Merge pull request #325 from marquiz/devel/hardening

Container image hardening
2024-12-14 11:57:51 +00:00 · 2020-08-21 02:51:39 -07:00 · 2020-08-21 02:51:39 -07:00 · a68a4ec4fb
commit a68a4ec4fb
parent b6e310902a 3cd2d34ea7
5 changed files with 33 additions and 0 deletions
--- a/3
+++ b/3
@ -25,6 +25,9 @@ RUN make test
 # Create production image for running node feature discovery
 FROM debian:stretch-slim

+# Run as unprivileged user
+USER 65534:65534
+
 # Use more verbose logging of gRPC
 ENV GRPC_GO_LOG_SEVERITY_LEVEL="INFO"

--- a/nfd-daemonset-combined.yaml.template
+++ b/nfd-daemonset-combined.yaml.template
@ -64,6 +64,12 @@ spec:
                fieldPath: spec.nodeName
          image: k8s.gcr.io/nfd/node-feature-discovery:v0.6.0
          name: nfd-master
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop: ["ALL"]
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
          command:
            - "nfd-master"
        - env:
@ -73,6 +79,12 @@ spec:
                fieldPath: spec.nodeName
          image: k8s.gcr.io/nfd/node-feature-discovery:v0.6.0
          name: nfd-worker
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop: ["ALL"]
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
          command:
            - "nfd-worker"
          args:
--- a/nfd-master.yaml.template
+++ b/nfd-master.yaml.template
@ -79,6 +79,12 @@ spec:
                fieldPath: spec.nodeName
          image: k8s.gcr.io/nfd/node-feature-discovery:v0.6.0
          name: nfd-master
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop: ["ALL"]
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
          command:
            - "nfd-master"
 ## Enable TLS authentication
--- a/nfd-worker-daemonset.yaml.template
+++ b/nfd-worker-daemonset.yaml.template
@ -23,6 +23,12 @@ spec:
                fieldPath: spec.nodeName
          image: k8s.gcr.io/nfd/node-feature-discovery:v0.6.0
          name: nfd-worker
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop: ["ALL"]
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
          command:
            - "nfd-worker"
          args:
--- a/nfd-worker-job.yaml.template
+++ b/nfd-worker-job.yaml.template
@ -32,6 +32,12 @@ spec:
                fieldPath: spec.nodeName
          image: k8s.gcr.io/nfd/node-feature-discovery:v0.6.0
          name: nfd-worker
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop: ["ALL"]
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
          command:
            - "nfd-worker"
          args: