Merge pull request #1850 from yiannistri/52501-hardened

fix: Set `securityContext` field to Turtles controller and hooks manifests

Author: alexander-demicev

charts/rancher-turtles/templates/clusterctl-cm-cleanup-job.yaml

@@ -62,5 +62,14 @@ spec:
           - --namespace={{ .Values.namespace }}
           - clusterctl-config
           - --ignore-not-found=true
+          securityContext:
+            seccompProfile:
+              type: RuntimeDefault
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+              - ALL
+            runAsNonRoot: true
+            runAsUser: 1000
       restartPolicy: Never
 {{- end }}

charts/rancher-turtles/templates/core-provider.yaml

@@ -1,14 +1,9 @@
 {{- if index .Values "cluster-api-operator" "cluster-api" "enabled" }}
-{{- $namespace := index .Values "cluster-api-operator" "cluster-api" "core" "namespace" }}
-{{- if not (lookup "v1" "Namespace" "" $namespace) }}
 ---
 apiVersion: v1
 kind: Namespace
 metadata:
-  annotations:
-    "helm.sh/hook-weight": "1"
   name: {{ index .Values "cluster-api-operator" "cluster-api" "core" "namespace" }}
-{{- end }}
 ---
 apiVersion: turtles-capi.cattle.io/v1alpha1
 kind: CAPIProvider

charts/rancher-turtles/templates/deployment.yaml

@@ -75,6 +75,15 @@ spec:
         volumeMounts:
         {{- toYaml . | nindent 12 }}
         {{- end }}
+        securityContext:
+          seccompProfile:
+            type: RuntimeDefault
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          runAsNonRoot: true
+          runAsUser: 65532
       serviceAccountName: rancher-turtles-manager
       terminationGracePeriodSeconds: 10
       {{- with .Values.volumes }}

charts/rancher-turtles/templates/post-delete-job.yaml

@@ -69,6 +69,15 @@ spec:
           - mutatingwebhookconfigurations.admissionregistration.k8s.io
           - capi-mutating-webhook-configuration
           - --ignore-not-found=true
+          securityContext:
+            seccompProfile:
+              type: RuntimeDefault
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+              - ALL
+            runAsNonRoot: true
+            runAsUser: 1000
       restartPolicy: Never
 ---
 apiVersion: batch/v1
@@ -93,6 +102,15 @@ spec:
           - validatingwebhookconfigurations.admissionregistration.k8s.io
           - capi-validating-webhook-configuration
           - --ignore-not-found=true
+          securityContext:
+            seccompProfile:
+              type: RuntimeDefault
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+              - ALL
+            runAsNonRoot: true
+            runAsUser: 1000
       restartPolicy: Never
 ---
 apiVersion: batch/v1
@@ -119,4 +137,13 @@ spec:
         - -n
         - {{ index .Values "cluster-api-operator" "cluster-api" "core" "namespace" }}
         - --ignore-not-found=true
+        securityContext:
+          seccompProfile:
+            type: RuntimeDefault
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          runAsNonRoot: true
+          runAsUser: 1000
 {{- end }}

charts/rancher-turtles/templates/post-upgrade-job.yaml

@@ -112,6 +112,15 @@ spec:
           args:
           - "-c"
           - "/scripts/cleanup.sh"
+          securityContext:
+            seccompProfile:
+              type: RuntimeDefault
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+              - ALL
+            runAsNonRoot: true
+            runAsUser: 1000
           volumeMounts:
             - name: script
               mountPath: /scripts

charts/rancher-turtles/templates/pre-delete-job.yaml

@@ -65,5 +65,14 @@ spec:
           - {{ index .Values "cluster-api-operator" "cluster-api" "core" "namespace" }}
           - --ignore-not-found=true
           - --cascade=foreground
+          securityContext:
+            seccompProfile:
+              type: RuntimeDefault
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+              - ALL
+            runAsNonRoot: true
+            runAsUser: 1000
       restartPolicy: Never
 {{- end }}