fix: controller and sidecar containers run as non-root

jbattiato · jbattiato · commit c138c17ef0c6 · 2025-03-21T15:16:03.000+01:00
Signed-off-by: Jonathan Battiato &lt;jonathan.battiato@enterprisedb.com&gt;
diff --git a/internal/cnpgi/operator/lifecycle.go b/internal/cnpgi/operator/lifecycle.go
@@ -296,6 +296,18 @@ func reconcilePodSpec(
 	sidecarConfig.Image = viper.GetString("sidecar-image")
 	sidecarConfig.ImagePullPolicy = cluster.Spec.ImagePullPolicy
 	sidecarConfig.StartupProbe = baseProbe.DeepCopy()
+	sidecarConfig.SecurityContext = &corev1.SecurityContext{
+		AllowPrivilegeEscalation: ptr.To(false),
+		RunAsNonRoot:             ptr.To(true),
+		Privileged:               ptr.To(false),
+		ReadOnlyRootFilesystem:   ptr.To(true),
+		SeccompProfile: &corev1.SeccompProfile{
+			Type: corev1.SeccompProfileTypeRuntimeDefault,
+		},
+		Capabilities: &corev1.Capabilities{
+			Drop: []corev1.Capability{"ALL"},
+		},
+	}
 
 	// merge the main container envs if they aren't already set
 	for _, container := range spec.Containers {
diff --git a/kubernetes/deployment.yaml b/kubernetes/deployment.yaml
@@ -16,6 +16,10 @@ spec:
       labels:
         app: barman-cloud
     spec:
+      securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
       serviceAccountName: plugin-barman-cloud
       containers:
       - image: plugin-barman-cloud:latest
@@ -48,6 +52,16 @@ spec:
         - mountPath: /client
           name: client
         resources: {}
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+          runAsGroup: 10001
+          runAsUser: 10001
+          seccompProfile:
+            type: RuntimeDefault
       volumes:
       - name: server
         secret:
