
Commit 1e2bb28

committed
restrict the test pods security context
1 parent 9c583f1 commit 1e2bb28


2 files changed

+17
-1
lines changed


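--- a/go.mod
+++ b/go.mod
@@ -22,6 +22,7 @@ require (
 k8s.io/apimachinery v0.26.2
 k8s.io/apiserver v0.26.2
 k8s.io/client-go v0.26.2
+k8s.io/utils v0.0.0-20221107191617-1a15be271d1d
 )
 
 require (
@@ -105,7 +106,6 @@ require (
 k8s.io/klog/v2 v2.80.1 // indirect
 k8s.io/kms v0.26.2 // indirect
 k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 // indirect
-k8s.io/utils v0.0.0-20221107191617-1a15be271d1d // indirect
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.35 // indirect
 sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect
 sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect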

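--- a/test/e2e/util.go
+++ b/test/e2e/util.go
@@ -25,6 +25,7 @@ import (
 
 authorizationv1 "k8s.io/api/authorization/v1"
 corev1 "k8s.io/api/core/v1"
+v1 "k8s.io/api/core/v1"
 "k8s.io/apimachinery/pkg/api/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/util/intstr"
@@ -34,6 +35,7 @@ import (
 "k8s.io/client-go/rest"
 "k8s.io/client-go/tools/clientcmd"
 cmdapi "k8s.io/client-go/tools/clientcmd/api"
+"k8s.io/utils/pointer"
 
 configv1 "github.com/openshift/api/config/v1"
 routev1 "github.com/openshift/api/route/v1"
@@ -667,6 +669,7 @@ func newOAuthProxyPod(proxyImage, backendImage string, extraProxyArgs []string,
 "--cookie-secret=SECRET",
 "--skip-provider-button",
 }, extraProxyArgs...)
+
 return &corev1.Pod{
 ObjectMeta: metav1.ObjectMeta{
 Name: "proxy",
@@ -675,6 +678,11 @@ func newOAuthProxyPod(proxyImage, backendImage string, extraProxyArgs []string,
 },
 },
 Spec: corev1.PodSpec{
+SecurityContext: &v1.PodSecurityContext{
+RunAsNonRoot: pointer.Bool(true),
+RunAsUser: pointer.Int64(1000),
+SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeRuntimeDefault},
+},
 Volumes: []corev1.Volume{
 {
 Name: "proxy-cert-volume",
@@ -692,6 +700,10 @@ func newOAuthProxyPod(proxyImage, backendImage string, extraProxyArgs []string,
 ImagePullPolicy: corev1.PullIfNotPresent,
 Name: "oauth-proxy",
 Args: proxyArgs,
+SecurityContext: &v1.SecurityContext{
+AllowPrivilegeEscalation: pointer.Bool(false),
+Capabilities: &v1.Capabilities{Drop: []v1.Capability{"ALL"}},
+},
 Ports: []corev1.ContainerPort{
 {
 ContainerPort: 8443,
@@ -707,6 +719,10 @@ func newOAuthProxyPod(proxyImage, backendImage string, extraProxyArgs []string,
 {
 Image: backendImage,
 Name: "hello-openshift",
+SecurityContext: &v1.SecurityContext{
+AllowPrivilegeEscalation: pointer.Bool(false),
+Capabilities: &v1.Capabilities{Drop: []v1.Capability{"ALL"}},
+},
 Ports: []corev1.ContainerPort{
 {
 ContainerPort: 8080,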
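Review bot: The first import hunk adds `v1 "k8s.io/api/core/v1"` although the file already imports the same package as `corev1` on the line above, so the new security-context fields in newOAuthProxyPod are written against a second alias of a package that is already in scope; drop the added import and use the existing alias, e.g. `SecurityContext: &corev1.PodSecurityContext{` and `SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault},`, and likewise `corev1.SecurityContext`, `corev1.Capabilities` and `corev1.Capability` in the two container hunks. Separately, the pod-level hunk pins `RunAsUser: pointer.Int64(1000)`; on OpenShift the restricted SCC normally assigns the UID from the namespace's allocated range, so an explicit UID outside that range may be rejected at admission unless the test's service account is granted a permissive SCC — if that is not intended, `RunAsNonRoot: pointer.Bool(true)` alone is sufficient to enforce the non-root requirement while letting the platform choose the UID, and a one-line comment such as `// UID pinned for <reason>; requires an SCC that allows it` would document the choice otherwise. The body of newOAuthProxyPod begins and ends outside the hunks.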
