From 6206b85a08f4d5aa7b96eb8aa53a7f9d37332bd4 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Tue, 30 May 2023 14:33:58 +0200
Subject: [PATCH] Harden the deployment and the profilebundle

Drops caps and makes both run as non-root explicitly to suppress warnings from PSA.
---
 .../compliance-operator.clusterserviceversion.yaml | 4 ++++
 config/manager/deployment.yaml | 3 +++
 pkg/controller/profilebundle/profilebundle_controller.go | 6 ++++++
 3 files changed, 13 insertions(+)

diff --git a/bundle/manifests/compliance-operator.clusterserviceversion.yaml b/bundle/manifests/compliance-operator.clusterserviceversion.yaml
index efc7aa21b..9cf081463 100644
--- a/bundle/manifests/compliance-operator.clusterserviceversion.yaml
+++ b/bundle/manifests/compliance-operator.clusterserviceversion.yaml
@@ -1296,7 +1296,11 @@ spec:
 memory: 20Mi
 securityContext:
 allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
 readOnlyRootFilesystem: true
+ runAsNonRoot: true
 volumeMounts:
 - mountPath: /var/run/secrets/serving-cert
 name: serving-cert
diff --git a/config/manager/deployment.yaml b/config/manager/deployment.yaml
index ba83b9432..d57336712 100644
--- a/config/manager/deployment.yaml
+++ b/config/manager/deployment.yaml
@@ -27,6 +27,9 @@ spec:
 securityContext:
 readOnlyRootFilesystem: true
 allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ capabilities:
+ drop: ["ALL"]
 resources:
 requests:
 memory: "20Mi"
diff --git a/pkg/controller/profilebundle/profilebundle_controller.go b/pkg/controller/profilebundle/profilebundle_controller.go
index f80754c8a..b389215aa 100644
--- a/pkg/controller/profilebundle/profilebundle_controller.go
+++ b/pkg/controller/profilebundle/profilebundle_controller.go
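Review bot: The container securityContext in both YAML hunks still lacks `seccompProfile`, which the PSA restricted profile also requires at pod or container level, so unless the pod-level securityContext outside these hunks already sets it, the warnings this commit aims to suppress will persist; add `seccompProfile: {type: RuntimeDefault}` next to `runAsNonRoot: true` in both files, and the same gap applies to the three SecurityContext literals in the profilebundle_controller.go hunks. `runAsNonRoot: true` without a `runAsUser` relies on the image's USER directive (or, on OpenShift, the SCC-assigned UID) being non-zero; if the image itself runs as root the container fails to start with CreateContainerConfigError rather than merely warning, so the image's USER should be confirmed before merging. The bundle CSV and config/manager/deployment.yaml express the same fields in different forms (block list vs `drop: ["ALL"]`, different key order), which suggests the CSV was edited by hand; if the bundle is generated from the config manifests, regenerating it would keep the two from drifting.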
@@ -439,6 +439,7 @@ func (r *ReconcileProfileBundle) newWorkloadForBundle(pb *compliancev1alpha1.Pro
 SecurityContext: &corev1.SecurityContext{
 AllowPrivilegeEscalation: &falseP,
 ReadOnlyRootFilesystem: &trueP,
+ RunAsNonRoot: &trueP,
 Capabilities: &corev1.Capabilities{
 Drop: []corev1.Capability{"ALL"},
 },
@@ -466,6 +467,7 @@ func (r *ReconcileProfileBundle) newWorkloadForBundle(pb *compliancev1alpha1.Pro
 SecurityContext: &corev1.SecurityContext{
 AllowPrivilegeEscalation: &falseP,
 ReadOnlyRootFilesystem: &trueP,
+ RunAsNonRoot: &trueP,
 Capabilities: &corev1.Capabilities{
 Drop: []corev1.Capability{"ALL"},
 },
@@ -502,6 +504,10 @@ func (r *ReconcileProfileBundle) newWorkloadForBundle(pb *compliancev1alpha1.Pro
 SecurityContext: &corev1.SecurityContext{
 AllowPrivilegeEscalation: &falseP,
 ReadOnlyRootFilesystem: &trueP,
+ RunAsNonRoot: &trueP,
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
 },
 Command: []string{
 "/bin/sh", "-c",
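Review bot: The hardened SecurityContext literal is now repeated verbatim for three containers inside newWorkloadForBundle, and the third hunk shows the cost of that duplication — that container had been missing `Capabilities` until this commit while the other two already dropped ALL. A small helper returning the shared context would keep the three from drifting again and gives one place to add further fields such as a seccomp profile; each literal then becomes `SecurityContext: hardenedSecurityContext(),`. newWorkloadForBundle begins and ends outside the hunks, so the `falseP`/`trueP` locals it uses are not visible here.

```go
// hardenedSecurityContext returns the container SecurityContext shared by
// every container of the profilebundle workload, so the hardening settings
// are declared once rather than repeated per container.
func hardenedSecurityContext() *corev1.SecurityContext {
	falseP, trueP := false, true
	return &corev1.SecurityContext{
		AllowPrivilegeEscalation: &falseP,
		ReadOnlyRootFilesystem:   &trueP,
		RunAsNonRoot:             &trueP,
		Capabilities: &corev1.Capabilities{
			Drop: []corev1.Capability{"ALL"},
		},
	}
}

// … unchanged: newWorkloadForBundle, with each of the three container
// SecurityContext literals replaced by the call below …
SecurityContext: hardenedSecurityContext(),
```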