Fix PSA (#159)

Added missing securityContext entries to comply with Pod Security
Admission restricted mode (used when using linkerd-cni).

CHANGES.md

@@ -4,6 +4,7 @@
 
 - Allowed setting resource requirements for the smi-adaptor
 - Added ability to set `runAsUser` entry for the smi-adaptor
+- Fixed the smi-adaptor to run in Pod Security Admission's `restricted` level
 - Fixed `clusterDomain` config (it was being ignored)
 
 ## v0.2.6

charts/linkerd-smi/README.md

@@ -77,6 +77,7 @@ Kubernetes: `>=1.16.0-0`
 | namespaceMetadata.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for the namespace-metadata instance |
 | namespaceMetadata.image.registry | string | `"cr.l5d.io/linkerd"` | Docker registry for the namespace-metadata instance |
 | namespaceMetadata.image.tag | string | `"v0.1.0"` | Docker image tag for the namespace-metadata instance |
+| namespaceMetadata.runAsUser | int | `65534` | User ID for the namespace-metadata instance |
 
 ----------------------------------------------
 Autogenerated from chart metadata using [helm-docs v1.4.0](https://github.com/norwoodj/helm-docs/releases/v1.4.0)

charts/linkerd-smi/templates/adaptor.yaml

@@ -53,6 +53,17 @@ spec:
             cpu: {{ .cpu }}
             memory: {{ .memory }}
         {{- end }}
-      serviceAccountName: smi-adaptor
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          runAsUser: {{.Values.adaptor.runAsUser}}
+          seccompProfile:
+            type: RuntimeDefault
       securityContext:
-        runAsUser: {{.Values.adaptor.runAsUser}}
+        seccompProfile:
+          type: RuntimeDefault
+      serviceAccountName: smi-adaptor

charts/linkerd-smi/templates/namespace-metadata.yaml

@@ -19,11 +19,24 @@ spec:
         app.kubernetes.io/version: {{.Values.adaptor.image.tag}}
     spec:
       restartPolicy: Never
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
       serviceAccountName: namespace-metadata
       containers:
       - name: namespace-metadata
         image: {{.Values.namespaceMetadata.image.registry}}/{{.Values.namespaceMetadata.image.name}}:{{.Values.namespaceMetadata.image.tag}}
         imagePullPolicy: {{.Values.namespaceMetadata.image.pullPolicy }}
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          runAsNonRoot: true
+          readOnlyRootFilesystem: true
+          runAsUser: {{.Values.namespaceMetadata.runAsUser}}
+          seccompProfile:
+            type: RuntimeDefault
         args:
         - --extension
         - smi

charts/linkerd-smi/values.yaml

@@ -49,3 +49,6 @@ namespaceMetadata:
     tag: v0.1.0
     # -- Pull policy for the namespace-metadata instance
     pullPolicy: IfNotPresent
+
+  # -- User ID for the namespace-metadata instance
+  runAsUser: 65534

cli/cmd/testdata/install_default.golden

@@ -44,9 +44,20 @@ spec:
           limits:
             cpu: 100m
             memory: 20Mi
-      serviceAccountName: smi-adaptor
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          runAsUser: 65534
+          seccompProfile:
+            type: RuntimeDefault
       securityContext:
-        runAsUser: 65534
+        seccompProfile:
+          type: RuntimeDefault
+      serviceAccountName: smi-adaptor
 ---
 ###
 ### SMI Adaptor Service