feat: restricted security context

Author: yetone

controllers/resources/bentorequest_controller.go

@@ -35,6 +35,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/tools/record"
+	"k8s.io/utils/pointer"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
@@ -1170,6 +1171,17 @@ echo "Done"
 		})
 	}
 
+	restrictedSecurityContext := &corev1.SecurityContext{
+		AllowPrivilegeEscalation: pointer.BoolPtr(false),
+		RunAsNonRoot:             pointer.BoolPtr(true),
+		SeccompProfile: &corev1.SeccompProfile{
+			Type: corev1.SeccompProfileTypeRuntimeDefault,
+		},
+		Capabilities: &corev1.Capabilities{
+			Drop: []corev1.Capability{"ALL"},
+		},
+	}
+
 	initContainers := []corev1.Container{
 		{
 			Name:  "bento-downloader",
@@ -1179,9 +1191,10 @@ echo "Done"
 				"-c",
 				bentoDownloadCommand,
 			},
-			VolumeMounts: volumeMounts,
-			Resources:    downloaderContainerResources,
-			EnvFrom:      downloaderContainerEnvFrom,
+			VolumeMounts:    volumeMounts,
+			Resources:       downloaderContainerResources,
+			EnvFrom:         downloaderContainerEnvFrom,
+			SecurityContext: restrictedSecurityContext,
 		},
 	}
 
@@ -1294,9 +1307,10 @@ echo "Done"
 				"-c",
 				modelDownloadCommand,
 			},
-			VolumeMounts: volumeMounts,
-			Resources:    downloaderContainerResources,
-			EnvFrom:      downloaderContainerEnvFrom,
+			VolumeMounts:    volumeMounts,
+			Resources:       downloaderContainerResources,
+			EnvFrom:         downloaderContainerEnvFrom,
+			SecurityContext: restrictedSecurityContext,
 		})
 	}
 
@@ -1498,6 +1512,7 @@ echo "Done"
 		Env:             envs,
 		TTY:             true,
 		Stdin:           true,
+		SecurityContext: restrictedSecurityContext,
 	}
 
 	if opt.BentoRequest.Spec.ImageBuilderContainerResources != nil {
@@ -1517,6 +1532,12 @@ echo "Done"
 			Containers: []corev1.Container{
 				container,
 			},
+			SecurityContext: &corev1.PodSecurityContext{
+				RunAsNonRoot: pointer.BoolPtr(true),
+				SeccompProfile: &corev1.SeccompProfile{
+					Type: corev1.SeccompProfileTypeRuntimeDefault,
+				},
+			},
 		},
 	}
 

helm/yatai-image-builder/values.yaml

@@ -27,16 +27,16 @@ serviceAccount:
 
 podAnnotations: {}
 
-podSecurityContext: {}
-  # fsGroup: 2000
-
-securityContext: {}
-  # capabilities:
-  #   drop:
-  #   - ALL
-  # readOnlyRootFilesystem: true
-  # runAsNonRoot: true
-  # runAsUser: 1000
+podSecurityContext:
+  runAsNonRoot: true
+  seccompProfile:
+    type: RuntimeDefault
+
+securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+    - ALL
 
 service:
   type: ClusterIP