From 3a4b944530712dc8ea5cbfc670940ec65dc093bb Mon Sep 17 00:00:00 2001
From: Zhiwei Yin
Date: Wed, 6 Dec 2023 21:52:10 +0800
Subject: [PATCH] update deployment securityContext
Signed-off-by: Zhiwei Yin
---
 .../templates/manager-deployment.yaml | 8 ++++++++
 .../templates/addon-agent-deployment.yaml | 16 ++++++++++++++++
 pkg/proxyserver/controllers/manifests.go | 19 +++++++++++++++++++
 3 files changed, 43 insertions(+)
diff --git a/charts/cluster-proxy/templates/manager-deployment.yaml b/charts/cluster-proxy/templates/manager-deployment.yaml
index 1e1c493a..64fed8b2 100644
--- a/charts/cluster-proxy/templates/manager-deployment.yaml
+++ b/charts/cluster-proxy/templates/manager-deployment.yaml
@@ -24,3 +24,11 @@ spec:
 - --leader-elect=true
 - --signer-secret-namespace={{ .Release.Namespace }}
 - --agent-install-all=true
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ runAsNonRoot: true
+ readOnlyRootFilesystem: true
diff --git a/pkg/proxyagent/agent/manifests/charts/addon-agent/templates/addon-agent-deployment.yaml b/pkg/proxyagent/agent/manifests/charts/addon-agent/templates/addon-agent-deployment.yaml
index ef6dcba5..4fbeb26d 100644
--- a/pkg/proxyagent/agent/manifests/charts/addon-agent/templates/addon-agent-deployment.yaml
+++ b/pkg/proxyagent/agent/manifests/charts/addon-agent/templates/addon-agent-deployment.yaml
@@ -51,6 +51,14 @@ spec:
 {{- range .Values.additionalProxyAgentArgs }}
 - {{ . }}
 {{- end }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ runAsNonRoot: true
+ readOnlyRootFilesystem: true
 volumeMounts:
 - name: ca
 mountPath: /etc/ca
@@ -75,6 +83,14 @@ spec:
 {{- range .Values.addonAgentArgs }}
 - {{ . }}
 {{- end }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ runAsNonRoot: true
+ readOnlyRootFilesystem: true
 volumeMounts:
 - name: hub-kubeconfig
 mountPath: /etc/kubeconfig/
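Review bot: `runAsNonRoot: true` in all three YAML hunks (manager container, proxy-agent container, addon-agent container) is only enforceable when the kubelet can prove the UID is non-zero; unless the images declare a numeric non-root `USER`, or the context also sets `runAsUser`, the container is rejected at start with CreateContainerConfigError rather than hardened. Adding `runAsUser: <non-root uid>` next to the existing keys removes that dependency on image metadata, and the same applies to the proxy-server SecurityContext added in pkg/proxyserver/controllers/manifests.go. The block also stops short of the restricted Pod Security Standard: it has no `seccompProfile: {type: RuntimeDefault}`, which that profile requires and which fits beside `capabilities` in each of the four places. `readOnlyRootFilesystem: true` presumably assumes none of the three binaries writes under the root filesystem at runtime; if any writes temp or cache files, an `emptyDir` mount for that path is needed or the container fails at runtime instead of at admission.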
diff --git a/pkg/proxyserver/controllers/manifests.go b/pkg/proxyserver/controllers/manifests.go
index f44fdc2e..4864b1db 100644
--- a/pkg/proxyserver/controllers/manifests.go
+++ b/pkg/proxyserver/controllers/manifests.go
@@ -126,6 +126,15 @@ func newProxyServerDeployment(config *proxyv1alpha1.ManagedProxyConfiguration) *
 "--cluster-cert=/etc/agent-pki/tls.crt",
 "--cluster-key=/etc/agent-pki/tls.key",
 }, config.Spec.ProxyServer.AdditionalArgs...),
+ SecurityContext: &corev1.SecurityContext{
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ Privileged: falsePtr(),
+ RunAsNonRoot: truePtr(),
+ ReadOnlyRootFilesystem: truePtr(),
+ AllowPrivilegeEscalation: falsePtr(),
+ },
 VolumeMounts: []corev1.VolumeMount{
 {
 Name: "proxy-server-ca-certs",
@@ -220,3 +229,13 @@ func newProxyServerRoleBinding(config *proxyv1alpha1.ManagedProxyConfiguration)
 }
 }
+
+func truePtr() *bool {
+ t := true
+ return &t
+}
+
+func falsePtr() *bool {
+ t := false
+ return &t
+}
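Review bot: `truePtr` and `falsePtr` in the second hunk are two copies of the same three-line body, and the local in `falsePtr` is named `t` although it holds `false`. A single helper that takes the value reads more clearly and keeps the first hunk's call sites self-describing: `func boolPtr(v bool) *bool { return &v }`, used as `Privileged: boolPtr(false)`, `RunAsNonRoot: boolPtr(true)` and so on; if the module already depends on k8s.io/utils, its `ptr.To(true)` is the stock form and needs no local helper at all. Either way the helpers are unexported and carry no comment, so a one-liner such as `// boolPtr returns a pointer to v, for the optional bool fields of the corev1 API.` would state the intent for the next reader.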