Merge pull request #2700 from camilamacedo86/containers-created-with-restrictive

⚠️ (go/v3): applying restrictive SCC for all containers scaffolded by the tool (k8s versions < 1.19 does not work with)

Author: k8s-ci-robot

pkg/plugins/common/kustomize/v1/scaffolds/internal/templates/config/kdefault/manager_auth_proxy_patch.go

@@ -55,6 +55,11 @@ spec:
     spec:
       containers:
       - name: kube-rbac-proxy
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+              - ALL
         image: gcr.io/kubebuilder/kube-rbac-proxy:v0.11.0
         args:
         - "--secure-listen-address=0.0.0.0:8443"

pkg/plugins/common/kustomize/v1/scaffolds/internal/templates/config/manager/config.go

@@ -72,6 +72,8 @@ spec:
     spec:
       securityContext:
         runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
       containers:
       - command:
         - /manager
@@ -83,6 +85,9 @@ spec:
         name: manager
         securityContext:
           allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+              - ALL
         livenessProbe:
           httpGet:
             path: /healthz

pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/kdefault/manager_auth_proxy_patch.go

@@ -55,6 +55,11 @@ spec:
     spec:
       containers:
       - name: kube-rbac-proxy
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+              - ALL
         image: gcr.io/kubebuilder/kube-rbac-proxy:v0.11.0
         args:
         - "--secure-listen-address=0.0.0.0:8443"

pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/manager/config.go

@@ -72,6 +72,8 @@ spec:
     spec:
       securityContext:
         runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
       containers:
       - command:
         - /manager
@@ -83,6 +85,9 @@ spec:
         name: manager
         securityContext:
           allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+              - ALL
         livenessProbe:
           httpGet:
             path: /healthz

test/e2e/v3/plugin_cluster_test.go

@@ -84,7 +84,7 @@ var _ = Describe("kubebuilder", func() {
 				kbc.UninstallCertManager(true)
 			})
 
-			It("should generate a runnable project", func() {
+			It("should generate a runnable project go/v2 with default SA", func() {
 				// go/v3 uses a unqiue-per-project service account name,
 				// while go/v2 still uses "default".
 				tmp := kbc.Kubectl.ServiceAccount
@@ -106,30 +106,39 @@ var _ = Describe("kubebuilder", func() {
 				kbc.UninstallCertManager(false)
 			})
 
-			It("should generate a runnable project", func() {
+			It("should generate a runnable project go/v3 with v1 CRDs and Webhooks", func() {
 				// Skip if cluster version < 1.16, when v1 CRDs and webhooks did not exist.
-				if srvVer := kbc.K8sVersion.ServerVersion; srvVer.GetMajorInt() <= 1 && srvVer.GetMinorInt() < 17 {
-					Skip(fmt.Sprintf("cluster version %s does not support v1 CRDs or webhooks", srvVer.GitVersion))
+				// Skip if cluster version < 1.19, because securityContext.seccompProfile only works from 1.19
+				// Otherwise, unknown field "seccompProfile" in io.k8s.api.core.v1.PodSecurityContext will be faced
+				if srvVer := kbc.K8sVersion.ServerVersion; srvVer.GetMajorInt() <= 1 && srvVer.GetMinorInt() < 19 {
+					Skip(fmt.Sprintf("cluster version %s does not support v1 CRDs or webhooks"+
+						"and securityContext.seccompProfile", srvVer.GitVersion))
 				}
 
 				GenerateV3(kbc, "v1")
 				Run(kbc)
 			})
 			It("should generate a runnable project with the golang base plugin v3 and kustomize v4-alpha", func() {
 				// Skip if cluster version < 1.16, when v1 CRDs and webhooks did not exist.
-				if srvVer := kbc.K8sVersion.ServerVersion; srvVer.GetMajorInt() <= 1 && srvVer.GetMinorInt() < 17 {
-					Skip(fmt.Sprintf("cluster version %s does not support v1 CRDs or webhooks", srvVer.GitVersion))
+				// Skip if cluster version < 1.19, because securityContext.seccompProfile only works from 1.19
+				// Otherwise, unknown field "seccompProfile" in io.k8s.api.core.v1.PodSecurityContext will be faced
+				if srvVer := kbc.K8sVersion.ServerVersion; srvVer.GetMajorInt() <= 1 && srvVer.GetMinorInt() < 19 {
+					Skip(fmt.Sprintf("cluster version %s does not support v1 CRDs or webhooks "+
+						"and securityContext.seccompProfile", srvVer.GitVersion))
 				}
 
 				GenerateV3WithKustomizeV2(kbc, "v1")
 				Run(kbc)
 			})
 			It("should generate a runnable project with v1beta1 CRDs and Webhooks", func() {
 				// Skip if cluster version < 1.15, when `.spec.preserveUnknownFields` was not a v1beta1 CRD field.
+				// Skip if cluster version < 1.19, because securityContext.seccompProfile only works from 1.19
+				// Otherwise, unknown field "seccompProfile" in io.k8s.api.core.v1.PodSecurityContext will be faced
 				// Skip if cluster version >= 1.22 because pre v1 CRDs and webhooks no longer exist.
-				if srvVer := kbc.K8sVersion.ServerVersion; srvVer.GetMajorInt() <= 1 && srvVer.GetMinorInt() < 16 ||
+				if srvVer := kbc.K8sVersion.ServerVersion; srvVer.GetMajorInt() <= 1 && srvVer.GetMinorInt() < 19 ||
 					srvVer.GetMajorInt() <= 1 && srvVer.GetMinorInt() >= 22 {
-					Skip(fmt.Sprintf("cluster version %s does not support project defaults", srvVer.GitVersion))
+					Skip(fmt.Sprintf("cluster version %s does not support project defaults "+
+						"and securityContext.seccompProfile", srvVer.GitVersion))
 				}
 
 				GenerateV3(kbc, "v1beta1")

testdata/project-v3-addon/config/default/manager_auth_proxy_patch.yaml

@@ -10,6 +10,11 @@ spec:
     spec:
       containers:
       - name: kube-rbac-proxy
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+              - ALL
         image: gcr.io/kubebuilder/kube-rbac-proxy:v0.11.0
         args:
         - "--secure-listen-address=0.0.0.0:8443"

testdata/project-v3-addon/config/manager/manager.yaml

@@ -26,6 +26,8 @@ spec:
     spec:
       securityContext:
         runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
       containers:
       - command:
         - /manager
@@ -35,6 +37,9 @@ spec:
         name: manager
         securityContext:
           allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+              - ALL
         livenessProbe:
           httpGet:
             path: /healthz

testdata/project-v3-config/config/default/manager_auth_proxy_patch.yaml

@@ -10,6 +10,11 @@ spec:
     spec:
       containers:
       - name: kube-rbac-proxy
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+              - ALL
         image: gcr.io/kubebuilder/kube-rbac-proxy:v0.11.0
         args:
         - "--secure-listen-address=0.0.0.0:8443"

testdata/project-v3-config/config/manager/manager.yaml

@@ -26,13 +26,18 @@ spec:
     spec:
       securityContext:
         runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
       containers:
       - command:
         - /manager
         image: controller:latest
         name: manager
         securityContext:
           allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+              - ALL
         livenessProbe:
           httpGet:
             path: /healthz

testdata/project-v3-multigroup/config/default/manager_auth_proxy_patch.yaml

@@ -10,6 +10,11 @@ spec:
     spec:
       containers:
       - name: kube-rbac-proxy
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+              - ALL
         image: gcr.io/kubebuilder/kube-rbac-proxy:v0.11.0
         args:
         - "--secure-listen-address=0.0.0.0:8443"