OSDOCS 6914: Updating pod examples to comply with restricted PSA (Nodes book)

Author: bergerhoffer

modules/nodes-cluster-resource-configure-request-limit.adoc

@@ -22,6 +22,10 @@ kind: Pod
 metadata:
   name: test
 spec:
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
   containers:
   - name: test
     image: fedora:latest
@@ -44,6 +48,10 @@ spec:
         memory: 384Mi
       limits:
         memory: 512Mi
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop: [ALL]
 ----
 <1> Add this stanza to discover the application memory request value.
 <2> Add this stanza to discover the application memory limit value.

modules/nodes-cluster-resource-levels-command.adoc

@@ -31,6 +31,10 @@ metadata:
     app: guestbook
     tier: frontend
 spec:
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
   containers:
   - name: php-redis
     image: gcr.io/google-samples/gb-frontend:v4
@@ -42,6 +46,10 @@ spec:
       requests:
         cpu: 150m
         memory: 100Mi
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop: [ALL]
 ----
 
 .. Create the cluster role:

modules/nodes-cluster-resource-levels-job.adoc

@@ -87,6 +87,10 @@ metadata:
     app: guestbook
     tier: frontend
 spec:
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
   containers:
   - name: php-redis
     image: gcr.io/google-samples/gb-frontend:v4
@@ -98,6 +102,10 @@ spec:
       requests:
         cpu: 150m
         memory: 100Mi
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop: [ALL]
 ----
 
 .. Create the pod by running the following command:

modules/nodes-containers-downward-api-container-configmaps.adoc

@@ -43,6 +43,10 @@ kind: Pod
 metadata:
   name: dapi-env-test-pod
 spec:
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
   containers:
     - name: env-test-container
       image: gcr.io/google_containers/busybox
@@ -53,6 +57,10 @@ spec:
             configMapKeyRef:
               name: myconfigmap
               key: mykey
+      securityContext:
+        allowPrivilegeEscalation: false
+        capabilities:
+          drop: [ALL]
   restartPolicy: Always
 # ...
 ----

modules/nodes-containers-downward-api-container-envars.adoc

@@ -24,6 +24,10 @@ kind: Pod
 metadata:
   name: dapi-env-test-pod
 spec:
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
   containers:
     - name: env-test-container
       image: gcr.io/google_containers/busybox
@@ -33,6 +37,10 @@ spec:
           value: my_value
         - name: MY_ENV_VAR_REF_ENV
           value: $(MY_EXISTING_ENV)
+      securityContext:
+        allowPrivilegeEscalation: false
+        capabilities:
+          drop: [ALL]
   restartPolicy: Never
 # ...
 ----

modules/nodes-containers-downward-api-container-escaping.adoc

@@ -23,13 +23,21 @@ kind: Pod
 metadata:
   name: dapi-env-test-pod
 spec:
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
   containers:
     - name: env-test-container
       image: gcr.io/google_containers/busybox
       command: [ "/bin/sh", "-c", "env" ]
       env:
         - name: MY_NEW_ENV
           value: $$(SOME_OTHER_ENV)
+      securityContext:
+        allowPrivilegeEscalation: false
+        capabilities:
+          drop: [ALL]
   restartPolicy: Never
 # ...
 ----

modules/nodes-containers-downward-api-container-secrets.adoc

@@ -46,6 +46,10 @@ kind: Pod
 metadata:
   name: dapi-env-test-pod
 spec:
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
   containers:
     - name: env-test-container
       image: gcr.io/google_containers/busybox
@@ -56,6 +60,10 @@ spec:
             secretKeyRef:
               name: mysecret
               key: username
+      securityContext:
+        allowPrivilegeEscalation: false
+        capabilities:
+          drop: [ALL]
   restartPolicy: Never
 # ...
 ----

modules/nodes-containers-downward-api-container-values-envars.adoc

@@ -31,6 +31,10 @@ kind: Pod
 metadata:
   name: dapi-env-test-pod
 spec:
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
   containers:
     - name: env-test-container
       image: gcr.io/google_containers/busybox
@@ -44,6 +48,10 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
+      securityContext:
+        allowPrivilegeEscalation: false
+        capabilities:
+          drop: [ALL]
   restartPolicy: Never
 # ...
 ----

modules/nodes-containers-downward-api-container-values-plugin.adoc

@@ -40,6 +40,10 @@ metadata:
     annotation1: "345"
     annotation2: "456"
 spec:
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
   containers:
     - name: volume-test-container
       image: gcr.io/google_containers/busybox
@@ -48,6 +52,10 @@ spec:
         - name: podinfo
           mountPath: /tmp/etc
           readOnly: false
+      securityContext:
+        allowPrivilegeEscalation: false
+        capabilities:
+          drop: [ALL]
   volumes:
   - name: podinfo
     downwardAPI:

modules/nodes-containers-init-creating.adoc

@@ -23,18 +23,33 @@ metadata:
   labels:
     app: myapp
 spec:
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
   containers:
   - name: myapp-container
     image: registry.access.redhat.com/ubi9/ubi:latest
     command: ['sh', '-c', 'echo The app is running! && sleep 3600']
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop: [ALL]
   initContainers:
   - name: init-myservice
     image: registry.access.redhat.com/ubi9/ubi:latest
     command: ['sh', '-c', 'until getent hosts myservice; do echo waiting for myservice; sleep 2; done;']
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop: [ALL]
   - name: init-mydb
     image: registry.access.redhat.com/ubi9/ubi:latest
     command: ['sh', '-c', 'until getent hosts mydb; do echo waiting for mydb; sleep 2; done;']
-# ...
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop: [ALL]
 ----
 
 .. Create the pod: