NO-ISSUE: Enabled readonlyRootFilesystem by default (#3614)

* Enabled readonlyRootFilesystem by default

* Enable in reconciler as well

* Enable in chart templates

* Fix typo

* Ensure volumes and volumeMount objects exists

* Fixing default rorfs for legacy mode and fix tests

* Only enable rorfs when running as non-root user

* Update tests

* Fix errors

* Update unit tests

Author: dusk125

deploy/chart/templates/0000_50_olm_07-olm-operator.deployment.yaml

@@ -22,9 +22,7 @@ spec:
         seccompProfile:
           type: RuntimeDefault
       serviceAccountName: olm-operator-serviceaccount
-      {{- if or .Values.olm.tlsSecret .Values.olm.clientCASecret }}
       volumes: 
-      {{- end }}
       {{- if .Values.olm.tlsSecret }}
       - name: srv-cert
         secret:
@@ -35,15 +33,16 @@ spec:
         secret:
           secretName: {{ .Values.olm.clientCASecret }}
       {{- end }}
+      - name: tmpfs
+        emptyDir: {}
       containers:
         - name: olm-operator
           securityContext:
             allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
             capabilities:
               drop: [ "ALL" ]
-          {{- if or .Values.olm.tlsSecret .Values.olm.clientCASecret }}
           volumeMounts:
-          {{- end }}
           {{- if .Values.olm.tlsSecret }}
           - name: srv-cert
             mountPath: "/srv-cert"
@@ -54,6 +53,8 @@ spec:
             mountPath: "/profile-collector-cert"
             readOnly: true
           {{- end }}
+          - name: tmpfs
+            mountPath: /tmp
           command:
           - /bin/olm
           args:

deploy/chart/templates/0000_50_olm_08-catalog-operator.deployment.yaml

@@ -22,9 +22,7 @@ spec:
         seccompProfile:
           type: RuntimeDefault
       serviceAccountName: olm-operator-serviceaccount
-      {{- if or .Values.catalog.tlsSecret .Values.catalog.clientCASecret }}
       volumes:
-      {{- end }}
       {{- if .Values.catalog.tlsSecret }}
       - name: srv-cert
         secret:
@@ -35,15 +33,16 @@ spec:
         secret:
           secretName: {{ .Values.catalog.clientCASecret }}
       {{- end }}
+      - name: tmpfs
+        emptyDir: {}
       containers:
         - name: catalog-operator
           securityContext:
             allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
             capabilities:
               drop: [ "ALL" ]
-          {{- if or .Values.catalog.tlsSecret .Values.catalog.clientCASecret }}
           volumeMounts:
-          {{- end }}
           {{- if .Values.catalog.tlsSecret }}
           - name: srv-cert
             mountPath: "/srv-cert"
@@ -54,6 +53,8 @@ spec:
             mountPath: "/profile-collector-cert"
             readOnly: true
           {{- end }}
+          - name: tmpfs
+            mountPath: /tmp
           command:
           - /bin/catalog
           args:

deploy/chart/templates/_packageserver.deployment-spec.yaml

@@ -31,6 +31,7 @@ spec:
       - name: packageserver
         securityContext:
           allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
           capabilities:
             drop: [ "ALL" ]
         command:

