Merge pull request openshift#2178 from 2uasimojo/HIVE-2350/secure-dep…

…loyments Read-only root file system
lleshchi · Feb 1, 2024 · 194c4d4 · 194c4d4
2 parents 5fbe0d1 + dc7d630
commit 194c4d4
Show file tree

Hide file tree

Showing 6 changed files with 78 additions and 0 deletions.
diff --git a/config/clustersync/statefulset.yaml b/config/clustersync/statefulset.yaml
@@ -54,6 +54,14 @@ spec:
               fieldPath: metadata.name
         - name: HIVE_SKIP_LEADER_ELECTION
           value: "true"
+        - name: TMPDIR
+          value: /tmp
+        volumeMounts:
+        - name: tmp
+          mountPath: /tmp
+        securityContext:
+          privileged: false
+          readOnlyRootFilesystem: true
         livenessProbe:
           failureThreshold: 3
           httpGet:
@@ -72,3 +80,6 @@ spec:
           periodSeconds: 10
           successThreshold: 1
           timeoutSeconds: 1
+      volumes:
+      - name: tmp
+        emptyDir: {}
diff --git a/config/controllers/deployment.yaml b/config/controllers/deployment.yaml
@@ -25,6 +25,8 @@ spec:
       volumes:
       - name: kubectl-cache
         emptyDir: {}
+      - name: tmp
+        emptyDir: {}
       containers:
       # By default we will use the latest CI images published from hive master:
       - image: registry.ci.openshift.org/openshift/hive-v4.0:hive
@@ -42,13 +44,20 @@ spec:
         volumeMounts:
         - name: kubectl-cache
           mountPath: /var/cache/kubectl
+        - name: tmp
+          mountPath: /tmp
         env:
         - name: CLI_CACHE_DIR
           value: /var/cache/kubectl
         - name: HIVE_NS
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
+        - name: TMPDIR
+          value: /tmp
+        securityContext:
+          privileged: false
+          readOnlyRootFilesystem: true
         readinessProbe:
           httpGet:
             path: /readyz

diff --git a/config/hiveadmission/deployment.yaml b/config/hiveadmission/deployment.yaml
@@ -42,9 +42,17 @@ spec:
         envFrom:
         - configMapRef:
             name: hive-feature-gates
+        env:
+        - name: TMPDIR
+          value: /tmp
         volumeMounts:
         - mountPath: /var/serving-cert
           name: serving-cert
+        - name: tmp
+          mountPath: /tmp
+        securityContext:
+          privileged: false
+          readOnlyRootFilesystem: true
         readinessProbe:
           httpGet:
             path: /healthz
@@ -55,3 +63,5 @@ spec:
         secret:
           defaultMode: 420
           secretName: hiveadmission-serving-cert
+      - name: tmp
+        emptyDir: {}
diff --git a/config/operator/operator_deployment.yaml b/config/operator/operator_deployment.yaml
@@ -30,6 +30,8 @@ spec:
       volumes:
       - name: kubectl-cache
         emptyDir: {}
+      - name: tmp
+        emptyDir: {}
       containers:
       # By default we will use the latest CI images published from hive master:
       - image: registry.ci.openshift.org/openshift/hive-v4.0:hive
@@ -50,13 +52,20 @@ spec:
         volumeMounts:
         - name: kubectl-cache
           mountPath: /var/cache/kubectl
+        - name: tmp
+          mountPath: /tmp
         env:
         - name: CLI_CACHE_DIR
           value: /var/cache/kubectl
         - name: HIVE_OPERATOR_NS
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
+        - name: TMPDIR
+          value: /tmp
+        securityContext:
+          privileged: false
+          readOnlyRootFilesystem: true
         readinessProbe:
           httpGet:
             path: /readyz

diff --git a/hack/app-sre/saas-template.yaml b/hack/app-sre/saas-template.yaml
@@ -7596,6 +7596,8 @@ objects:
             valueFrom:
               fieldRef:
                 fieldPath: metadata.namespace
+          - name: TMPDIR
+            value: /tmp
           image: ${REGISTRY_IMG}@${IMAGE_DIGEST}
           imagePullPolicy: Always
           livenessProbe:
@@ -7615,14 +7617,21 @@ objects:
             requests:
               cpu: 100m
               memory: 256Mi
+          securityContext:
+            privileged: false
+            readOnlyRootFilesystem: true
           volumeMounts:
           - mountPath: /var/cache/kubectl
             name: kubectl-cache
+          - mountPath: /tmp
+            name: tmp
         serviceAccountName: hive-operator
         terminationGracePeriodSeconds: 10
         volumes:
         - emptyDir: {}
           name: kubectl-cache
+        - emptyDir: {}
+          name: tmp
 parameters:
 - name: REGISTRY_IMG
   required: true

diff --git a/pkg/operator/assets/bindata.go b/pkg/operator/assets/bindata.go