

Add SecurityContext to restore-helper
This commit adds a SecurityContext that complies with the "restricted" level
of the Pod Security Standards.

Signed-off-by: Daniel Jiang <daniel.jiang@broadcom.com>
reasonerjt committed Dec 6, 2024
1 parent 2e5df85 commit 507974e
Showing 2 changed files with 28 additions and 3 deletions.
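--- a/changelogs/unreleased/8491-reasonerjt
+++ b/changelogs/unreleased/8491-reasonerjt
@@ -0,0 +1 @@
+Add SecurityContext to restore-helper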
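--- a/pkg/restore/actions/pod_volume_restore_action.go
+++ b/pkg/restore/actions/pod_volume_restore_action.go
@@ -19,6 +19,7 @@ package actions
 import (
 "context"
 "fmt"
+"github.com/vmware-tanzu/velero/pkg/util/boolptr"
 "strings"
 
 "github.com/pkg/errors"
@@ -143,9 +144,15 @@ func (a *PodVolumeRestoreAction) Execute(input *velero.RestoreItemActionExecuteI
 
 runAsUser, runAsGroup, allowPrivilegeEscalation, secCtx := getSecurityContext(log, config)
 
-securityContext, err := kube.ParseSecurityContext(runAsUser, runAsGroup, allowPrivilegeEscalation, secCtx)
-if err != nil {
-log.Errorf("Using default securityContext values, couldn't parse securityContext requirements: %s.", err)
+var securityContext corev1.SecurityContext
+if runAsUser == "" && runAsGroup == "" && allowPrivilegeEscalation == "" && secCtx == "" {
+securityContext = defaultSecurityCtx()
+} else {
+securityContext, err = kube.ParseSecurityContext(runAsUser, runAsGroup, allowPrivilegeEscalation, secCtx)
+if err != nil {
+log.Errorf("Using default securityContext values, couldn't parse securityContext requirements: %s.", err)
+securityContext = defaultSecurityCtx()
+}
 }
 
 initContainerBuilder := newRestoreInitContainerBuilder(image, string(input.Restore.UID))
@@ -282,3 +289,20 @@ func newRestoreInitContainerBuilder(image, restoreUID string) *builder.Container
 },
 }...)
 }
+
+// defaultSecurityCtx returns a default security context for the init container, which has the level "restricted" per
+// Pod Security Standards.
+func defaultSecurityCtx() corev1.SecurityContext {
+uid := int64(1000)
+return corev1.SecurityContext{
+AllowPrivilegeEscalation: boolptr.False(),
+Capabilities: &corev1.Capabilities{
+Drop: []corev1.Capability{"ALL"},
+},
+SeccompProfile: &corev1.SeccompProfile{
+Type: corev1.SeccompProfileTypeRuntimeDefault,
+},
+RunAsUser: &uid,
+RunAsNonRoot: boolptr.True(),
+}
+}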
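Review bot: The restricted profile from defaultSecurityCtx() is applied only when all four values returned by getSecurityContext are empty, so a partially configured restore helper (for example only runAsUser set) gets whatever kube.ParseSecurityContext builds from those strings, which — if that helper only fills the fields it is given, as the call shape suggests — omits the drop-ALL capabilities, the RuntimeDefault seccomp profile and RunAsNonRoot; consider starting from defaultSecurityCtx() and overlaying the parsed fields, or at least documenting on Execute that user-supplied settings replace the restricted defaults wholesale. Execute begins and ends outside this hunk, and `err` is assigned with `=`, so it is presumably declared earlier in the function. In the import hunk the new `"github.com/vmware-tanzu/velero/pkg/util/boolptr"` line sits between `"fmt"` and `"strings"` inside the standard-library group; goimports would place it in the project group after `"github.com/pkg/errors"`. In defaultSecurityCtx the bare `uid := int64(1000)` deserves a named constant with a comment explaining the choice, e.g. `// defaultRestoreHelperUID is the non-root UID the restore helper runs as when no securityContext is configured.` followed by `const defaultRestoreHelperUID int64 = 1000`, and it is worth noting in that comment that RunAsGroup is intentionally left unset so the group is inherited from the image or pod spec.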
