From 9bb79c34d2e6a6a7dc4f593e3884e98e9dad1afe Mon Sep 17 00:00:00 2001
From: Rohan Desai
Date: Wed, 13 Dec 2023 13:49:01 -0800
Subject: [PATCH] fix vulnerabilities in our operator image/chart

- add a security context to the chart
- bump debian to 12 (bookworm)
- only install java into the final image
---
 operator/docker/Dockerfile | 12 +++++++++++-
 operator/src/main/helm/templates/deployment.yaml | 6 ++++++
 operator/src/main/helm/values.yaml | 11 +++++++++++
 3 files changed, 28 insertions(+), 1 deletion(-)

diff --git a/operator/docker/Dockerfile b/operator/docker/Dockerfile
index 52f8c35b2..0f7af5f53 100644
--- a/operator/docker/Dockerfile
+++ b/operator/docker/Dockerfile
@@ -1,4 +1,5 @@
-FROM debian:11.6
+FROM debian:12.2 as getjava
+LABEL stage=getjava
 ARG TARGETPLATFORM
@@ -8,10 +9,19 @@ RUN apt install -y wget
 RUN echo $TARGETPLATFORM
 RUN if [ "$TARGETPLATFORM" = "linux/amd64" ]; then wget https://download.oracle.com/java/21/latest/jdk-21_linux-x64_bin.tar.gz -O jdk-21.tar.gz; fi
 RUN if [ "$TARGETPLATFORM" = "linux/arm64" ]; then wget https://download.oracle.com/java/21/latest/jdk-21_linux-aarch64_bin.tar.gz -O jdk-21.tar.gz; fi
+
+FROM debian:12.2
+LABEL stage=final
+
+COPY --from=getjava jdk-21.tar.gz jdk-21.tar.gz
+
 RUN mkdir /usr/lib/jvm && tar zxvf jdk-21.tar.gz --directory /usr/lib/jvm
 RUN update-alternatives --install /usr/bin/java java /usr/lib/jvm/jdk-21.0.1/bin/java 1
 COPY libs/*.jar /usr/share/java/responsive-operator/
 COPY scripts/* /
+RUN groupadd -g 2000 responsive && useradd -g 2000 responsive-operator
+USER responsive-operator:responsive
+
 CMD /run-operator
diff --git a/operator/src/main/helm/templates/deployment.yaml b/operator/src/main/helm/templates/deployment.yaml
index e2af39c59..6e3ca27ec 100644
--- a/operator/src/main/helm/templates/deployment.yaml
+++ b/operator/src/main/helm/templates/deployment.yaml
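Review bot: `useradd -g 2000 responsive-operator` leaves the UID to be picked by the system and `USER responsive-operator:responsive` switches by name, so a Kubernetes `runAsNonRoot: true` (which the chart side of this commit appears to be aiming for) cannot verify the image user from its metadata and refuses to start the container with "image has non-numeric user" unless `runAsUser` is also supplied; allocate a fixed UID and switch numerically, `useradd -u 2000 -g 2000 responsive-operator` and `USER 2000:2000`. `COPY --from=getjava jdk-21.tar.gz jdk-21.tar.gz` also lands the whole JDK archive in a final-image layer and nothing removes it afterwards, so the shipped image carries the tarball on top of the extracted JDK; extracting inside `getjava` and copying only `/usr/lib/jvm` across keeps the archive out of the final image. The `wget` lines are unchanged context, but the `latest` URL is unpinned and unverified while `update-alternatives` hardcodes `jdk-21.0.1`, so the next Oracle release will break this build or silently swap the JDK — pinning the versioned URL and checking its sha256 in the same `RUN` would make the stage reproducible.
```dockerfile
# … unchanged: getjava stage up to and including the two wget lines …
# Unpack in the build stage so only the extracted JDK is copied forward.
RUN mkdir /usr/lib/jvm && tar zxf jdk-21.tar.gz --directory /usr/lib/jvm

FROM debian:12.2
LABEL stage=final

COPY --from=getjava /usr/lib/jvm /usr/lib/jvm
RUN update-alternatives --install /usr/bin/java java /usr/lib/jvm/jdk-21.0.1/bin/java 1
# … unchanged: COPY libs/*.jar … and COPY scripts/* / …
# Fixed numeric UID/GID so runAsNonRoot can be verified without runAsUser.
RUN groupadd -g 2000 responsive && useradd -u 2000 -g 2000 responsive-operator
USER 2000:2000
```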
@@ -21,6 +21,8 @@ spec:
 labels:
 app: responsiveoperator
 spec:
+ securityContext:
+ {{- toYaml .Values.podSecurityContext | nindent 8 }}
 {{- with .Values.imagePullSecrets }}
 imagePullSecrets:
 {{- toYaml . | nindent 8 }}
@@ -43,6 +45,8 @@ spec:
 value: {{ .Values.operatorOpts }}
 resources:
 {{- toYaml .Values.resources | nindent 12 }}
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 10 }}
 volumeMounts:
 - name: cfg
 mountPath: /etc/responsive-operator/
@@ -57,11 +61,13 @@ spec:
 secret:
 secretName: {{ .Values.controllerSecret }}
 optional: true
+ defaultMode: 0444
 {{- if ne .Values.logging.kafka.keySecret "" }}
 - name: logging-kafka-key
 secret:
 secretName: {{ .Values.logging.kafka.keySecret }}
 optional: true
+ defaultMode: 0444
 {{- end }}
 {{- with .Values.nodeSelector }}
 nodeSelector:
diff --git a/operator/src/main/helm/values.yaml b/operator/src/main/helm/values.yaml
index 826bc5b51..d528951b0 100644
--- a/operator/src/main/helm/values.yaml
+++ b/operator/src/main/helm/values.yaml
@@ -35,6 +35,17 @@ controllerEndpoint: dns:///controller:4242
 controllerSecret: ctl-secret
+securityContext:
+ capabilities:
+ add: ["NET_ADMIN", "SYS_TIME"]
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+
+podSecurityContext:
+ runAsRoot: false
+ seccompProfile:
+ type: RuntimeDefault
+
 podAnnotations: {}
 resources: {}
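Review bot: The container-level `securityContext:` renders its body with `nindent 10` while the neighbouring `resources:` uses `nindent 12`, and the hunk's own indentation is not visible here, so this needs checking: if `securityContext:` sits in the same column as `resources:`, `nindent 10` emits `capabilities`/`allowPrivilegeEscalation`/`readOnlyRootFilesystem` as siblings of the container's own keys, where they are unknown fields that the API server prunes or rejects instead of applying. `{{- toYaml .Values.securityContext | nindent 12 }}` is correct in either layout, since YAML accepts a nested mapping indented deeper than its key. `helm template … | kubectl apply --dry-run=server -f -` would confirm the fields land under the container. The enclosing container entry starts and ends outside the hunk.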
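Review bot: `defaultMode: 0444` makes the controller and Kafka key files readable by every UID in the container; it works because Kubernetes projects secret files as root-owned and the pod now runs as a non-root user, but it is broader than needed. Setting `fsGroup: 2000` in `podSecurityContext` and using `defaultMode: 0440` on both volumes lets only the operator's group read the key material. Note that Helm's YAML parser reads `0444` as octal (decimal 292), which is the intended mode; if these values ever move into a JSON values file, pass `292` (or `288` for 0440) rather than the octal literal.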
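Review bot: `runAsRoot: false` is not a field of PodSecurityContext — the field is `runAsNonRoot: true` — so the non-root guarantee this commit sets out to add is not enforced at all; the API server prunes the unknown key (or rejects the manifest under strict field validation). Replace it with `runAsNonRoot: true`, `runAsUser: 2000` and `runAsGroup: 2000`, which pins the pod to the group the Dockerfile now creates and lets the kubelet verify non-root without consulting the image's `/etc/passwd`. `capabilities.add: ["NET_ADMIN", "SYS_TIME"]` should be justified or removed: nothing in this patch shows the operator reconfiguring networking or the clock, a process running as a non-root UID typically does not receive added capabilities as effective ones anyway, and a hardening pass would normally start from `drop: ["ALL"]` and add back only what is demonstrably needed. If they are intentional, a comment next to `add:` naming the operation that requires them would stop the next reviewer from stripping them.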