pkg/controller/bundle/bundle_unpacker.go

@@ -154,6 +154,7 @@ func (c *ConfigMapUnpacker) job(cmRef *corev1.ObjectReference, bundlePath string
 							},
 							SecurityContext: &corev1.SecurityContext{
 								AllowPrivilegeEscalation: ptr.To(bool(false)),
+								ReadOnlyRootFilesystem:   ptr.To(true),
 								Capabilities: &corev1.Capabilities{
 									Drop: []corev1.Capability{"ALL"},
 								},
@@ -180,6 +181,7 @@ func (c *ConfigMapUnpacker) job(cmRef *corev1.ObjectReference, bundlePath string
 							},
 							SecurityContext: &corev1.SecurityContext{
 								AllowPrivilegeEscalation: ptr.To(bool(false)),
+								ReadOnlyRootFilesystem:   ptr.To(true),
 								Capabilities: &corev1.Capabilities{
 									Drop: []corev1.Capability{"ALL"},
 								},
@@ -209,6 +211,7 @@ func (c *ConfigMapUnpacker) job(cmRef *corev1.ObjectReference, bundlePath string
 							},
 							SecurityContext: &corev1.SecurityContext{
 								AllowPrivilegeEscalation: ptr.To(bool(false)),
+								ReadOnlyRootFilesystem:   ptr.To(true),
 								Capabilities: &corev1.Capabilities{
 									Drop: []corev1.Capability{"ALL"},
 								},

