compliant/03-enable-keycloak-sso.yaml new file mode 100644 index 000000000..5bee99371 --- /dev/null +++ b/tests/k8s/1-042_restricted_pss_compliant/03-enable-keycloak-sso.yaml @@ -0,0 +1,17 @@ +apiVersion: argoproj.io/v1beta1 +kind: ArgoCD +metadata: + name: argocd + namespace: test-1-042-restricted-pss-compliant +spec: + sso: + provider: keycloak + keycloak: + verifyTLS: false +--- +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: +- script: | + kubectl patch -n test-1-042-restricted-pss-compliant argocd/argocd --type='json' -p='[{"op": "remove", "path": "/spec/sso/dex"}]' + diff --git a/tests/k8s/1-042_restricted_pss_compliant/04-check-pod.yaml b/tests/k8s/1-042_restricted_pss_compliant/04-check-pod.yaml new file mode 100644 index 000000000..7801cd57c --- /dev/null +++ b/tests/k8s/1-042_restricted_pss_compliant/04-check-pod.yaml @@ -0,0 +1,5 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: + - script: sleep 10 + - script: kubectl get pods -n test-1-042-restricted-pss-compliant | grep 'keycloak' diff --git a/tests/k8s/1-042_restricted_pss_compliant/05-assert.yaml b/tests/k8s/1-042_restricted_pss_compliant/05-assert.yaml new file mode 100644 index 000000000..f5e0f060e --- /dev/null +++ b/tests/k8s/1-042_restricted_pss_compliant/05-assert.yaml 
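Review bot: The keycloak assertion only requires that a Deployment named `keycloak` exists, which holds even when the restricted profile rejects its pods, because pod-security admission rejects the Pod objects created by the ReplicaSet and not the Deployment itself; with the `sso: Running` status line commented out, nothing in this step proves a Keycloak pod was actually admitted. Adding `status:` / `  readyReplicas: 1` to the Deployment assert pins the behavior this test exists for, and the 05-assert.yaml hunk has the same gap for `argocd-redis-ha-server` and `argocd-redis-ha-haproxy` (with `phase` and `redis` also commented out) and could assert `readyReplicas` the same way. The `kubectl get pods | grep` steps in 02/04/06-check-pod.yaml fail when no pod exists but also pass for a pod stuck in CreateContainerConfigError or CrashLoopBackOff, so they are not a substitute for a readiness assert.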
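Review bot: `verifyTLS: false` in 03-enable-keycloak-sso.yaml disables certificate verification between Argo CD and Keycloak and carries no explanation; presumably it is needed because the operator-provisioned Keycloak serves a self-signed certificate in the test cluster, but the block reads as a template someone could copy into a real deployment. A comment on that line such as `# verifyTLS is false only because the e2e Keycloak uses a self-signed certificate; keep it true outside tests` keeps the intent clear.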
@@ -0,0 +1,24 @@ +apiVersion: argoproj.io/v1beta1 +kind: ArgoCD +metadata: + name: argocd + namespace: test-1-042-restricted-pss-compliant +status: + applicationController: Running + #phase: Available + #redis: Running + repo: Running + server: Running +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: argocd-redis-ha-server + namespace: test-1-042-restricted-pss-compliant +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: argocd-redis-ha-haproxy + namespace: test-1-042-restricted-pss-compliant + diff --git a/tests/k8s/1-042_restricted_pss_compliant/05-enable-redis-ha.yaml b/tests/k8s/1-042_restricted_pss_compliant/05-enable-redis-ha.yaml new file mode 100644 index 000000000..b76ad4f8d --- /dev/null +++ b/tests/k8s/1-042_restricted_pss_compliant/05-enable-redis-ha.yaml @@ -0,0 +1,9 @@ +# test will fail on clusters with less than 3 nodes +apiVersion: argoproj.io/v1beta1 +kind: ArgoCD +metadata: + name: argocd + namespace: test-1-042-restricted-pss-compliant +spec: + ha: + enabled: true diff --git a/tests/k8s/1-042_restricted_pss_compliant/06-check-pod.yaml b/tests/k8s/1-042_restricted_pss_compliant/06-check-pod.yaml new file mode 100644 index 000000000..a20379515 --- /dev/null +++ b/tests/k8s/1-042_restricted_pss_compliant/06-check-pod.yaml @@ -0,0 +1,6 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: + - script: sleep 10 + - script: kubectl get pods -n test-1-042-restricted-pss-compliant | grep 'argocd-redis-ha-haproxy' + - script: kubectl get pods -n test-1-042-restricted-pss-compliant | grep 'argocd-redis-ha-server' diff --git a/tests/k8s/1-042_restricted_pss_compliant/99-delete.yaml b/tests/k8s/1-042_restricted_pss_compliant/99-delete.yaml new file mode 100644 index 000000000..d027e622b --- /dev/null +++ b/tests/k8s/1-042_restricted_pss_compliant/99-delete.yaml 
@@ -0,0 +1,7 @@ +--- +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +delete: +- apiVersion: v1 + kind: Namespace + name: test-1-042-restricted-pss-compliant \ No newline at end of file