fix: controller and sidecar containers run as non-root (#225)

jbattiato · leonardoce · web-flow · commit 5788c1f72794 · 2025-03-23T17:00:52.000+01:00
Closes #177 Signed-off-by: Jonathan Battiato <jonathan.battiato@enterprisedb.com> Signed-off-by: Leonardo Cecchi <leonardo.cecchi@enterprisedb.com> Co-authored-by: Leonardo Cecchi <leonardo.cecchi@enterprisedb.com>
diff --git a/internal/cnpgi/operator/lifecycle.go b/internal/cnpgi/operator/lifecycle.go
@@ -299,6 +299,18 @@ func reconcilePodSpec(
 	sidecarConfig.Image = viper.GetString("sidecar-image")
 	sidecarConfig.ImagePullPolicy = cluster.Spec.ImagePullPolicy
 	sidecarConfig.StartupProbe = baseProbe.DeepCopy()
+	sidecarConfig.SecurityContext = &corev1.SecurityContext{
+		AllowPrivilegeEscalation: ptr.To(false),
+		RunAsNonRoot:             ptr.To(true),
+		Privileged:               ptr.To(false),
+		ReadOnlyRootFilesystem:   ptr.To(true),
+		SeccompProfile: &corev1.SeccompProfile{
+			Type: corev1.SeccompProfileTypeRuntimeDefault,
+		},
+		Capabilities: &corev1.Capabilities{
+			Drop: []corev1.Capability{"ALL"},
+		},
+	}
 
 	// merge the main container envs if they aren't already set
 	for _, container := range spec.Containers {
diff --git a/kubernetes/deployment.yaml b/kubernetes/deployment.yaml
@@ -16,6 +16,10 @@ spec:
       labels:
         app: barman-cloud
     spec:
+      securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
       serviceAccountName: plugin-barman-cloud
       containers:
       - image: plugin-barman-cloud:latest
@@ -48,6 +52,16 @@ spec:
         - mountPath: /client
           name: client
         resources: {}
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+          runAsGroup: 10001
+          runAsUser: 10001
+          seccompProfile:
+            type: RuntimeDefault
       volumes:
       - name: server
         secret:
diff --git a/manifest.yaml b/manifest.yaml
@@ -871,11 +871,25 @@ spec:
           tcpSocket:
             port: 9090
         resources: {}
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+          runAsGroup: 10001
+          runAsUser: 10001
+          seccompProfile:
+            type: RuntimeDefault
         volumeMounts:
         - mountPath: /server
           name: server
         - mountPath: /client
           name: client
+      securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
       serviceAccountName: plugin-barman-cloud
       volumes:
       - name: server