pkg/controller/bundle/bundle_unpacker_test.go

@@ -308,6 +308,7 @@ func TestConfigMapUnpacker(t *testing.T) {
 											},
 											SecurityContext: &corev1.SecurityContext{
 												AllowPrivilegeEscalation: ptr.To(bool(false)),
+												ReadOnlyRootFilesystem:   ptr.To(true),
 												Capabilities: &corev1.Capabilities{
 													Drop: []corev1.Capability{"ALL"},
 												},
@@ -334,6 +335,7 @@ func TestConfigMapUnpacker(t *testing.T) {
 											},
 											SecurityContext: &corev1.SecurityContext{
 												AllowPrivilegeEscalation: ptr.To(bool(false)),
+												ReadOnlyRootFilesystem:   ptr.To(true),
 												Capabilities: &corev1.Capabilities{
 													Drop: []corev1.Capability{"ALL"},
 												},
@@ -363,6 +365,7 @@ func TestConfigMapUnpacker(t *testing.T) {
 											},
 											SecurityContext: &corev1.SecurityContext{
 												AllowPrivilegeEscalation: ptr.To(bool(false)),
+												ReadOnlyRootFilesystem:   ptr.To(true),
 												Capabilities: &corev1.Capabilities{
 													Drop: []corev1.Capability{"ALL"},
 												},
@@ -524,6 +527,7 @@ func TestConfigMapUnpacker(t *testing.T) {
 											},
 											SecurityContext: &corev1.SecurityContext{
 												AllowPrivilegeEscalation: ptr.To(bool(false)),
+												ReadOnlyRootFilesystem:   ptr.To(true),
 												Capabilities: &corev1.Capabilities{
 													Drop: []corev1.Capability{"ALL"},
 												},
@@ -550,6 +554,7 @@ func TestConfigMapUnpacker(t *testing.T) {
 											},
 											SecurityContext: &corev1.SecurityContext{
 												AllowPrivilegeEscalation: ptr.To(bool(false)),
+												ReadOnlyRootFilesystem:   ptr.To(true),
 												Capabilities: &corev1.Capabilities{
 													Drop: []corev1.Capability{"ALL"},
 												},
@@ -579,6 +584,7 @@ func TestConfigMapUnpacker(t *testing.T) {
 											},
 											SecurityContext: &corev1.SecurityContext{
 												AllowPrivilegeEscalation: ptr.To(bool(false)),
+												ReadOnlyRootFilesystem:   ptr.To(true),
 												Capabilities: &corev1.Capabilities{
 													Drop: []corev1.Capability{"ALL"},
 												},
@@ -780,6 +786,7 @@ func TestConfigMapUnpacker(t *testing.T) {
 											},
 											SecurityContext: &corev1.SecurityContext{
 												AllowPrivilegeEscalation: ptr.To(bool(false)),
+												ReadOnlyRootFilesystem:   ptr.To(true),
 												Capabilities: &corev1.Capabilities{
 													Drop: []corev1.Capability{"ALL"},
 												},
@@ -806,6 +813,7 @@ func TestConfigMapUnpacker(t *testing.T) {
 											},
 											SecurityContext: &corev1.SecurityContext{
 												AllowPrivilegeEscalation: ptr.To(bool(false)),
+												ReadOnlyRootFilesystem:   ptr.To(true),
 												Capabilities: &corev1.Capabilities{
 													Drop: []corev1.Capability{"ALL"},
 												},
@@ -835,6 +843,7 @@ func TestConfigMapUnpacker(t *testing.T) {
 											},
 											SecurityContext: &corev1.SecurityContext{
 												AllowPrivilegeEscalation: ptr.To(bool(false)),
+												ReadOnlyRootFilesystem:   ptr.To(true),
 												Capabilities: &corev1.Capabilities{
 													Drop: []corev1.Capability{"ALL"},
 												},
@@ -1031,6 +1040,7 @@ func TestConfigMapUnpacker(t *testing.T) {
 											},
 											SecurityContext: &corev1.SecurityContext{
 												AllowPrivilegeEscalation: ptr.To(bool(false)),
+												ReadOnlyRootFilesystem:   ptr.To(true),
 												Capabilities: &corev1.Capabilities{
 													Drop: []corev1.Capability{"ALL"},
 												},
@@ -1057,6 +1067,7 @@ func TestConfigMapUnpacker(t *testing.T) {
 											},
 											SecurityContext: &corev1.SecurityContext{
 												AllowPrivilegeEscalation: ptr.To(bool(false)),
+												ReadOnlyRootFilesystem:   ptr.To(true),
 												Capabilities: &corev1.Capabilities{
 													Drop: []corev1.Capability{"ALL"},
 												},
@@ -1086,6 +1097,7 @@ func TestConfigMapUnpacker(t *testing.T) {
 											},
 											SecurityContext: &corev1.SecurityContext{
 												AllowPrivilegeEscalation: ptr.To(bool(false)),
+												ReadOnlyRootFilesystem:   ptr.To(true),
 												Capabilities: &corev1.Capabilities{
 													Drop: []corev1.Capability{"ALL"},
 												},
@@ -1252,6 +1264,7 @@ func TestConfigMapUnpacker(t *testing.T) {
 											},
 											SecurityContext: &corev1.SecurityContext{
 												AllowPrivilegeEscalation: ptr.To(bool(false)),
+												ReadOnlyRootFilesystem:   ptr.To(true),
 												Capabilities: &corev1.Capabilities{
 													Drop: []corev1.Capability{"ALL"},
 												},
@@ -1278,6 +1291,7 @@ func TestConfigMapUnpacker(t *testing.T) {
 											},
 											SecurityContext: &corev1.SecurityContext{
 												AllowPrivilegeEscalation: ptr.To(bool(false)),
+												ReadOnlyRootFilesystem:   ptr.To(true),
 												Capabilities: &corev1.Capabilities{
 													Drop: []corev1.Capability{"ALL"},
 												},
@@ -1307,6 +1321,7 @@ func TestConfigMapUnpacker(t *testing.T) {
 											},
 											SecurityContext: &corev1.SecurityContext{
 												AllowPrivilegeEscalation: ptr.To(bool(false)),
+												ReadOnlyRootFilesystem:   ptr.To(true),
 												Capabilities: &corev1.Capabilities{
 													Drop: []corev1.Capability{"ALL"},
 												},
@@ -1486,6 +1501,7 @@ func TestConfigMapUnpacker(t *testing.T) {
 											},
 											SecurityContext: &corev1.SecurityContext{
 												AllowPrivilegeEscalation: ptr.To(bool(false)),
+												ReadOnlyRootFilesystem:   ptr.To(true),
 												Capabilities: &corev1.Capabilities{
 													Drop: []corev1.Capability{"ALL"},
 												},
@@ -1512,6 +1528,7 @@ func TestConfigMapUnpacker(t *testing.T) {
 											},
 											SecurityContext: &corev1.SecurityContext{
 												AllowPrivilegeEscalation: ptr.To(bool(false)),
+												ReadOnlyRootFilesystem:   ptr.To(true),
 												Capabilities: &corev1.Capabilities{
 													Drop: []corev1.Capability{"ALL"},
 												},
@@ -1541,6 +1558,7 @@ func TestConfigMapUnpacker(t *testing.T) {
 											},
 											SecurityContext: &corev1.SecurityContext{
 												AllowPrivilegeEscalation: ptr.To(bool(false)),
+												ReadOnlyRootFilesystem:   ptr.To(true),
 												Capabilities: &corev1.Capabilities{
 													Drop: []corev1.Capability{"ALL"},
 												},

