fix vulnerabilities in our operator image/chart

- add a security context to the chart - bump debian to 12 (bookworm) - only install java into the final image
responsivedev · Dec 13, 2023 · 9bb79c3 · 9bb79c3
1 parent 6139222
commit 9bb79c3
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 1 deletion.
diff --git a/operator/docker/Dockerfile b/operator/docker/Dockerfile
@@ -1,4 +1,5 @@
-FROM debian:11.6
+FROM debian:12.2 as getjava
+LABEL stage=getjava
 
 ARG TARGETPLATFORM
 
@@ -8,10 +9,19 @@ RUN apt install -y wget
 RUN echo $TARGETPLATFORM
 RUN if [ "$TARGETPLATFORM" = "linux/amd64" ]; then wget https://download.oracle.com/java/21/latest/jdk-21_linux-x64_bin.tar.gz -O jdk-21.tar.gz; fi
 RUN if [ "$TARGETPLATFORM" = "linux/arm64" ]; then wget https://download.oracle.com/java/21/latest/jdk-21_linux-aarch64_bin.tar.gz -O jdk-21.tar.gz; fi
+
+FROM debian:12.2
+LABEL stage=final
+
+COPY --from=getjava jdk-21.tar.gz jdk-21.tar.gz
+
 RUN mkdir /usr/lib/jvm && tar zxvf jdk-21.tar.gz --directory /usr/lib/jvm
 RUN update-alternatives --install /usr/bin/java java /usr/lib/jvm/jdk-21.0.1/bin/java 1
 
 COPY libs/*.jar /usr/share/java/responsive-operator/
 COPY scripts/* /
 
+RUN groupadd -g 2000 responsive && useradd -g 2000 responsive-operator
+USER responsive-operator:responsive
+
 CMD /run-operator
diff --git a/operator/src/main/helm/templates/deployment.yaml b/operator/src/main/helm/templates/deployment.yaml
@@ -21,6 +21,8 @@ spec:
       labels:
         app: responsiveoperator
     spec:
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
       {{- with .Values.imagePullSecrets }}
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
@@ -43,6 +45,8 @@ spec:
                 value: {{ .Values.operatorOpts }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 10 }}
           volumeMounts:
             - name: cfg
               mountPath: /etc/responsive-operator/
@@ -57,11 +61,13 @@ spec:
           secret:
             secretName: {{ .Values.controllerSecret }}
             optional: true
+            defaultMode: 0444
         {{- if ne .Values.logging.kafka.keySecret "" }}
         - name: logging-kafka-key
           secret:
             secretName: {{ .Values.logging.kafka.keySecret }}
             optional: true
+            defaultMode: 0444
         {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:

diff --git a/operator/src/main/helm/values.yaml b/operator/src/main/helm/values.yaml
@@ -35,6 +35,17 @@ controllerEndpoint: dns:///controller:4242
 
 controllerSecret: ctl-secret
 
+securityContext:
+  capabilities:
+    add: ["NET_ADMIN", "SYS_TIME"]
+    allowPrivilegeEscalation: false
+    readOnlyRootFilesystem: true
+
+podSecurityContext:
+  runAsRoot: false
+  seccompProfile:
+    type: RuntimeDefault
+
 podAnnotations: {}
 
 resources: {}