From c4c1717eb0abdd631e62a3cb6e0d853ef2da3f22 Mon Sep 17 00:00:00 2001
From: biswassri
Date: Fri, 20 Dec 2024 10:10:17 -0500
Subject: [PATCH 1/4] chore: Add securitycontext for PSS PoC (rootless Kubeflow)
Signed-off-by: biswassri
---
 .../manifests/quick-start/sso/dex/dex-deploy.yaml | 8 ++++++++
 common/oauth2-proxy/base/deployment.yaml | 8 ++++++++
 2 files changed, 16 insertions(+)
diff --git a/apps/pipeline/upstream/third-party/argo/upstream/manifests/quick-start/sso/dex/dex-deploy.yaml b/apps/pipeline/upstream/third-party/argo/upstream/manifests/quick-start/sso/dex/dex-deploy.yaml
index 327d846805..640f9f06ea 100644
--- a/apps/pipeline/upstream/third-party/argo/upstream/manifests/quick-start/sso/dex/dex-deploy.yaml
+++ b/apps/pipeline/upstream/third-party/argo/upstream/manifests/quick-start/sso/dex/dex-deploy.yaml
@@ -26,6 +26,14 @@ spec:
 ports:
 - name: http
 containerPort: 5556
+ securityContext:
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
 volumeMounts:
 - mountPath: /data
 name: config
diff --git a/common/oauth2-proxy/base/deployment.yaml b/common/oauth2-proxy/base/deployment.yaml
index e92f4f92da..83e4b5ca8d 100644
--- a/common/oauth2-proxy/base/deployment.yaml
+++ b/common/oauth2-proxy/base/deployment.yaml
@@ -70,6 +70,14 @@ spec:
 configMapKeyRef:
 name: oauth2-proxy-parameters
 key: EXTRA_JWT_ISSUERS
+ securityContext:
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
 volumeMounts:
 - name: oauth2-proxy-config
 mountPath: /etc/oauth2_proxy/oauth2_proxy.cfg
From ee897228b7b2acbe12be7b3c8841903ae75f19a4 Mon Sep 17 00:00:00 2001
From: biswassri
Date: Fri, 20 Dec 2024 10:38:57 -0500
Subject: [PATCH 2/4] update PSS for dex
Signed-off-by: biswassri
---
 .../manifests/quick-start/sso/dex/dex-deploy.yaml | 11 -----------
 common/dex/base/deployment.yaml | 8 ++++++++
 2 files changed, 8 insertions(+), 11 deletions(-)
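Review bot: The `runAsNonRoot: true` added to the oauth2-proxy container block (and the identical block added to common/dex/base/deployment.yaml in PATCH 2/4) is only satisfiable if the image's USER is a numeric non-zero uid; when the image runs as root or declares a non-numeric user, the kubelet refuses to start the container with CreateContainerConfigError rather than failing at apply time, so this should be checked against both images before merging. If the uids are not already pinned, adding `runAsUser: <non-root uid from the image>` next to `runAsNonRoot` makes the manifest self-describing and keeps the Pod Security admission check and the kubelet check in agreement. `readOnlyRootFilesystem: true` is a reasonable addition where the process does not write to its root filesystem, though it goes beyond the Restricted profile and needs verifying per image. Indentation is not recoverable from this collapsed patch; since PATCH 4/4 re-indents only the dex block, it is worth confirming the oauth2-proxy block is nested under the container spec the same way.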
diff --git a/apps/pipeline/upstream/third-party/argo/upstream/manifests/quick-start/sso/dex/dex-deploy.yaml b/apps/pipeline/upstream/third-party/argo/upstream/manifests/quick-start/sso/dex/dex-deploy.yaml
index 640f9f06ea..cc50cafa6d 100644
--- a/apps/pipeline/upstream/third-party/argo/upstream/manifests/quick-start/sso/dex/dex-deploy.yaml
+++ b/apps/pipeline/upstream/third-party/argo/upstream/manifests/quick-start/sso/dex/dex-deploy.yaml
@@ -26,17 +26,6 @@ spec:
 ports:
 - name: http
 containerPort: 5556
- securityContext:
- allowPrivilegeEscalation: false
- seccompProfile:
- type: RuntimeDefault
- runAsNonRoot: true
- capabilities:
- drop:
- - ALL
- volumeMounts:
- - mountPath: /data
- name: config
 volumes:
 - name: config
 configMap:
diff --git a/common/dex/base/deployment.yaml b/common/dex/base/deployment.yaml
index bf4de2baab..fe14cd9e82 100644
--- a/common/dex/base/deployment.yaml
+++ b/common/dex/base/deployment.yaml
@@ -22,6 +22,14 @@ spec:
 ports:
 - name: http
 containerPort: 5556
+ securityContext:
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
 volumeMounts:
 - name: config
 mountPath: /etc/dex/cfg
From bbf78f16b7afb57382d365a9cefb6fa0bcdbbce8 Mon Sep 17 00:00:00 2001
From: biswassri
Date: Fri, 20 Dec 2024 10:40:13 -0500
Subject: [PATCH 3/4] reverse volume-mount change for dex-deploy
Signed-off-by: biswassri
---
 .../upstream/manifests/quick-start/sso/dex/dex-deploy.yaml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/apps/pipeline/upstream/third-party/argo/upstream/manifests/quick-start/sso/dex/dex-deploy.yaml b/apps/pipeline/upstream/third-party/argo/upstream/manifests/quick-start/sso/dex/dex-deploy.yaml
index cc50cafa6d..327d846805 100644
--- a/apps/pipeline/upstream/third-party/argo/upstream/manifests/quick-start/sso/dex/dex-deploy.yaml
+++ b/apps/pipeline/upstream/third-party/argo/upstream/manifests/quick-start/sso/dex/dex-deploy.yaml
@@ -26,6 +26,9 @@ spec:
 ports:
 - name: http
 containerPort: 5556
+ volumeMounts:
+ - mountPath: /data
+ name: config
 volumes:
 - name: config
 configMap:
From 8acd004578a3062b9dbf77d7d516c56af25e6ae3 Mon Sep 17 00:00:00 2001
From: biswassri
Date: Fri, 20 Dec 2024 10:47:56 -0500
Subject: [PATCH 4/4] alignment change for dex
Signed-off-by: biswassri
---
 common/dex/base/deployment.yaml | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/common/dex/base/deployment.yaml b/common/dex/base/deployment.yaml
index fe14cd9e82..1b5e8fa91f 100644
--- a/common/dex/base/deployment.yaml
+++ b/common/dex/base/deployment.yaml
@@ -23,13 +23,13 @@ spec:
 - name: http
 containerPort: 5556
 securityContext:
- allowPrivilegeEscalation: false
- seccompProfile:
- type: RuntimeDefault
- runAsNonRoot: true
- capabilities:
- drop:
- - ALL
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
 volumeMounts:
 - name: config
 mountPath: /etc/dex/cfg