Make HNC container runasnonroot for security

Make HNC container runasnonroot for security and usability on more Kubernetes distributions (e.g. Openshift only allows non-root containers). Add port flag to change the container port to a port number not reserved for root (below 1024). Add securityContext to manager pod to run as non root. Tested on a GKE cluster. The webhooks worked fine.
kubernetes-retired · May 1, 2020 · 4ee9810 · 4ee9810
1 parent c34afd6
commit 4ee9810
Show file tree

Hide file tree

Showing 4 changed files with 10 additions and 2 deletions.
diff --git a/incubator/hnc/cmd/manager/main.go b/incubator/hnc/cmd/manager/main.go
@@ -57,6 +57,7 @@ var (
 	testLog              bool
 	internalCert         bool
 	qps                  int
+	port                 int
 )
 
 func init() {
@@ -80,6 +81,7 @@ func main() {
 	flag.BoolVar(&internalCert, "enable-internal-cert-management", false, "Enables internal cert management.")
 	flag.IntVar(&maxReconciles, "max-reconciles", 1, "Number of concurrent reconciles to perform.")
 	flag.IntVar(&qps, "apiserver-qps-throttle", 50, "The maximum QPS to the API server.")
+	flag.IntVar(&port, "port", 443, "port for the server. defaulted to 443 if unspecified ")
 	flag.Parse()
 
 	// Enable OpenCensus exporters to export metrics
@@ -127,6 +129,7 @@ func main() {
 		MetricsBindAddress: metricsAddr,
 		LeaderElection:     enableLeaderElection,
 		LeaderElectionID:   leaderElectionId,
+		Port:               port,
 	})
 	if err != nil {
 		setupLog.Error(err, "unable to start manager")

diff --git a/incubator/hnc/config/default/manager_auth_proxy_patch.yaml b/incubator/hnc/config/default/manager_auth_proxy_patch.yaml
@@ -8,6 +8,10 @@ metadata:
 spec:
   template:
     spec:
+      securityContext:
+        fsGroup: 2000
+        runAsNonRoot: true
+        runAsUser: 1000
       containers:
       - name: kube-rbac-proxy
         image: gcr.io/kubebuilder/kube-rbac-proxy:v0.4.0
@@ -21,6 +25,7 @@ spec:
           name: https
       - name: manager
         args:
+        - "--port=9443"
         - "--metrics-addr=127.0.0.1:8080"
         - "--enable-leader-election"
         - "--leader-election-id=hnc-controller-leader-election-helper"

diff --git a/incubator/hnc/config/default/manager_webhook_patch.yaml b/incubator/hnc/config/default/manager_webhook_patch.yaml
@@ -9,7 +9,7 @@ spec:
       containers:
       - name: manager
         ports:
-        - containerPort: 443
+        - containerPort: 9443
           name: webhook-server
           protocol: TCP
         volumeMounts:

diff --git a/incubator/hnc/config/webhook/service.yaml b/incubator/hnc/config/webhook/service.yaml
@@ -7,6 +7,6 @@ metadata:
 spec:
   ports:
     - port: 443
-      targetPort: 443
+      targetPort: 9443
   selector:
     control-plane: controller-manager