From 305fc363fa889763ca6c9a9461b87c89ca32cbb9 Mon Sep 17 00:00:00 2001
From: Harshvir Potpose
Date: Sun, 16 Mar 2025 14:18:54 +0530
Subject: [PATCH 1/2] fix pss warnings

Signed-off-by: Harshvir Potpose
---
 manifests/v1beta1/components/controller/controller.yaml | 9 +++++++++
 manifests/v1beta1/components/db-manager/db-manager.yaml | 9 +++++++++
 manifests/v1beta1/components/mysql/mysql.yaml | 9 +++++++++
 manifests/v1beta1/components/ui/ui.yaml | 9 +++++++++
 4 files changed, 36 insertions(+)

diff --git a/manifests/v1beta1/components/controller/controller.yaml b/manifests/v1beta1/components/controller/controller.yaml
index c6f97b5f189..3dced6f64f0 100644
--- a/manifests/v1beta1/components/controller/controller.yaml
+++ b/manifests/v1beta1/components/controller/controller.yaml
@@ -58,6 +58,15 @@ spec:
 name: katib-config
 subPath: katib-config.yaml
 readOnly: true
+ securityContext:
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ runAsUser: 1000
+ seccompProfile:
+ type: RuntimeDefault
+ capabilities:
+ drop:
+ - ALL
 volumes:
 - name: cert
 secret:
diff --git a/manifests/v1beta1/components/db-manager/db-manager.yaml b/manifests/v1beta1/components/db-manager/db-manager.yaml
index f4e6e455b0b..7a66172e996 100644
--- a/manifests/v1beta1/components/db-manager/db-manager.yaml
+++ b/manifests/v1beta1/components/db-manager/db-manager.yaml
@@ -40,3 +40,12 @@ spec:
 initialDelaySeconds: 10
 periodSeconds: 60
 failureThreshold: 5
+ securityContext:
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ runAsUser: 1000
+ seccompProfile:
+ type: RuntimeDefault
+ capabilities:
+ drop:
+ - ALL
diff --git a/manifests/v1beta1/components/mysql/mysql.yaml b/manifests/v1beta1/components/mysql/mysql.yaml
index 5a8179f66b5..12c2014ee50 100644
--- a/manifests/v1beta1/components/mysql/mysql.yaml
+++ b/manifests/v1beta1/components/mysql/mysql.yaml
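Review bot: The container `securityContext` added to controller.yaml hard-codes `runAsUser: 1000` with nothing recording whether that UID is the user the image is built to run as; a mismatch only shows up at runtime as permission errors, which is what the second patch then has to correct for mysql. A comment such as `runAsUser: 1000  # must match the non-root user the image is built with` would make the assumption reviewable, and the same applies to the db-manager and ui hunks. `runAsGroup` is also not set here while the mysql follow-up does set it; if the intent is to pin the primary group rather than inherit it from the image, add `runAsGroup` in these three manifests as well for consistency. The enclosing container definition starts outside the hunk.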
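Review bot: `seccompProfile` and `runAsNonRoot` are set only on this one container in db-manager.yaml, so any init or injected sidecar container in the same pod would still fall outside the restricted profile the commit subject refers to; setting those two fields once under the pod-level `spec.securityContext` and keeping the container-level block for `allowPrivilegeEscalation` and `capabilities` covers every container, and the same holds for the controller and ui hunks. Whether these pods carry init or sidecar containers is not visible here, so this is a structural suggestion rather than a reported failure. Also consider `readOnlyRootFilesystem: true` for db-manager, controller and ui if those processes do not write to the container filesystem; mysql likely needs a writable filesystem and is not a candidate without extra volume mounts.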
@@ -68,6 +68,15 @@ spec:
 volumeMounts:
 - name: katib-mysql
 mountPath: /var/lib/mysql
+ securityContext:
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ runAsUser: 1000
+ seccompProfile:
+ type: RuntimeDefault
+ capabilities:
+ drop:
+ - ALL
 volumes:
 - name: katib-mysql
 persistentVolumeClaim:
diff --git a/manifests/v1beta1/components/ui/ui.yaml b/manifests/v1beta1/components/ui/ui.yaml
index 4d07def4bac..6931fcc638d 100644
--- a/manifests/v1beta1/components/ui/ui.yaml
+++ b/manifests/v1beta1/components/ui/ui.yaml
@@ -33,4 +33,13 @@ spec:
 ports:
 - name: ui
 containerPort: 8080
+ securityContext:
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ runAsUser: 1000
+ seccompProfile:
+ type: RuntimeDefault
+ capabilities:
+ drop:
+ - ALL
 serviceAccountName: katib-ui

From e17f0d2f9b2644c1723b8bae6ebf0e83d2db6cb5 Mon Sep 17 00:00:00 2001
From: Harshvir Potpose
Date: Fri, 21 Mar 2025 18:29:32 +0530
Subject: [PATCH 2/2] fix mysql

Signed-off-by: Harshvir Potpose
---
 manifests/v1beta1/components/mysql/mysql.yaml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/manifests/v1beta1/components/mysql/mysql.yaml b/manifests/v1beta1/components/mysql/mysql.yaml
index 12c2014ee50..2017754023d 100644
--- a/manifests/v1beta1/components/mysql/mysql.yaml
+++ b/manifests/v1beta1/components/mysql/mysql.yaml
@@ -20,6 +20,9 @@ spec:
 annotations:
 sidecar.istio.io/inject: "false"
 spec:
+ securityContext:
+ fsGroup: 999
+ fsGroupChangePolicy: OnRootMismatch
 containers:
 - name: katib-mysql
 image: mysql:8.0.29
@@ -69,11 +72,12 @@ spec:
 - name: katib-mysql
 mountPath: /var/lib/mysql
 securityContext:
- runAsNonRoot: true
 allowPrivilegeEscalation: false
- runAsUser: 1000
 seccompProfile:
 type: RuntimeDefault
+ runAsNonRoot: true
+ runAsUser: 999
+ runAsGroup: 999
 capabilities:
 drop:
 - ALL
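Review bot: `fsGroup: 999` in the new pod-level `securityContext` of mysql.yaml is a bare number that has to agree with the `runAsUser: 999`/`runAsGroup: 999` in the later hunk and, presumably, with the uid/gid of the mysql user inside the `mysql:8.0.29` image; nothing on the page records that link, so a future image bump could silently break it. A comment on that line such as `fsGroup: 999  # uid/gid of the mysql user in the mysql image; keep in sync with runAsUser/runAsGroup on the container` would pin the intent. `fsGroupChangePolicy: OnRootMismatch` only re-chowns a volume when its root directory's ownership or permissions differ from the expected ones, so an existing PVC populated while the container still ran as root should be converted on first start after this change; that upgrade path is worth verifying rather than assumed. The enclosing pod template starts outside the hunk.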
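Review bot: The key reordering in the mysql container `securityContext` (`runAsNonRoot` and `runAsUser` now placed after `seccompProfile`) makes this block read differently from the otherwise identical blocks in controller, db-manager and ui for no functional reason; keeping the original order and changing only the values, `runAsNonRoot: true`, `runAsUser: 999`, `runAsGroup: 999` directly under `securityContext:`, keeps the four manifests diffable side by side. `runAsGroup` is new here and absent from the other three manifests; if mysql needs it because of the pod-level `fsGroup`, a one-line comment saying so would stop someone from later "harmonising" it away.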