Feat: 771 remove unnecessary security concerns (#926)

* feat: reduce privileges granted through SCC for OpenShift Signed-off-by: Bastien Grasnick <bastien.grasnick@deutschebahn.com> * feat: set mounted volumes as read only as much as possible Signed-off-by: Bastien Grasnick <bastien.grasnick@deutschebahn.com> * feat: set pod hostPID to true to avoid collisions/unwanted behavior in host PID namespace Signed-off-by: Bastien Grasnick <bastien.grasnick@deutschebahn.com> * feat: remove unnecessary mount of /sys/kernel/debug Signed-off-by: Bastien Grasnick <bastien.grasnick@deutschebahn.com> --------- Signed-off-by: Bastien Grasnick <bastien.grasnick@deutschebahn.com>
sustainable-computing-io · Nov 1, 2023 · 877a59a · 877a59a
1 parent d8a48f4
commit 877a59a
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 10 deletions.
diff --git a/manifests/config/exporter/exporter.yaml b/manifests/config/exporter/exporter.yaml
@@ -55,6 +55,7 @@ spec:
         key: node-role.kubernetes.io/master
       dnsPolicy: ClusterFirstWithHostNet
       serviceAccountName: kepler-sa
+      hostPID: true
       containers:
       - name: kepler-exporter
         image: kepler:latest
@@ -86,8 +87,10 @@ spec:
         volumeMounts:
         - mountPath: /lib/modules
           name: lib-modules
+          readOnly: true
         - mountPath: /sys
           name: tracing
+          readOnly: true
         - mountPath: /proc
           name: proc
         - mountPath: /var/run

diff --git a/manifests/config/exporter/openshift_scc.yaml b/manifests/config/exporter/openshift_scc.yaml
@@ -6,9 +6,9 @@ metadata:
 # To allow running privilegedContainers
 allowPrivilegedContainer: true
 allowHostDirVolumePlugin: true
-allowHostNetwork: true
-allowHostPorts: true
-allowHostIPC: true
+allowHostNetwork: false
+allowHostPorts: false
+allowHostIPC: false
 allowHostPID: true
 readOnlyRootFilesystem: true
 defaultAddCapabilities:

diff --git a/manifests/config/exporter/patch/patch-openshift.yaml b/manifests/config/exporter/patch/patch-openshift.yaml
@@ -19,15 +19,10 @@ spec:
         volumeMounts:
         - name: kernel-src
           mountPath: /usr/src/kernels
-        - name: kernel-debug
-          mountPath: /sys/kernel/debug
+          readOnly: true
         securityContext:
           privileged: true
-      volumes:      
-      - name: kernel-debug
-        hostPath:
-          path: /sys/kernel/debug
-          type: Directory
+      volumes:
       - name: kernel-src
         hostPath:
           path: /usr/src/kernels