pkg/controller/registry/reconciler/reconciler.go

@@ -293,6 +293,9 @@ func Pod(source *operatorsv1alpha1.CatalogSource, name, opmImg, utilImage, img s
 				Args:                     []string{"/bin/copy-content", fmt.Sprintf("%s/copy-content", utilitiesPath)},
 				VolumeMounts:             []corev1.VolumeMount{utilitiesVolumeMount},
 				TerminationMessagePolicy: corev1.TerminationMessageFallbackToLogsOnError,
+				SecurityContext: &corev1.SecurityContext{
+					ReadOnlyRootFilesystem: ptr.To(true),
+				},
 			}, corev1.Container{
 				Name:                     "extract-content",
 				Image:                    img,
@@ -301,8 +304,12 @@ func Pod(source *operatorsv1alpha1.CatalogSource, name, opmImg, utilImage, img s
 				Args:                     extractArgs,
 				VolumeMounts:             []corev1.VolumeMount{utilitiesVolumeMount, contentVolumeMount},
 				TerminationMessagePolicy: corev1.TerminationMessageFallbackToLogsOnError,
+				SecurityContext: &corev1.SecurityContext{
+					ReadOnlyRootFilesystem: ptr.To(true),
+				},
 			})
 
+			pod.Spec.Containers[0].SecurityContext.ReadOnlyRootFilesystem = ptr.To(true)
 			pod.Spec.Containers[0].Image = opmImg
 			pod.Spec.Containers[0].Command = []string{"/bin/opm"}
 			pod.Spec.Containers[0].ImagePullPolicy = image.InferImagePullPolicy(opmImg)
@@ -356,6 +363,16 @@ func Pod(source *operatorsv1alpha1.CatalogSource, name, opmImg, utilImage, img s
 }
 
 func addSecurityContext(pod *corev1.Pod, runAsUser int64) {
+	pod.Spec.SecurityContext = &corev1.PodSecurityContext{
+		SeccompProfile: &corev1.SeccompProfile{
+			Type: corev1.SeccompProfileTypeRuntimeDefault,
+		},
+	}
+	if runAsUser > 0 {
+		pod.Spec.SecurityContext.RunAsUser = &runAsUser
+		pod.Spec.SecurityContext.RunAsNonRoot = ptr.To(true)
+	}
+
 	for i := range pod.Spec.InitContainers {
 		if pod.Spec.InitContainers[i].SecurityContext == nil {
 			pod.Spec.InitContainers[i].SecurityContext = &corev1.SecurityContext{}
@@ -374,16 +391,6 @@ func addSecurityContext(pod *corev1.Pod, runAsUser int64) {
 			Drop: []corev1.Capability{"ALL"},
 		}
 	}
-
-	pod.Spec.SecurityContext = &corev1.PodSecurityContext{
-		SeccompProfile: &corev1.SeccompProfile{
-			Type: corev1.SeccompProfileTypeRuntimeDefault,
-		},
-	}
-	if runAsUser > 0 {
-		pod.Spec.SecurityContext.RunAsUser = &runAsUser
-		pod.Spec.SecurityContext.RunAsNonRoot = ptr.To(true)
-	}
 }
 
 // getDefaultPodContextConfig returns Restricted if the defaultNamespace has the 'pod-security.kubernetes.io/enforce' label	set to 'restricted',