fix: controller and sidecar containers run as non-root (#225)

Closes #177 Signed-off-by: Jonathan Battiato <jonathan.battiato@enterprisedb.com> Signed-off-by: Leonardo Cecchi <leonardo.cecchi@enterprisedb.com> Co-authored-by: Leonardo Cecchi <leonardo.cecchi@enterprisedb.com>
2026-01-10 21:03:12 +01:00 · 2025-03-23 17:00:52 +01:00 · 2025-03-23 17:00:52 +01:00 · 5788c1f727
commit 5788c1f727
parent a7ef56b6e7
3 changed files with 40 additions and 0 deletions
--- a/internal/cnpgi/operator/lifecycle.go
+++ b/internal/cnpgi/operator/lifecycle.go
@ -299,6 +299,18 @@ func reconcilePodSpec(
 	sidecarConfig.Image = viper.GetString("sidecar-image")
 	sidecarConfig.ImagePullPolicy = cluster.Spec.ImagePullPolicy
 	sidecarConfig.StartupProbe = baseProbe.DeepCopy()
+	sidecarConfig.SecurityContext = &corev1.SecurityContext{
+		AllowPrivilegeEscalation: ptr.To(false),
+		RunAsNonRoot:             ptr.To(true),
+		Privileged:               ptr.To(false),
+		ReadOnlyRootFilesystem:   ptr.To(true),
+		SeccompProfile: &corev1.SeccompProfile{
+			Type: corev1.SeccompProfileTypeRuntimeDefault,
+		},
+		Capabilities: &corev1.Capabilities{
+			Drop: []corev1.Capability{"ALL"},
+		},
+	}

 	// merge the main container envs if they aren't already set
 	for _, container := range spec.Containers {
--- a/kubernetes/deployment.yaml
+++ b/kubernetes/deployment.yaml
@ -16,6 +16,10 @@ spec:
      labels:
        app: barman-cloud
    spec:
+      securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
      serviceAccountName: plugin-barman-cloud
      containers:
      - image: plugin-barman-cloud:latest
@ -48,6 +52,16 @@ spec:
        - mountPath: /client
          name: client
        resources: {}
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+          runAsGroup: 10001
+          runAsUser: 10001
+          seccompProfile:
+            type: RuntimeDefault
      volumes:
      - name: server
        secret:
--- a/manifest.yaml
+++ b/manifest.yaml
@ -871,11 +871,25 @@ spec:
          tcpSocket:
            port: 9090
        resources: {}
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+          runAsGroup: 10001
+          runAsUser: 10001
+          seccompProfile:
+            type: RuntimeDefault
        volumeMounts:
        - mountPath: /server
          name: server
        - mountPath: /client
          name: client
+      securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
      serviceAccountName: plugin-barman-cloud
      volumes:
      - name: server