[release-1.8] Added security context to source receive adapter pod (#962)

* added security context to source receive adapter pod

* fixed tests

Co-authored-by: gabriel <[email protected]>

Author: knative-prow-robot

pkg/reconciler/source/resources/receive_adapter.go

@@ -28,6 +28,7 @@ import (
 	"knative.dev/eventing-rabbitmq/pkg/apis/sources/v1alpha1"
 	eventingduckv1 "knative.dev/eventing/pkg/apis/duck/v1"
 	"knative.dev/pkg/kmeta"
+	"knative.dev/pkg/ptr"
 )
 
 type ReceiveAdapterArgs struct {
@@ -168,17 +169,23 @@ func MakeReceiveAdapter(args *ReceiveAdapterArgs) *v1.Deployment {
 				},
 				Spec: corev1.PodSpec{
 					ServiceAccountName: args.Source.Spec.ServiceAccountName,
-					Containers: []corev1.Container{
-						{
-							Name:            "receive-adapter",
-							Image:           args.Image,
-							ImagePullPolicy: "IfNotPresent",
-							Env:             env,
-							// This resource requests and limits comes from performance testing 1500msgs/s with a parallelism of 1000
-							// more info in this issue: https://github.com/knative-sandbox/eventing-rabbitmq/issues/703
-							Resources: args.ResourceRequirements,
+					Containers: []corev1.Container{{
+						Name:            "receive-adapter",
+						Image:           args.Image,
+						ImagePullPolicy: "IfNotPresent",
+						Env:             env,
+						// This resource requests and limits comes from performance testing 1500msgs/s with a parallelism of 1000
+						// more info in this issue: https://github.com/knative-sandbox/eventing-rabbitmq/issues/703
+						Resources: args.ResourceRequirements,
+						SecurityContext: &corev1.SecurityContext{
+							AllowPrivilegeEscalation: ptr.Bool(false),
+							ReadOnlyRootFilesystem:   ptr.Bool(true),
+							RunAsNonRoot:             ptr.Bool(true),
+							Capabilities: &corev1.Capabilities{
+								Drop: []corev1.Capability{"all"},
+							},
 						},
-					},
+					}},
 				},
 			},
 		},

pkg/reconciler/source/resources/receive_adapter_test.go

@@ -26,6 +26,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	v1alpha12 "knative.dev/eventing-rabbitmq/pkg/apis/sources/v1alpha1"
 	eventingduckv1 "knative.dev/eventing/pkg/apis/duck/v1"
+	"knative.dev/pkg/ptr"
 )
 
 const (
@@ -153,6 +154,14 @@ func TestMakeReceiveAdapter(t *testing.T) {
 											corev1.ResourceCPU:    resource.MustParse("4000m"),
 											corev1.ResourceMemory: resource.MustParse("600Mi")},
 									},
+									SecurityContext: &corev1.SecurityContext{
+										AllowPrivilegeEscalation: ptr.Bool(false),
+										ReadOnlyRootFilesystem:   ptr.Bool(true),
+										RunAsNonRoot:             ptr.Bool(true),
+										Capabilities: &corev1.Capabilities{
+											Drop: []corev1.Capability{"all"},
+										},
+									},
 									VolumeMounts: []corev1.VolumeMount{
 										{
 											MountPath: "/etc/ssl/certs/",