Merge pull request #208 from KevFan/issues/98

feat: use RuntimeDefault seccomp profile in security context
Kuadrant · Sep 17, 2024 · 82e7719 · 82e7719
2 parents 18d51d9 + d108e24
commit 82e7719
Show file tree

Hide file tree

Showing 8 changed files with 41 additions and 5 deletions.
diff --git a/Makefile b/Makefile
@@ -298,6 +298,20 @@ bundle: manifests kustomize operator-sdk $(YQ) ## Generate bundle manifests and
 	$(OPERATOR_SDK) bundle validate ./bundle
 	# Roll back edit
 	cd config/manager && $(KUSTOMIZE) edit set image controller=${DEFAULT_OPERATOR_IMAGE}
+	$(MAKE) bundle-custom-modifications
+
+.PHONY: bundle-custom-modifications
+OPENSHIFT_VERSIONS_ANNOTATION_KEY="com.redhat.openshift.versions"
+# Supports Openshift v4.12+ (https://redhat-connect.gitbook.io/certified-operator-guide/ocp-deployment/operator-metadata/bundle-directory/managing-openshift-versions)
+OPENSHIFT_SUPPORTED_VERSIONS="v4.12"
+bundle-custom-modifications:
+	# Set Openshift version in bundle annotations
+	$(YQ) -i '.annotations[$(OPENSHIFT_VERSIONS_ANNOTATION_KEY)] = $(OPENSHIFT_SUPPORTED_VERSIONS)' bundle/metadata/annotations.yaml
+	$(YQ) -i '(.annotations[$(OPENSHIFT_VERSIONS_ANNOTATION_KEY)] | key) headComment = "Custom annotations"' bundle/metadata/annotations.yaml
+	# Set Openshift version in bundle Dockerfile
+	@echo "" >> bundle.Dockerfile
+	@echo "# Custom labels" >> bundle.Dockerfile
+	@echo "LABEL $(OPENSHIFT_VERSIONS_ANNOTATION_KEY)=$(OPENSHIFT_SUPPORTED_VERSIONS)" >> bundle.Dockerfile
 
 .PHONY: bundle-build
 bundle-build: ## Build the bundle image.

diff --git a/bundle.Dockerfile b/bundle.Dockerfile
@@ -18,3 +18,6 @@ LABEL operators.operatorframework.io.test.config.v1=tests/scorecard/
 COPY bundle/manifests /manifests/
 COPY bundle/metadata /metadata/
 COPY bundle/tests/scorecard /tests/scorecard/
+
+# Custom labels
+LABEL com.redhat.openshift.versions=v4.12
diff --git a/bundle/manifests/authorino-operator.clusterserviceversion.yaml b/bundle/manifests/authorino-operator.clusterserviceversion.yaml
@@ -83,7 +83,7 @@ metadata:
     capabilities: Basic Install
     categories: Integration & Delivery
     containerImage: quay.io/kuadrant/authorino-operator:latest
-    createdAt: "2024-09-03T17:46:45Z"
+    createdAt: "2024-09-12T11:22:55Z"
     operators.operatorframework.io/builder: operator-sdk-v1.32.0
     operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
     repository: https://github.com/Kuadrant/authorino-operator
@@ -345,6 +345,12 @@ spec:
                         memory: 200Mi
                     securityContext:
                       allowPrivilegeEscalation: false
+                      capabilities:
+                        drop:
+                          - ALL
+                      readOnlyRootFilesystem: true
+                      seccompProfile:
+                        type: RuntimeDefault
                 securityContext:
                   runAsNonRoot: true
                 serviceAccountName: authorino-operator
@@ -492,7 +498,7 @@ spec:
     - email: [email protected]
       name: Guilherme Cassolato
   maturity: alpha
-  minKubeVersion: 1.8.0
+  minKubeVersion: 1.25.0
   provider:
     name: Red Hat
   version: 0.0.0

diff --git a/bundle/metadata/annotations.yaml b/bundle/metadata/annotations.yaml
@@ -8,7 +8,8 @@ annotations:
   operators.operatorframework.io.metrics.builder: operator-sdk-v1.32.0
   operators.operatorframework.io.metrics.mediatype.v1: metrics+v1
   operators.operatorframework.io.metrics.project_layout: go.kubebuilder.io/v3
-
   # Annotations for testing.
   operators.operatorframework.io.test.mediatype.v1: scorecard+v1
   operators.operatorframework.io.test.config.v1: tests/scorecard/
+  # Custom annotations
+  com.redhat.openshift.versions: v4.12
diff --git a/config/deploy/manifests.yaml b/config/deploy/manifests.yaml
@@ -5767,6 +5767,12 @@ spec:
             memory: 200Mi
         securityContext:
           allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+          seccompProfile:
+            type: RuntimeDefault
       securityContext:
         runAsNonRoot: true
       serviceAccountName: authorino-operator

diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
@@ -33,6 +33,12 @@ spec:
         name: manager
         securityContext:
           allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+              - ALL
+          readOnlyRootFilesystem: true
+          seccompProfile:
+            type: RuntimeDefault
         ports:
         - name: metrics
           containerPort: 8080

diff --git a/config/manifests/bases/authorino-operator.clusterserviceversion.template.yaml b/config/manifests/bases/authorino-operator.clusterserviceversion.template.yaml
@@ -74,7 +74,7 @@ spec:
   - email: [email protected]
     name: Guilherme Cassolato
   maturity: alpha
-  minKubeVersion: 1.8.0
+  minKubeVersion: 1.25.0
   provider:
     name: Red Hat
   version: ${BUNDLE_VERSION}
diff --git a/config/manifests/bases/authorino-operator.clusterserviceversion.yaml b/config/manifests/bases/authorino-operator.clusterserviceversion.yaml
@@ -74,7 +74,7 @@ spec:
   - email: [email protected]
     name: Guilherme Cassolato
   maturity: alpha
-  minKubeVersion: 1.8.0
+  minKubeVersion: 1.25.0
   provider:
     name: Red Hat
   version: 0.0.0