diff --git a/.github/workflows/ci-test-incluster.yml b/.github/workflows/ci-test-incluster.yml new file mode 100644 index 0000000000..3050f488c9 --- /dev/null +++ b/.github/workflows/ci-test-incluster.yml 
@@ -0,0 +1,79 @@ +name: run-in-cluster-test + +on: + push: + branches: + - "**" + paths: + - "deployments/annotations/**" + - "deployments/generic/**" + - "tests/test-scenarios-github.sh" + - ".github/workflows/ci-test-incluster.yml" + pull_request: + branches: ["*"] + paths: + - "deployments/annotations/**" + - "deployments/generic/**" + - "tests/test-scenarios-github.sh" + - ".github/workflows/ci-test-incluster.yml" + +jobs: + manifest-test: + name: Run basic manifest tests / ${{ matrix.os }} + runs-on: ${{ matrix.os }} + strategy: + fail-fast: false + matrix: + os: [ubuntu-latest, ubuntu-18.04] + steps: + - name: Kernel version + run: uname -r + + - uses: actions/checkout@v2 + + - name: Setup Enviroment + run: | + ./contribution/k3s/install_k3s.sh + + - name: Install cmctl + run: | + OS=$(go env GOOS); ARCH=$(go env GOARCH); curl -sSL -o cmctl.tar.gz https://github.com/cert-manager/cert-manager/releases/download/v1.7.2/cmctl-$OS-$ARCH.tar.gz + tar xzf cmctl.tar.gz + sudo mv cmctl /usr/local/bin + + - name: Install annotation controller + run: | + kubectl apply -f deployments/annotations/cert-manager.yaml + kubectl wait pods --for=condition=ready -n cert-manager -l app.kubernetes.io/instance=cert-manager + cmctl check api --wait 300s + kubectl apply -f deployments/annotations/kubearmor-annotation-manager.yaml + kubectl wait pods --for=condition=ready -n kube-system -l kubearmor-app=kubearmor-annotation-manager + + - name: Apply KubeArmor manifest + run: | + kubectl apply -f deployments/generic/kubearmor.yaml + + - name: Test manifests + run: | + ./tests/test-scenarios-github.sh + + - name: Get pod informations + if: ${{ failure() }} + run: | + kubectl get po -n kube-system + kubectl describe po -n kube-system + + + - name: Archive log artifacts + if: ${{ failure() }} + uses: actions/upload-artifact@v2 + with: + name: kubearmor.logs + path: | + /tmp/kubearmor.test + /tmp/kubearmor.log + /tmp/kubearmor.msg + + - name: Check Results + if: ${{ always() }} + run: cat 
/tmp/kubearmor.test \ No newline at end of file diff --git a/KubeArmor/build/kubearmor-test-containerd.yaml b/KubeArmor/build/kubearmor-test-containerd.yaml index b8d426a7c7..b7032d36ae 100644 --- a/KubeArmor/build/kubearmor-test-containerd.yaml +++ b/KubeArmor/build/kubearmor-test-containerd.yaml @@ -79,6 +79,7 @@ spec: imagePullPolicy: Never securityContext: privileged: true + readOnlyRootFilesystem: true ports: - containerPort: 32767 livenessProbe: @@ -121,10 +122,14 @@ spec: - mountPath: /var/lib/docker name: docker-storage-path readOnly: true + - mountPath: /tmp + name: tmp-path terminationGracePeriodSeconds: 30 volumes: - emptyDir: {} name: bpf + - emptyDir: {} + name: tmp-path - hostPath: path: /lib/modules type: Directory diff --git a/KubeArmor/build/kubearmor-test-crio.yaml b/KubeArmor/build/kubearmor-test-crio.yaml index a396dc6dea..0c20fb9736 100644 --- a/KubeArmor/build/kubearmor-test-crio.yaml +++ b/KubeArmor/build/kubearmor-test-crio.yaml @@ -57,6 +57,7 @@ spec: - containerPort: 32767 securityContext: privileged: true + readOnlyRootFilesystem: true terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: @@ -83,6 +84,8 @@ spec: - mountPath: /run/crio name: crio-storage-path readOnly: true + - mountPath: /tmp + name: tmp-path dnsPolicy: ClusterFirstWithHostNet hostNetwork: true hostPID: true @@ -130,6 +133,8 @@ spec: path: /run/crio type: DirectoryOrCreate name: crio-storage-path + - emptyDir: {} + name: tmp-path --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition diff --git a/KubeArmor/build/kubearmor-test-docker.yaml b/KubeArmor/build/kubearmor-test-docker.yaml index df9aec6708..5025185fcc 100644 --- a/KubeArmor/build/kubearmor-test-docker.yaml +++ b/KubeArmor/build/kubearmor-test-docker.yaml @@ -79,6 +79,7 @@ spec: imagePullPolicy: Never securityContext: privileged: true + readOnlyRootFilesystem: true ports: - containerPort: 32767 livenessProbe: 
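Review bot: The `Install cmctl` step installs an unverified release tarball: `curl -sSL -o cmctl.tar.gz https://github.com/cert-manager/cert-manager/releases/download/v1.7.2/cmctl-$OS-$ARCH.tar.gz` is followed directly by `tar xzf` and `sudo mv cmctl /usr/local/bin`, so a substituted asset would be installed and executed on the runner with no integrity check. Record the expected digest in the workflow and check it before extracting, e.g. `echo "<EXPECTED_SHA256>  cmctl.tar.gz" | sha256sum -c -`. The same supply-chain concern applies to `actions/checkout@v2` and `actions/upload-artifact@v2`, which are mutable tags rather than commit SHAs. The job also runs with the default `GITHUB_TOKEN` scope; a top-level `permissions:` block with `contents: read` covers everything these steps do. The two `kubectl wait pods --for=condition=ready ...` calls run without `--timeout`, so they give up after kubectl's 30s default (and can fail early with "no matching resources found" if the pods are not created yet), which is likely to make the job flaky.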
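Review bot: `readOnlyRootFilesystem: true` is added alongside `privileged: true` in the kubearmor container's securityContext, and a privileged container keeps the capabilities needed to change its own mounts, so the read-only root is a best-effort hardening layer here rather than a boundary. Worth a comment at the securityContext so it is not read as stronger than it is, e.g. `# best-effort: root fs is read-only, but a privileged container can still alter its mounts`. The same pairing appears in the crio, docker and k3s test manifests in this diff and in the `init` container of every deployments/*/kubearmor.yaml.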
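Review bot: The new `tmp-path` volume is `emptyDir: {}` with no `sizeLimit`, so whatever the container writes to `/tmp` is bounded only by the node's ephemeral storage; the existing `bpf` emptyDir has the same shape, but `/tmp` is general scratch space and far more likely to grow. Consider `- emptyDir:` / `    sizeLimit: <LIMIT>` / `  name: tmp-path` so the kubelet can evict the pod when the limit is exceeded instead of letting it fill the node. This applies to every `tmp-path` volume added in this diff (the crio, docker and k3s test manifests and each deployments/*/kubearmor.yaml) and to the `corev1.EmptyDirVolumeSource{}` added in GenerateDaemonSet in deployments/get/objects.go.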
@@ -118,10 +119,14 @@ spec: - mountPath: /var/lib/docker name: docker-storage-path readOnly: true + - mountPath: /tmp + name: tmp-path terminationGracePeriodSeconds: 30 volumes: - emptyDir: {} name: bpf + - emptyDir: {} + name: tmp-path - hostPath: path: /lib/modules type: Directory diff --git a/KubeArmor/build/kubearmor-test-k3s.yaml b/KubeArmor/build/kubearmor-test-k3s.yaml index 6cdf5b2309..23111042bd 100644 --- a/KubeArmor/build/kubearmor-test-k3s.yaml +++ b/KubeArmor/build/kubearmor-test-k3s.yaml @@ -79,6 +79,7 @@ spec: imagePullPolicy: Never securityContext: privileged: true + readOnlyRootFilesystem: true ports: - containerPort: 32767 livenessProbe: @@ -118,9 +119,13 @@ spec: - mountPath: /var/lib/docker name: docker-storage-path readOnly: true + - mountPath: /tmp + name: tmp-path volumes: - emptyDir: {} name: bpf + - emptyDir: {} + name: tmp-path - hostPath: path: /lib/modules type: Directory diff --git a/deployments/AKS/kubearmor.yaml b/deployments/AKS/kubearmor.yaml index 856e34969d..1eea6feb6a 100644 --- a/deployments/AKS/kubearmor.yaml +++ b/deployments/AKS/kubearmor.yaml @@ -120,6 +120,8 @@ spec: - mountPath: /media/root/etc/os-release name: os-release-path readOnly: true + - mountPath: /tmp + name: tmp-path - mountPath: /usr/src name: usr-src-path readOnly: true @@ -142,6 +144,7 @@ spec: name: init securityContext: privileged: true + readOnlyRootFilesystem: true volumeMounts: - mountPath: /opt/kubearmor/BPF name: bpf @@ -157,6 +160,8 @@ spec: - mountPath: /media/root/etc/os-release name: os-release-path readOnly: true + - mountPath: /tmp + name: tmp-path - mountPath: /usr/src name: usr-src-path readOnly: true @@ -170,6 +175,8 @@ spec: volumes: - emptyDir: {} name: bpf + - emptyDir: {} + name: tmp-path - hostPath: path: /lib/modules type: Directory @@ -263,6 +270,8 @@ spec: requests: cpu: 100m memory: 20Mi + securityContext: + readOnlyRootFilesystem: true - args: - --metrics-addr=127.0.0.1:8080 - --enable-leader-election 
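Review bot: In deployments/AKS/kubearmor.yaml `readOnlyRootFilesystem: true` is added only to the `init` container's securityContext (`@@ -142,6 +144,7 @@`), while the container whose volumeMounts gain `/tmp` at `@@ -120,6 +120,8 @@` (which appears to be the main kubearmor container) has no securityContext change visible in this diff; the Go source in GenerateDaemonSet (`@@ -503,7 +528,8 @@` in deployments/get/objects.go) shows the same asymmetry, adding `ReadOnlyRootFilesystem` to the init container only. If the main container is meant to keep a writable root, a short comment saying why at its securityContext would save the next reader checking; if not, the same field belongs there too. The BottleRocket, EKS, GKE, OKE, docker, generic, k3s, microk8s and minikube manifests in this diff have the same shape.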
@@ -277,6 +286,8 @@ spec: requests: cpu: 100m memory: 20Mi + securityContext: + readOnlyRootFilesystem: true serviceAccountName: kubearmor terminationGracePeriodSeconds: 10 --- @@ -332,6 +343,8 @@ spec: requests: cpu: 100m memory: 20Mi + securityContext: + readOnlyRootFilesystem: true - args: - --metrics-addr=127.0.0.1:8080 - --enable-leader-election @@ -346,6 +359,8 @@ spec: requests: cpu: 100m memory: 20Mi + securityContext: + readOnlyRootFilesystem: true serviceAccountName: kubearmor terminationGracePeriodSeconds: 10 --- diff --git a/deployments/BottleRocket/kubearmor.yaml b/deployments/BottleRocket/kubearmor.yaml index 8d570ef673..091da1152a 100644 --- a/deployments/BottleRocket/kubearmor.yaml +++ b/deployments/BottleRocket/kubearmor.yaml @@ -121,6 +121,8 @@ spec: - mountPath: /media/root/etc/os-release name: os-release-path readOnly: true + - mountPath: /tmp + name: tmp-path - mountPath: /usr/src name: usr-src-path readOnly: true @@ -143,6 +145,7 @@ spec: name: init securityContext: privileged: true + readOnlyRootFilesystem: true volumeMounts: - mountPath: /opt/kubearmor/BPF name: bpf @@ -158,6 +161,8 @@ spec: - mountPath: /media/root/etc/os-release name: os-release-path readOnly: true + - mountPath: /tmp + name: tmp-path - mountPath: /usr/src name: usr-src-path readOnly: true @@ -171,6 +176,8 @@ spec: volumes: - emptyDir: {} name: bpf + - emptyDir: {} + name: tmp-path - hostPath: path: /lib/modules type: Directory @@ -264,6 +271,8 @@ spec: requests: cpu: 100m memory: 20Mi + securityContext: + readOnlyRootFilesystem: true - args: - --metrics-addr=127.0.0.1:8080 - --enable-leader-election @@ -278,6 +287,8 @@ spec: requests: cpu: 100m memory: 20Mi + securityContext: + readOnlyRootFilesystem: true serviceAccountName: kubearmor terminationGracePeriodSeconds: 10 --- @@ -333,6 +344,8 @@ spec: requests: cpu: 100m memory: 20Mi + securityContext: + readOnlyRootFilesystem: true - args: - --metrics-addr=127.0.0.1:8080 - --enable-leader-election 
@@ -347,6 +360,8 @@ spec: requests: cpu: 100m memory: 20Mi + securityContext: + readOnlyRootFilesystem: true serviceAccountName: kubearmor terminationGracePeriodSeconds: 10 --- diff --git a/deployments/EKS/kubearmor.yaml b/deployments/EKS/kubearmor.yaml index 856e34969d..1eea6feb6a 100644 --- a/deployments/EKS/kubearmor.yaml +++ b/deployments/EKS/kubearmor.yaml @@ -120,6 +120,8 @@ spec: - mountPath: /media/root/etc/os-release name: os-release-path readOnly: true + - mountPath: /tmp + name: tmp-path - mountPath: /usr/src name: usr-src-path readOnly: true @@ -142,6 +144,7 @@ spec: name: init securityContext: privileged: true + readOnlyRootFilesystem: true volumeMounts: - mountPath: /opt/kubearmor/BPF name: bpf @@ -157,6 +160,8 @@ spec: - mountPath: /media/root/etc/os-release name: os-release-path readOnly: true + - mountPath: /tmp + name: tmp-path - mountPath: /usr/src name: usr-src-path readOnly: true @@ -170,6 +175,8 @@ spec: volumes: - emptyDir: {} name: bpf + - emptyDir: {} + name: tmp-path - hostPath: path: /lib/modules type: Directory @@ -263,6 +270,8 @@ spec: requests: cpu: 100m memory: 20Mi + securityContext: + readOnlyRootFilesystem: true - args: - --metrics-addr=127.0.0.1:8080 - --enable-leader-election @@ -277,6 +286,8 @@ spec: requests: cpu: 100m memory: 20Mi + securityContext: + readOnlyRootFilesystem: true serviceAccountName: kubearmor terminationGracePeriodSeconds: 10 --- @@ -332,6 +343,8 @@ spec: requests: cpu: 100m memory: 20Mi + securityContext: + readOnlyRootFilesystem: true - args: - --metrics-addr=127.0.0.1:8080 - --enable-leader-election @@ -346,6 +359,8 @@ spec: requests: cpu: 100m memory: 20Mi + securityContext: + readOnlyRootFilesystem: true serviceAccountName: kubearmor terminationGracePeriodSeconds: 10 --- diff --git a/deployments/GKE/kubearmor.yaml b/deployments/GKE/kubearmor.yaml index 19407c49d3..56bcb20d67 100644 --- a/deployments/GKE/kubearmor.yaml +++ b/deployments/GKE/kubearmor.yaml 
@@ -120,6 +120,8 @@ spec: - mountPath: /media/root/etc/os-release name: os-release-path readOnly: true + - mountPath: /tmp + name: tmp-path - mountPath: /media/root/usr name: usr-src-path readOnly: true @@ -142,6 +144,7 @@ spec: name: init securityContext: privileged: true + readOnlyRootFilesystem: true volumeMounts: - mountPath: /opt/kubearmor/BPF name: bpf @@ -157,6 +160,8 @@ spec: - mountPath: /media/root/etc/os-release name: os-release-path readOnly: true + - mountPath: /tmp + name: tmp-path - mountPath: /media/root/usr name: usr-src-path readOnly: true @@ -170,6 +175,8 @@ spec: volumes: - emptyDir: {} name: bpf + - emptyDir: {} + name: tmp-path - hostPath: path: /lib/modules type: Directory @@ -263,6 +270,8 @@ spec: requests: cpu: 100m memory: 20Mi + securityContext: + readOnlyRootFilesystem: true - args: - --metrics-addr=127.0.0.1:8080 - --enable-leader-election @@ -277,6 +286,8 @@ spec: requests: cpu: 100m memory: 20Mi + securityContext: + readOnlyRootFilesystem: true serviceAccountName: kubearmor terminationGracePeriodSeconds: 10 --- @@ -332,6 +343,8 @@ spec: requests: cpu: 100m memory: 20Mi + securityContext: + readOnlyRootFilesystem: true - args: - --metrics-addr=127.0.0.1:8080 - --enable-leader-election @@ -346,6 +359,8 @@ spec: requests: cpu: 100m memory: 20Mi + securityContext: + readOnlyRootFilesystem: true serviceAccountName: kubearmor terminationGracePeriodSeconds: 10 --- diff --git a/deployments/OKE/kubearmor.yaml b/deployments/OKE/kubearmor.yaml index cc5d14670d..c4562dd35d 100644 --- a/deployments/OKE/kubearmor.yaml +++ b/deployments/OKE/kubearmor.yaml @@ -120,6 +120,8 @@ spec: - mountPath: /media/root/etc/os-release name: os-release-path readOnly: true + - mountPath: /tmp + name: tmp-path - mountPath: /usr/src name: usr-src-path readOnly: true @@ -139,6 +141,7 @@ spec: name: init securityContext: privileged: true + readOnlyRootFilesystem: true volumeMounts: - mountPath: /opt/kubearmor/BPF name: bpf 
@@ -154,6 +157,8 @@ spec: - mountPath: /media/root/etc/os-release name: os-release-path readOnly: true + - mountPath: /tmp + name: tmp-path - mountPath: /usr/src name: usr-src-path readOnly: true @@ -167,6 +172,8 @@ spec: volumes: - emptyDir: {} name: bpf + - emptyDir: {} + name: tmp-path - hostPath: path: /lib/modules type: Directory @@ -256,6 +263,8 @@ spec: requests: cpu: 100m memory: 20Mi + securityContext: + readOnlyRootFilesystem: true - args: - --metrics-addr=127.0.0.1:8080 - --enable-leader-election @@ -270,6 +279,8 @@ spec: requests: cpu: 100m memory: 20Mi + securityContext: + readOnlyRootFilesystem: true serviceAccountName: kubearmor terminationGracePeriodSeconds: 10 --- @@ -325,6 +336,8 @@ spec: requests: cpu: 100m memory: 20Mi + securityContext: + readOnlyRootFilesystem: true - args: - --metrics-addr=127.0.0.1:8080 - --enable-leader-election @@ -339,6 +352,8 @@ spec: requests: cpu: 100m memory: 20Mi + securityContext: + readOnlyRootFilesystem: true serviceAccountName: kubearmor terminationGracePeriodSeconds: 10 --- diff --git a/deployments/docker/kubearmor.yaml b/deployments/docker/kubearmor.yaml index d94896f8b4..8c0f814348 100644 --- a/deployments/docker/kubearmor.yaml +++ b/deployments/docker/kubearmor.yaml @@ -120,6 +120,8 @@ spec: - mountPath: /media/root/etc/os-release name: os-release-path readOnly: true + - mountPath: /tmp + name: tmp-path - mountPath: /usr/src name: usr-src-path readOnly: true @@ -139,6 +141,7 @@ spec: name: init securityContext: privileged: true + readOnlyRootFilesystem: true volumeMounts: - mountPath: /opt/kubearmor/BPF name: bpf @@ -154,6 +157,8 @@ spec: - mountPath: /media/root/etc/os-release name: os-release-path readOnly: true + - mountPath: /tmp + name: tmp-path - mountPath: /usr/src name: usr-src-path readOnly: true @@ -167,6 +172,8 @@ spec: volumes: - emptyDir: {} name: bpf + - emptyDir: {} + name: tmp-path - hostPath: path: /lib/modules type: Directory 
@@ -256,6 +263,8 @@ spec: requests: cpu: 100m memory: 20Mi + securityContext: + readOnlyRootFilesystem: true - args: - --metrics-addr=127.0.0.1:8080 - --enable-leader-election @@ -270,6 +279,8 @@ spec: requests: cpu: 100m memory: 20Mi + securityContext: + readOnlyRootFilesystem: true serviceAccountName: kubearmor terminationGracePeriodSeconds: 10 --- @@ -325,6 +336,8 @@ spec: requests: cpu: 100m memory: 20Mi + securityContext: + readOnlyRootFilesystem: true - args: - --metrics-addr=127.0.0.1:8080 - --enable-leader-election @@ -339,6 +352,8 @@ spec: requests: cpu: 100m memory: 20Mi + securityContext: + readOnlyRootFilesystem: true serviceAccountName: kubearmor terminationGracePeriodSeconds: 10 --- diff --git a/deployments/generic/kubearmor.yaml b/deployments/generic/kubearmor.yaml index 29a3d0301f..ae6f3f198c 100644 --- a/deployments/generic/kubearmor.yaml +++ b/deployments/generic/kubearmor.yaml @@ -120,6 +120,8 @@ spec: - mountPath: /media/root/etc/os-release name: os-release-path readOnly: true + - mountPath: /tmp + name: tmp-path - mountPath: /usr/src name: usr-src-path readOnly: true @@ -145,6 +147,7 @@ spec: name: init securityContext: privileged: true + readOnlyRootFilesystem: true volumeMounts: - mountPath: /opt/kubearmor/BPF name: bpf @@ -160,6 +163,8 @@ spec: - mountPath: /media/root/etc/os-release name: os-release-path readOnly: true + - mountPath: /tmp + name: tmp-path - mountPath: /usr/src name: usr-src-path readOnly: true @@ -173,6 +178,8 @@ spec: volumes: - emptyDir: {} name: bpf + - emptyDir: {} + name: tmp-path - hostPath: path: /lib/modules type: Directory @@ -266,6 +273,8 @@ spec: requests: cpu: 100m memory: 20Mi + securityContext: + readOnlyRootFilesystem: true - args: - --metrics-addr=127.0.0.1:8080 - --enable-leader-election @@ -280,6 +289,8 @@ spec: requests: cpu: 100m memory: 20Mi + securityContext: + readOnlyRootFilesystem: true serviceAccountName: kubearmor terminationGracePeriodSeconds: 10 --- 
@@ -335,6 +346,8 @@ spec: requests: cpu: 100m memory: 20Mi + securityContext: + readOnlyRootFilesystem: true - args: - --metrics-addr=127.0.0.1:8080 - --enable-leader-election @@ -349,6 +362,8 @@ spec: requests: cpu: 100m memory: 20Mi + securityContext: + readOnlyRootFilesystem: true serviceAccountName: kubearmor terminationGracePeriodSeconds: 10 --- diff --git a/deployments/get/objects.go b/deployments/get/objects.go index f2666e96e5..76576a2d43 100644 --- a/deployments/get/objects.go +++ b/deployments/get/objects.go @@ -166,6 +166,7 @@ func GetPolicyManagerService(namespace string) *corev1.Service { // GetPolicyManagerDeployment Function func GetPolicyManagerDeployment(namespace string) *appsv1.Deployment { + var readOnlyRootFilesystem = bool(true) return &appsv1.Deployment{ TypeMeta: metav1.TypeMeta{ Kind: "Deployment", @@ -206,6 +207,9 @@ func GetPolicyManagerDeployment(namespace string) *appsv1.Deployment { Name: "https", }, }, + SecurityContext: &corev1.SecurityContext{ + ReadOnlyRootFilesystem: &readOnlyRootFilesystem, + }, Resources: corev1.ResourceRequirements{ Limits: corev1.ResourceList{ corev1.ResourceCPU: resource.MustParse("100m"), @@ -235,6 +239,9 @@ func GetPolicyManagerDeployment(namespace string) *appsv1.Deployment { corev1.ResourceMemory: resource.MustParse("20Mi"), }, }, + SecurityContext: &corev1.SecurityContext{ + ReadOnlyRootFilesystem: &readOnlyRootFilesystem, + }, }, }, TerminationGracePeriodSeconds: &terminationGracePeriodSeconds, @@ -275,6 +282,7 @@ func GetHostPolicyManagerService(namespace string) *corev1.Service { // GetHostPolicyManagerDeployment Function func GetHostPolicyManagerDeployment(namespace string) *appsv1.Deployment { + var readOnlyRootFilesystem = bool(true) return &appsv1.Deployment{ TypeMeta: metav1.TypeMeta{ Kind: "Deployment", 
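Review bot: `var readOnlyRootFilesystem = bool(true)` is declared locally in GetPolicyManagerDeployment here and repeated in GetHostPolicyManagerDeployment, GenerateDaemonSet and GetAnnotationsControllerDeployment; the file already keeps `annotationsControllerAllowPrivilegeEscalation` as a package-level var for the same addressable-bool purpose, so one `var readOnlyRootFilesystem = true` next to it would remove three copies and the redundant `bool(true)` conversion. The `&readOnlyRootFilesystem` pointers would then share one variable, which is fine as nothing visible writes through them.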
@@ -325,6 +333,9 @@ func GetHostPolicyManagerDeployment(namespace string) *appsv1.Deployment { corev1.ResourceMemory: resource.MustParse("20Mi"), }, }, + SecurityContext: &corev1.SecurityContext{ + ReadOnlyRootFilesystem: &readOnlyRootFilesystem, + }, }, { Name: "kubearmor-host-policy-manager", @@ -344,6 +355,9 @@ func GetHostPolicyManagerDeployment(namespace string) *appsv1.Deployment { corev1.ResourceMemory: resource.MustParse("20Mi"), }, }, + SecurityContext: &corev1.SecurityContext{ + ReadOnlyRootFilesystem: &readOnlyRootFilesystem, + }, }, }, TerminationGracePeriodSeconds: &terminationGracePeriodSeconds, @@ -360,6 +374,7 @@ func GenerateDaemonSet(env, namespace string) *appsv1.DaemonSet { "kubearmor-app": kubearmor, } var privileged = bool(true) + var readOnlyRootFilesystem = bool(true) var terminationGracePeriodSeconds = int64(30) var args = []string{ "-gRPC=" + strconv.Itoa(int(port)), @@ -393,6 +408,10 @@ func GenerateDaemonSet(env, namespace string) *appsv1.DaemonSet { MountPath: "/media/root/etc/os-release", ReadOnly: true, }, + { + Name: "tmp-path", + MountPath: "/tmp", + }, } var volumes = []corev1.Volume{ @@ -402,6 +421,12 @@ func GenerateDaemonSet(env, namespace string) *appsv1.DaemonSet { EmptyDir: &corev1.EmptyDirVolumeSource{}, }, }, + { + Name: "tmp-path", + VolumeSource: corev1.VolumeSource{ + EmptyDir: &corev1.EmptyDirVolumeSource{}, + }, + }, { Name: "lib-modules-path", VolumeSource: corev1.VolumeSource{ @@ -503,7 +528,8 @@ func GenerateDaemonSet(env, namespace string) *appsv1.DaemonSet { Name: "init", Image: "kubearmor/kubearmor-init:latest", SecurityContext: &corev1.SecurityContext{ - Privileged: &privileged, + Privileged: &privileged, + ReadOnlyRootFilesystem: &readOnlyRootFilesystem, }, VolumeMounts: containerVolumeMounts, }, 
@@ -605,6 +631,7 @@ var annotationsControllerAllowPrivilegeEscalation = false // GetAnnotationsControllerDeployment Function func GetAnnotationsControllerDeployment(namespace string) *appsv1.Deployment { + var readOnlyRootFilesystem = bool(true) return &appsv1.Deployment{ TypeMeta: metav1.TypeMeta{ Kind: "Deployment", @@ -661,6 +688,9 @@ func GetAnnotationsControllerDeployment(namespace string) *appsv1.Deployment { corev1.ResourceMemory: resource.MustParse("20Mi"), }, }, + SecurityContext: &corev1.SecurityContext{ + ReadOnlyRootFilesystem: &readOnlyRootFilesystem, + }, }, { Name: "manager", @@ -692,6 +722,7 @@ func GetAnnotationsControllerDeployment(namespace string) *appsv1.Deployment { }, SecurityContext: &corev1.SecurityContext{ AllowPrivilegeEscalation: &annotationsControllerAllowPrivilegeEscalation, + ReadOnlyRootFilesystem: &readOnlyRootFilesystem, }, LivenessProbe: &corev1.Probe{ Handler: corev1.Handler{ diff --git a/deployments/k3s/kubearmor.yaml b/deployments/k3s/kubearmor.yaml index a21c50b9cd..70ad781590 100644 --- a/deployments/k3s/kubearmor.yaml +++ b/deployments/k3s/kubearmor.yaml @@ -120,6 +120,8 @@ spec: - mountPath: /media/root/etc/os-release name: os-release-path readOnly: true + - mountPath: /tmp + name: tmp-path - mountPath: /usr/src name: usr-src-path readOnly: true @@ -139,6 +141,7 @@ spec: name: init securityContext: privileged: true + readOnlyRootFilesystem: true volumeMounts: - mountPath: /opt/kubearmor/BPF name: bpf @@ -154,6 +157,8 @@ spec: - mountPath: /media/root/etc/os-release name: os-release-path readOnly: true + - mountPath: /tmp + name: tmp-path - mountPath: /usr/src name: usr-src-path readOnly: true @@ -167,6 +172,8 @@ spec: volumes: - emptyDir: {} name: bpf + - emptyDir: {} + name: tmp-path - hostPath: path: /lib/modules type: Directory @@ -256,6 +263,8 @@ spec: requests: cpu: 100m memory: 20Mi + securityContext: + readOnlyRootFilesystem: true - args: - --metrics-addr=127.0.0.1:8080 - --enable-leader-election 
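Review bot: GetAnnotationsControllerDeployment now sets `ReadOnlyRootFilesystem` on both of its containers, but no file under deployments/annotations/ is touched in this diff even though the new workflow applies `deployments/annotations/kubearmor-annotation-manager.yaml`; if that manifest is generated from objects.go it is now out of step with the Go code, and a regenerated manifest in the same commit (or a comment stating that the YAML is hand-maintained) would settle it. The manager container also gets a read-only root without any writable scratch volume, unlike the DaemonSet which gains `/tmp`; if the manager process writes anything to its root filesystem at runtime this will surface as a crash, which the added in-cluster test should catch, so it is worth confirming that run is green before merging.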
@@ -270,6 +279,8 @@ spec: requests: cpu: 100m memory: 20Mi + securityContext: + readOnlyRootFilesystem: true serviceAccountName: kubearmor terminationGracePeriodSeconds: 10 --- @@ -325,6 +336,8 @@ spec: requests: cpu: 100m memory: 20Mi + securityContext: + readOnlyRootFilesystem: true - args: - --metrics-addr=127.0.0.1:8080 - --enable-leader-election @@ -339,6 +352,8 @@ spec: requests: cpu: 100m memory: 20Mi + securityContext: + readOnlyRootFilesystem: true serviceAccountName: kubearmor terminationGracePeriodSeconds: 10 --- diff --git a/deployments/microk8s/kubearmor.yaml b/deployments/microk8s/kubearmor.yaml index 74bba8c272..ddd5806479 100644 --- a/deployments/microk8s/kubearmor.yaml +++ b/deployments/microk8s/kubearmor.yaml @@ -120,6 +120,8 @@ spec: - mountPath: /media/root/etc/os-release name: os-release-path readOnly: true + - mountPath: /tmp + name: tmp-path - mountPath: /usr/src name: usr-src-path readOnly: true @@ -139,6 +141,7 @@ spec: name: init securityContext: privileged: true + readOnlyRootFilesystem: true volumeMounts: - mountPath: /opt/kubearmor/BPF name: bpf @@ -154,6 +157,8 @@ spec: - mountPath: /media/root/etc/os-release name: os-release-path readOnly: true + - mountPath: /tmp + name: tmp-path - mountPath: /usr/src name: usr-src-path readOnly: true @@ -167,6 +172,8 @@ spec: volumes: - emptyDir: {} name: bpf + - emptyDir: {} + name: tmp-path - hostPath: path: /lib/modules type: Directory @@ -256,6 +263,8 @@ spec: requests: cpu: 100m memory: 20Mi + securityContext: + readOnlyRootFilesystem: true - args: - --metrics-addr=127.0.0.1:8080 - --enable-leader-election @@ -270,6 +279,8 @@ spec: requests: cpu: 100m memory: 20Mi + securityContext: + readOnlyRootFilesystem: true serviceAccountName: kubearmor terminationGracePeriodSeconds: 10 --- @@ -325,6 +336,8 @@ spec: requests: cpu: 100m memory: 20Mi + securityContext: + readOnlyRootFilesystem: true - args: - --metrics-addr=127.0.0.1:8080 - --enable-leader-election 
@@ -339,6 +352,8 @@ spec: requests: cpu: 100m memory: 20Mi + securityContext: + readOnlyRootFilesystem: true serviceAccountName: kubearmor terminationGracePeriodSeconds: 10 --- diff --git a/deployments/minikube/kubearmor.yaml b/deployments/minikube/kubearmor.yaml index 591080e9ad..799e38c635 100644 --- a/deployments/minikube/kubearmor.yaml +++ b/deployments/minikube/kubearmor.yaml @@ -119,6 +119,8 @@ spec: - mountPath: /media/root/etc/os-release name: os-release-path readOnly: true + - mountPath: /tmp + name: tmp-path - mountPath: /usr/src name: usr-src-path readOnly: true @@ -138,6 +140,7 @@ spec: name: init securityContext: privileged: true + readOnlyRootFilesystem: true volumeMounts: - mountPath: /opt/kubearmor/BPF name: bpf @@ -153,6 +156,8 @@ spec: - mountPath: /media/root/etc/os-release name: os-release-path readOnly: true + - mountPath: /tmp + name: tmp-path - mountPath: /usr/src name: usr-src-path readOnly: true @@ -166,6 +171,8 @@ spec: volumes: - emptyDir: {} name: bpf + - emptyDir: {} + name: tmp-path - hostPath: path: /lib/modules type: Directory @@ -255,6 +262,8 @@ spec: requests: cpu: 100m memory: 20Mi + securityContext: + readOnlyRootFilesystem: true - args: - --metrics-addr=127.0.0.1:8080 - --enable-leader-election @@ -269,6 +278,8 @@ spec: requests: cpu: 100m memory: 20Mi + securityContext: + readOnlyRootFilesystem: true serviceAccountName: kubearmor terminationGracePeriodSeconds: 10 --- @@ -324,6 +335,8 @@ spec: requests: cpu: 100m memory: 20Mi + securityContext: + readOnlyRootFilesystem: true - args: - --metrics-addr=127.0.0.1:8080 - --enable-leader-election @@ -338,6 +351,8 @@ spec: requests: cpu: 100m memory: 20Mi + securityContext: + readOnlyRootFilesystem: true serviceAccountName: kubearmor terminationGracePeriodSeconds: 10 ---