Fix velero container to have explicit ReadOnlyRootFilesystem (#1755)

Current velero container does not use explicit ReadOnlyRootFilesystem
flag set to true.

The root filesystem is not writeable by the velero user, however it's
not explicitly set as ReadOnlyRootFilesystem.

This PR fixes it.

Signed-off-by: Michal Pryc <[email protected]>

Author: mpryc

internal/controller/velero.go

@@ -272,6 +272,18 @@ func (r *DataProtectionApplicationReconciler) customizeVeleroDeployment(veleroDe
 				EmptyDir: &corev1.EmptyDirVolumeSource{},
 			},
 		},
+		corev1.Volume{
+			Name: "tmp",
+			VolumeSource: corev1.VolumeSource{
+				EmptyDir: &corev1.EmptyDirVolumeSource{},
+			},
+		},
+		corev1.Volume{
+			Name: "home",
+			VolumeSource: corev1.VolumeSource{
+				EmptyDir: &corev1.EmptyDirVolumeSource{},
+			},
+		},
 		// used for short-lived credentials, inert if not used
 		corev1.Volume{
 			Name: "bound-sa-token",
@@ -573,7 +585,31 @@ func (r *DataProtectionApplicationReconciler) customizeVeleroContainer(veleroCon
 			MountPath: "/var/run/secrets/openshift/serviceaccount",
 			ReadOnly:  true,
 		},
+		corev1.VolumeMount{
+			Name:      "tmp",
+			MountPath: "/tmp",
+			ReadOnly:  false,
+		},
+		corev1.VolumeMount{
+			Name:      "home",
+			MountPath: "/home/velero",
+			ReadOnly:  false,
+		},
 	)
+
+	// Ensure the /plugins and /target is ReadOnly
+	for i, mount := range veleroContainer.VolumeMounts {
+		if mount.MountPath == "/plugins" || mount.MountPath == "/target" {
+			veleroContainer.VolumeMounts[i].ReadOnly = true
+		}
+	}
+
+	veleroContainer.SecurityContext = &corev1.SecurityContext{
+		ReadOnlyRootFilesystem:   ptr.To(true),
+		Privileged:               ptr.To(false),
+		AllowPrivilegeEscalation: ptr.To(false),
+	}
+
 	// append velero PodConfig envs to container
 	if dpa.Spec.Configuration != nil && dpa.Spec.Configuration.Velero != nil && dpa.Spec.Configuration.Velero.PodConfig != nil && dpa.Spec.Configuration.Velero.PodConfig.Env != nil {
 		veleroContainer.Env = common.AppendUniqueEnvVars(veleroContainer.Env, dpa.Spec.Configuration.Velero.PodConfig.Env)

internal/controller/velero_test.go

@@ -94,10 +94,12 @@ var (
 	}
 
 	baseVolumeMounts = []corev1.VolumeMount{
-		{Name: "plugins", MountPath: "/plugins"},
+		{Name: "plugins", MountPath: "/plugins", ReadOnly: true},
 		{Name: "scratch", MountPath: "/scratch"},
 		{Name: "certs", MountPath: "/etc/ssl/certs"},
 		{Name: "bound-sa-token", MountPath: "/var/run/secrets/openshift/serviceaccount", ReadOnly: true},
+		{Name: "tmp", MountPath: "/tmp"},
+		{Name: "home", MountPath: "/home/velero"},
 	}
 
 	baseVolumes = []corev1.Volume{
@@ -113,6 +115,14 @@ var (
 			Name:         "certs",
 			VolumeSource: corev1.VolumeSource{EmptyDir: &corev1.EmptyDirVolumeSource{}},
 		},
+		{
+			Name:         "tmp",
+			VolumeSource: corev1.VolumeSource{EmptyDir: &corev1.EmptyDirVolumeSource{}},
+		},
+		{
+			Name:         "home",
+			VolumeSource: corev1.VolumeSource{EmptyDir: &corev1.EmptyDirVolumeSource{}},
+		},
 		{
 			Name: "bound-sa-token",
 			VolumeSource: corev1.VolumeSource{
@@ -417,6 +427,11 @@ func createTestBuiltVeleroDeployment(options TestBuiltVeleroDeploymentOptions) *
 							ImagePullPolicy:          corev1.PullAlways,
 							TerminationMessagePath:   "/dev/termination-log",
 							TerminationMessagePolicy: corev1.TerminationMessageFallbackToLogsOnError,
+							SecurityContext: &corev1.SecurityContext{
+								ReadOnlyRootFilesystem:   ptr.To(true),
+								Privileged:               ptr.To(false),
+								AllowPrivilegeEscalation: ptr.To(false),
+							},
 							Ports: []corev1.ContainerPort{{
 								Name:          "metrics",
 								ContainerPort: 8085,