fix: Security issues (#348)

Signed-off-by: odubajDT <ondrej.dubaj@dynatrace.com>
open-feature · Feb 16, 2023 · 5bd0b19 · 5bd0b19
1 parent a0993dc
commit 5bd0b19
Show file tree

Hide file tree

Showing 8 changed files with 25 additions and 7 deletions.
diff --git a/...ature-operator/templates/apps_v1_deployment_open-feature-operator-controller-manager.yaml b/...ature-operator/templates/apps_v1_deployment_open-feature-operator-controller-manager.yaml
@@ -76,6 +76,7 @@ spec:
               }}'
         securityContext:
           allowPrivilegeEscalation: false
+          runAsNonRoot: true
         volumeMounts:
         - mountPath: /tmp/k8s-webhook-server/serving-certs
           name: cert
@@ -103,6 +104,9 @@ spec:
               }}'
             memory: '{{ .Values.controllerManager.kubeRbacProxy.resources.requests.memory
               }}'
+        securityContext:
+          allowPrivilegeEscalation: false
+          runAsNonRoot: true
       securityContext:
         runAsNonRoot: true
       serviceAccountName: open-feature-operator-controller-manager

diff --git a/...rbac.authorization.k8s.io_v1_clusterrole_open-feature-operator-flagd-kubernetes-sync.yaml b/...rbac.authorization.k8s.io_v1_clusterrole_open-feature-operator-flagd-kubernetes-sync.yaml
@@ -6,7 +6,8 @@ rules:
 - apiGroups:
   - core.openfeature.dev
   resources:
-  - '*'
+  - flagsourceconfigurations
+  - featureflagconfigurations
   verbs:
   - get
   - watch

diff --git a/...emplates/rbac.authorization.k8s.io_v1_clusterrole_open-feature-operator-manager-role.yaml b/...emplates/rbac.authorization.k8s.io_v1_clusterrole_open-feature-operator-manager-role.yaml
@@ -91,6 +91,9 @@ rules:
 - apiGroups:
   - rbac.authorization.k8s.io
   resources:
-  - '*'
+  - clusterrolebindings
   verbs:
-  - '*'
+  - get
+  - list
+  - update
+  - watch
diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml
@@ -27,10 +27,16 @@ spec:
           requests:
             cpu: 5m
             memory: 64Mi
+        securityContext:
+          allowPrivilegeEscalation: false
+          runAsNonRoot: true
       - name: manager
         args:
         - "--health-probe-bind-address=:8081"
         - "--metrics-bind-address=127.0.0.1:8080"
         - "--leader-elect"
         - "--sidecar-cpu-limit=0.5" # cores
         - "--sidecar-ram-limit=64M"
+        securityContext:
+          allowPrivilegeEscalation: false
+          runAsNonRoot: true
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
@@ -38,6 +38,7 @@ spec:
         name: manager
         securityContext:
           allowPrivilegeEscalation: false
+          runAsNonRoot: true
         livenessProbe:
           httpGet:
             path: /healthz

diff --git a/config/rbac/flagd_kubernetes_sync_clusterrole.yaml b/config/rbac/flagd_kubernetes_sync_clusterrole.yaml
@@ -5,5 +5,5 @@ metadata:
   name: flagd-kubernetes-sync
 rules:
 - apiGroups: ["core.openfeature.dev"] 
-  resources: ["*"]
+  resources: ["flagsourceconfigurations", "featureflagconfigurations"]
   verbs: ["get", "watch", "list"]
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -92,6 +92,9 @@ rules:
 - apiGroups:
   - rbac.authorization.k8s.io
   resources:
-  - '*'
+  - clusterrolebindings
   verbs:
-  - '*'
+  - get
+  - list
+  - update
+  - watch
diff --git a/webhooks/pod_webhook.go b/webhooks/pod_webhook.go
@@ -38,7 +38,7 @@ const (
 //+kubebuilder:rbac:groups="",resources=configmaps,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:webhook:path=/mutate-v1-pod,mutating=true,failurePolicy=Ignore,groups="",resources=pods,verbs=create;update,versions=v1,name=mutate.openfeature.dev,admissionReviewVersions=v1,sideEffects=NoneOnDryRun
 //+kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;
-//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=*,verbs=*;
+//+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterrolebindings,verbs=get;list;watch;update;
 
 // PodMutator annotates Pods
 type PodMutator struct {