Use restricted pod security level (#204)

Signed-off-by: Tamal Saha <[email protected]>

charts/kubevault-operator/values.yaml

@@ -29,19 +29,22 @@ operator:
   repository: vault-operator
   # KubeVault operator container image tag
   tag: ""
+  # Security options this container should run with
+  securityContext: # +doc-gen:break
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop: ["ALL"]
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+    runAsUser: 65534
+    seccompProfile:
+      type: RuntimeDefault
   # Compute Resources required by the operator container
   resources: {}
   # requests:
   #   cpu: 100m
   #   memory: 128Mi
-  # Security options the operator container should run with
-  securityContext: {}
-  # capabilities:
-  #   drop:
-  #   - ALL
-  # readOnlyRootFilesystem: true
-  # runAsNonRoot: true
-  # runAsUser: 1000
+
 # Specify an array of imagePullSecrets.
 # Secrets must be manually created in the namespace.
 #

charts/kubevault-webhook-server/values.yaml

@@ -29,19 +29,22 @@ server:
   repository: vault-operator
   # KubeVault webhook server container image tag
   tag: ""
+  # Security options this container should run with
+  securityContext: # +doc-gen:break
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop: ["ALL"]
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+    runAsUser: 65534
+    seccompProfile:
+      type: RuntimeDefault
   # Compute Resources required by the webhook server container
   resources: {}
   # requests:
   #   cpu: 100m
   #   memory: 128Mi
-  # Security options the webhook server container should run with
-  securityContext: {}
-  # capabilities:
-  #   drop:
-  #   - ALL
-  # readOnlyRootFilesystem: true
-  # runAsNonRoot: true
-  # runAsUser: 1000
+
 # Specify an array of imagePullSecrets.
 # Secrets must be manually created in the namespace.
 #

go.mod

@@ -18,16 +18,11 @@ require (
 	sigs.k8s.io/yaml v1.3.0
 )
 
-require (
-	github.com/fsnotify/fsnotify v1.6.0 // indirect
-	github.com/mattn/go-colorable v0.1.13 // indirect
-	github.com/stretchr/testify v1.8.3 // indirect
-)
-
 require (
 	github.com/Masterminds/goutils v1.1.1 // indirect
 	github.com/codegangsta/inject v0.0.0-20150114235600-33e0aa1cb7c0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/fsnotify/fsnotify v1.6.0 // indirect
 	github.com/go-logr/logr v1.2.3 // indirect
 	github.com/gobeam/stringy v0.0.5 // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
@@ -36,6 +31,7 @@ require (
 	github.com/huandu/xstrings v1.3.1 // indirect
 	github.com/imdario/mergo v0.3.13 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mitchellh/copystructure v1.0.0 // indirect
 	github.com/mitchellh/reflectwalk v1.0.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
@@ -45,6 +41,7 @@ require (
 	github.com/sergi/go-diff v1.2.0 // indirect
 	github.com/shopspring/decimal v1.2.0 // indirect
 	github.com/spf13/cast v1.3.1 // indirect
+	github.com/stretchr/testify v1.8.3 // indirect
 	github.com/yudai/golcs v0.0.0-20170316035057-ecda9a501e82 // indirect
 	golang.org/x/crypto v0.9.0 // indirect
 	golang.org/x/net v0.10.0 // indirect

hack/scripts/ct.sh

@@ -21,9 +21,16 @@ for dir in charts/*/; do
     dir=${dir##*/}
     num_files=$(find charts/${dir}/templates -type f | wc -l)
     echo $dir
-    if [ $num_files -le 1 ] || [[ "$dir" = "kubevault" ]] || [[ "$dir" = "secrets-store-reader" ]] || [[ "$dir" =~ "-crds" ]]; then
+    if [ $num_files -le 1 ] ||
+        [[ "$dir" = "kubevault" ]] ||
+        [[ "$dir" = "secrets-store-reader" ]] ||
+        [[ "$dir" =~ "-crds" ]]; then
         make ct CT_COMMAND=lint TEST_CHARTS=charts/$dir
     else
-        make ct TEST_CHARTS=charts/$dir
+        ns=app-$(date +%s | head -c 6)
+        kubectl create ns $ns
+        kubectl label ns $ns pod-security.kubernetes.io/enforce=restricted
+        make ct TEST_CHARTS=charts/$dir KUBE_NAMESPACE=$ns
+        kubectl delete ns $ns || true
     fi
 done