From f8356c9deec7475168bc7ea620c99d5f0eec54d0 Mon Sep 17 00:00:00 2001
From: Thomas Way
Date: Fri, 24 Mar 2023 19:15:26 +0000
Subject: [PATCH] cmd/k8s-operator: Set pod security context
https://kubernetes.io/docs/concepts/security/pod-security-admission/
Fixes #7359
Signed-off-by: Thomas Way
---
cmd/k8s-operator/manifests/operator.yaml | 70 +++++++++++++++---------
cmd/k8s-operator/manifests/proxy.yaml | 15 ++++-
2 files changed, 57 insertions(+), 28 deletions(-)
diff --git a/cmd/k8s-operator/manifests/operator.yaml b/cmd/k8s-operator/manifests/operator.yaml
index c128d2b09..f6161a5b0 100644
--- a/cmd/k8s-operator/manifests/operator.yaml
+++ b/cmd/k8s-operator/manifests/operator.yaml
@@ -18,9 +18,9 @@ metadata:
name: proxies
namespace: tailscale
rules:
-- apiGroups: [""]
- resources: ["secrets"]
- verbs: ["*"]
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
@@ -28,9 +28,9 @@ metadata:
name: proxies
namespace: tailscale
subjects:
-- kind: ServiceAccount
- name: proxies
- namespace: tailscale
+ - kind: ServiceAccount
+ name: proxies
+ namespace: tailscale
roleRef:
kind: Role
name: proxies
@@ -47,18 +47,18 @@ kind: ClusterRole
metadata:
name: tailscale-operator
rules:
-- apiGroups: [""]
- resources: ["services", "services/status"]
- verbs: ["*"]
+ - apiGroups: [""]
+ resources: ["services", "services/status"]
+ verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: tailscale-operator
subjects:
-- kind: ServiceAccount
- name: operator
- namespace: tailscale
+ - kind: ServiceAccount
+ name: operator
+ namespace: tailscale
roleRef:
kind: ClusterRole
name: tailscale-operator
@@ -70,12 +70,12 @@ metadata:
name: operator
namespace: tailscale
rules:
-- apiGroups: [""]
- resources: ["secrets"]
- verbs: ["*"]
-- apiGroups: ["apps"]
- resources: ["statefulsets"]
- verbs: ["*"]
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["*"]
+ - apiGroups: ["apps"]
+ resources: ["statefulsets"]
+ verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
@@ -83,9 +83,9 @@ metadata:
name: operator
namespace: tailscale
subjects:
-- kind: ServiceAccount
- name: operator
- namespace: tailscale
+ - kind: ServiceAccount
+ name: operator
+ namespace: tailscale
roleRef:
kind: Role
name: operator
@@ -119,9 +119,11 @@ spec:
spec:
serviceAccountName: operator
volumes:
- - name: oauth
- secret:
- secretName: operator-oauth
+ - name: config
+ emptyDir: {}
+ - name: oauth
+ secret:
+ secretName: operator-oauth
containers:
- name: operator
image: tailscale/k8s-operator:unstable
@@ -151,6 +153,20 @@ spec:
- name: AUTH_PROXY
value: "false"
volumeMounts:
- - name: oauth
- mountPath: /oauth
- readOnly: true
+ - name: config
+ mountPath: /.config
+ - name: oauth
+ mountPath: /oauth
+ readOnly: true
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 3000
+ runAsNonRoot: true
+ fsGroup: 2000
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/cmd/k8s-operator/manifests/proxy.yaml b/cmd/k8s-operator/manifests/proxy.yaml
index 07e1df7a1..b644e7720 100644
--- a/cmd/k8s-operator/manifests/proxy.yaml
+++ b/cmd/k8s-operator/manifests/proxy.yaml
@@ -14,7 +14,10 @@ spec:
- name: sysctler
image: busybox
securityContext:
- privileged: true
+ capabilities:
+ drop:
+ - ALL
+ allowPrivilegeEscalation: false
command: ["/bin/sh"]
args:
- -c
@@ -35,3 +38,13 @@ spec:
capabilities:
add:
- NET_ADMIN
+ drop:
+ - ALL
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 3000
+ runAsNonRoot: true
+ fsGroup: 2000
+ seccompProfile:
+ type: RuntimeDefault
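Review bot: The operator container's new securityContext stops short of `readOnlyRootFilesystem: true`, even though this hunk is what makes it feasible: the only writable location the container is given is the `config` emptyDir at `/.config`, so adding the setting next to `allowPrivilegeEscalation: false` would cost nothing and removes writes to the image layer (confirm the binary does not also need /tmp). The `/.config` mount path presumably works only because uid 1000 has no passwd entry, HOME falls back to `/`, and the Go config-dir lookup lands on `/.config`; that coupling deserves an explicit `HOME` env var or at least a comment such as `# uid 1000 has no home dir; the operator's config dir resolves to /.config`. The ids `runAsUser: 1000`, `runAsGroup: 3000`, `fsGroup: 2000` are the example values from the linked Kubernetes page rather than ids defined by the image, which a comment should say so the next reader does not look for meaning in them. The Deployment template this hunk edits starts before the hunk.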
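Review bot: Dropping every capability from the `sysctler` init container while the pod-level securityContext added later in this file makes it run as uid 1000 most likely breaks it: its command continues past the hunk, but if, as the name suggests, it writes under `/proc/sys/net` (e.g. `net.ipv4.ip_forward`), that write needs either uid 0 or CAP_NET_ADMIN in the pod's network namespace, and after this change the container has neither, so the pod would never leave Init. The container needs its own override, e.g. `runAsUser: 0`, `runAsNonRoot: false` and `capabilities: {add: [NET_ADMIN], drop: [ALL]}`, or it has to stay `privileged: true`; `securityContext.sysctls` is not a substitute unless kubelet has been configured to allow `net.ipv4.ip_forward` as an unsafe sysctl. Either way NET_ADMIN keeps this pod outside the baseline and restricted Pod Security Standards the commit message refers to, so the tightening here reduces blast radius but does not make the proxy admissible under a labelled namespace.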
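Review bot: `add: [NET_ADMIN]` on the tailscale container is unlikely to take effect once the pod-level `runAsUser: 1000` applies: capabilities listed in a container's securityContext only enter the bounding set, and for a non-root process the effective and permitted sets are empty after exec unless the runtime grants ambient capabilities or the binary carries file capabilities, which the default containerd/runc setup does not do. tailscaled needs an effective NET_ADMIN to create the tun device and install routes, so this container must either keep running as root (`runAsUser: 0` and `runAsNonRoot: false` at container level, overriding the pod defaults), ship an image with file capabilities on tailscaled, or be switched to userspace networking. `runAsNonRoot: true` at pod level cannot coexist with a container-level root override, so the override has to include `runAsNonRoot: false`. As with the init container, NET_ADMIN means the proxy pod still only admits in a namespace at the `privileged` PSS level.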