Add securityContext to skupper-router deployment

Fixes #2326

Author: fgiorgetti

internal/kube/site/resources/apply.go

@@ -6,6 +6,7 @@ import (
 	_ "embed"
 	"fmt"
 	"strconv"
+	"strings"
 
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"sigs.k8s.io/yaml"
@@ -29,12 +30,12 @@ type Labelling interface {
 	SetAnnotations(namespace string, name string, kind string, annotations map[string]string) bool
 }
 
-func resourceTemplates(site *skupperv2alpha1.Site, group string, size sizing.Sizing, labelling Labelling) []resource.Template {
+func resourceTemplates(clients internalclient.Clients, site *skupperv2alpha1.Site, group string, size sizing.Sizing, labelling Labelling) []resource.Template {
 	templates := []resource.Template{
 		{
 			Name:       "deployment",
 			Template:   routerDeploymentTemplate,
-			Parameters: getCoreParams(site, group, size).setLabelsAndAnnotations(labelling, site.Namespace, "skupper-router", "Deployment"),
+			Parameters: getCoreParams(clients, site, group, size).setLabelsAndAnnotations(labelling, site.Namespace, "skupper-router", "Deployment"),
 			Resource: schema.GroupVersionResource{
 				Group:    "apps",
 				Version:  "v1",
@@ -44,7 +45,7 @@ func resourceTemplates(site *skupperv2alpha1.Site, group string, size sizing.Siz
 		{
 			Name:       "localService",
 			Template:   routerLocalServiceTemplate,
-			Parameters: getCoreParams(site, group, size).setLabelsAndAnnotations(labelling, site.Namespace, "skupper-router-local", "Service"),
+			Parameters: getCoreParams(clients, site, group, size).setLabelsAndAnnotations(labelling, site.Namespace, "skupper-router-local", "Service"),
 			Resource: schema.GroupVersionResource{
 				Group:    "",
 				Version:  "v1",
@@ -68,6 +69,7 @@ type CoreParams struct {
 	Labels             map[string]string
 	Annotations        map[string]string
 	EnableAntiAffinity bool
+	AddPodSecurity     bool
 }
 
 func (p *CoreParams) setLabelsAndAnnotations(labelling Labelling, namespace string, name string, kind string) *CoreParams {
@@ -149,7 +151,7 @@ func configDigest(config *skupperv2alpha1.SiteSpec) string {
 	return ""
 }
 
-func getCoreParams(site *skupperv2alpha1.Site, group string, size sizing.Sizing) *CoreParams {
+func getCoreParams(clients internalclient.Clients, site *skupperv2alpha1.Site, group string, size sizing.Sizing) *CoreParams {
 	return &CoreParams{
 		SiteId:             site.GetSiteId(),
 		SiteName:           site.Name,
@@ -162,11 +164,26 @@ func getCoreParams(site *skupperv2alpha1.Site, group string, size sizing.Sizing)
 		Sizing:             size,
 		Labels:             map[string]string{},
 		EnableAntiAffinity: enableAntiAffinity(site),
+		AddPodSecurity:     addPodSecurityContext(clients),
+	}
+}
+
+// addPodSecurityContext Only added if server version is >=1.24
+func addPodSecurityContext(cli internalclient.Clients) bool {
+	vi, err := cli.GetKubeClient().Discovery().ServerVersion()
+	if err != nil {
+		return false
+	}
+	// for kubernetes versions 1.24+
+	if vi.Major == "1" && strings.Compare(vi.Minor, "24") >= 0 {
+		return true
+	} else {
+		return false
 	}
 }
 
 func Apply(clients internalclient.Clients, ctx context.Context, site *skupperv2alpha1.Site, group string, size sizing.Sizing, labelling Labelling) error {
-	for _, t := range resourceTemplates(site, group, size, labelling) {
+	for _, t := range resourceTemplates(clients, site, group, size, labelling) {
 		_, err := t.Apply(clients.GetDynamicClient(), ctx, site.Namespace)
 		if err != nil {
 			return err

internal/kube/site/resources/skupper-router-deployment.yaml

@@ -79,6 +79,12 @@ spec:
           successThreshold: 1
           timeoutSeconds: 1
         name: router
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+              - ALL
+          runAsNonRoot: true
         ports:
         - containerPort: 5671
           name: amqps
@@ -125,6 +131,12 @@ spec:
         image: {{ .AdaptorImage.Name }}
         imagePullPolicy: {{ .AdaptorImage.PullPolicy }}
         name: kube-adaptor
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+              - ALL
+          runAsNonRoot: true
         readinessProbe:
           failureThreshold: 3
           httpGet:
@@ -152,6 +164,12 @@ spec:
         image: {{ .AdaptorImage.Name }}
         imagePullPolicy: {{ .AdaptorImage.PullPolicy }}
         name: config-init
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+              - ALL
+          runAsNonRoot: true
         command: ["/app/kube-adaptor", "-init"]
         volumeMounts:
         - mountPath: /etc/skupper-router-certs
@@ -163,6 +181,12 @@ spec:
       volumes:
       - emptyDir: {}
         name: skupper-router-certs
+{{- if .AddPodSecurity }}
+      securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
+{{- end }}
 {{- if .EnableAntiAffinity}}
       affinity:
         podAntiAffinity: