
Commit e2dd97b

committed
Only enable rorfs when running as non-root user
1 parent a70ccda commit e2dd97b


1 file changed

+12
-12
lines changed


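--- a/pkg/controller/registry/reconciler/reconciler.go
+++ b/pkg/controller/registry/reconciler/reconciler.go
@@ -356,12 +356,22 @@ func Pod(source *operatorsv1alpha1.CatalogSource, name, opmImg, utilImage, img s
 }
 
 func addSecurityContext(pod *corev1.Pod, runAsUser int64) {
+	pod.Spec.SecurityContext = &corev1.PodSecurityContext{
+		SeccompProfile: &corev1.SeccompProfile{
+			Type: corev1.SeccompProfileTypeRuntimeDefault,
+		},
+	}
+	if runAsUser > 0 {
+		pod.Spec.SecurityContext.RunAsUser = &runAsUser
+		pod.Spec.SecurityContext.RunAsNonRoot = ptr.To(true)
+	}
+
 	for i := range pod.Spec.InitContainers {
 		if pod.Spec.InitContainers[i].SecurityContext == nil {
 			pod.Spec.InitContainers[i].SecurityContext = &corev1.SecurityContext{}
 		}
 		pod.Spec.InitContainers[i].SecurityContext.AllowPrivilegeEscalation = ptr.To(false)
-		pod.Spec.InitContainers[i].SecurityContext.ReadOnlyRootFilesystem = ptr.To(true)
+		pod.Spec.InitContainers[i].SecurityContext.ReadOnlyRootFilesystem = pod.Spec.SecurityContext.RunAsNonRoot
 		pod.Spec.InitContainers[i].SecurityContext.Capabilities = &corev1.Capabilities{
 			Drop: []corev1.Capability{"ALL"},
 		}
@@ -371,21 +381,11 @@ func addSecurityContext(pod *corev1.Pod, runAsUser int64) {
 			pod.Spec.Containers[i].SecurityContext = &corev1.SecurityContext{}
 		}
 		pod.Spec.Containers[i].SecurityContext.AllowPrivilegeEscalation = ptr.To(false)
-		pod.Spec.Containers[i].SecurityContext.ReadOnlyRootFilesystem = ptr.To(true)
+		pod.Spec.Containers[i].SecurityContext.ReadOnlyRootFilesystem = pod.Spec.SecurityContext.RunAsNonRoot
 		pod.Spec.Containers[i].SecurityContext.Capabilities = &corev1.Capabilities{
 			Drop: []corev1.Capability{"ALL"},
 		}
 	}
-
-	pod.Spec.SecurityContext = &corev1.PodSecurityContext{
-		SeccompProfile: &corev1.SeccompProfile{
-			Type: corev1.SeccompProfileTypeRuntimeDefault,
-		},
-	}
-	if runAsUser > 0 {
-		pod.Spec.SecurityContext.RunAsUser = &runAsUser
-		pod.Spec.SecurityContext.RunAsNonRoot = ptr.To(true)
-	}
 }
 
 // getDefaultPodContextConfig returns Restricted if the defaultNamespace has the 'pod-security.kubernetes.io/enforce' label set to 'restricted',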
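Review bot: The new `ReadOnlyRootFilesystem = pod.Spec.SecurityContext.RunAsNonRoot` assignments (new lines 374 and 384) silently drop the read-only root filesystem for every pod where `runAsUser` is 0 or negative, which is exactly the root-running case where a writable rootfs is most valuable to an attacker, and nothing in the function says why that trade-off is acceptable; the commit title states the what but not the why. I would add a comment above the first loop, e.g. `// ReadOnlyRootFilesystem is tied to RunAsNonRoot: when no non-root UID is supplied (runAsUser <= 0) the pod spec leaves RunAsNonRoot and ReadOnlyRootFilesystem unset rather than false. Document here what the root-running pod needs to write to its rootfs.` — the underlying reason is not visible in this diff and should be confirmed by the author. Note also that `runAsUser > 0` is a hint from the caller, not proof the image runs as root: an image whose `USER` directive is non-root but that is reconciled with `runAsUser == 0` now loses rorfs for no reason. Finally, the container fields now alias the same `*bool` as the pod-level `RunAsNonRoot`, so a later `*RunAsNonRoot = false` elsewhere would flip rorfs on every container too; `ptr.To(*pod.Spec.SecurityContext.RunAsNonRoot)` guarded by a nil check, or a local `rorfs` variable computed once from `runAsUser`, avoids that coupling. `addSecurityContext` begins in the first hunk and its closing brace is on new line 389 in the second, so the whole function is visible here.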
