fix: add missing seccompProfile to comply with restricted policy (argoproj-labs#1493)

* fix: add missing seccompProfile to comply with restricted policy

Signed-off-by: hamidos <ed.hamido@gmail.com>

* Add kuttl e2e test

Signed-off-by: Siddhesh Ghadi <sghadi1203@gmail.com>

* Fix kuttl test

Signed-off-by: Siddhesh Ghadi <sghadi1203@gmail.com>

---------

Signed-off-by: hamidos <ed.hamido@gmail.com>
Signed-off-by: Siddhesh Ghadi <sghadi1203@gmail.com>
Co-authored-by: Siddhesh Ghadi <sghadi1203@gmail.com>

Author: hamidos

bundle/manifests/argocd-operator.clusterserviceversion.yaml

@@ -1927,6 +1927,8 @@ spec:
                     - ALL
                   readOnlyRootFilesystem: true
                   runAsNonRoot: true
+                  seccompProfile:
+                    type: RuntimeDefault
               securityContext:
                 runAsNonRoot: true
               serviceAccountName: argocd-operator-controller-manager

config/default/manager_auth_proxy_patch.yaml

@@ -39,3 +39,5 @@ spec:
           allowPrivilegeEscalation: false
           readOnlyRootFilesystem: true 
           runAsNonRoot: true
+          seccompProfile:
+            type: RuntimeDefault

config/default/manager_config_patch.yaml

@@ -21,6 +21,8 @@ spec:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true 
            runAsNonRoot: true
+           seccompProfile:
+             type: RuntimeDefault 
       volumes:
       - name: manager-config
         configMap:

config/manager/manager.yaml

@@ -40,6 +40,8 @@ spec:
           allowPrivilegeEscalation: false
           readOnlyRootFilesystem: true 
           runAsNonRoot: true
+          seccompProfile:
+            type: RuntimeDefault
         livenessProbe:
           httpGet:
             path: /healthz

controllers/argocd/applicationset.go

@@ -355,6 +355,9 @@ func (r *ReconcileArgoCD) applicationSetContainer(cr *argoproj.ArgoCD, addSCMGit
 			AllowPrivilegeEscalation: boolPtr(false),
 			ReadOnlyRootFilesystem:   boolPtr(true),
 			RunAsNonRoot:             boolPtr(true),
+			SeccompProfile: &corev1.SeccompProfile{
+				Type: "RuntimeDefault",
+			},
 		},
 	}
 	if addSCMGitlabVolumeMount {

controllers/argocd/dex.go

@@ -271,6 +271,9 @@ func (r *ReconcileArgoCD) reconcileDexDeployment(cr *argoproj.ArgoCD) error {
 				},
 			},
 			RunAsNonRoot: boolPtr(true),
+			SeccompProfile: &corev1.SeccompProfile{
+				Type: "RuntimeDefault",
+			},
 		},
 		VolumeMounts: []corev1.VolumeMount{{
 			Name:      "static-files",
@@ -298,6 +301,9 @@ func (r *ReconcileArgoCD) reconcileDexDeployment(cr *argoproj.ArgoCD) error {
 				},
 			},
 			RunAsNonRoot: boolPtr(true),
+			SeccompProfile: &corev1.SeccompProfile{
+				Type: "RuntimeDefault",
+			},
 		},
 		VolumeMounts: []corev1.VolumeMount{{
 			Name:      "static-files",

controllers/argocd/dex_test.go

@@ -280,6 +280,9 @@ func TestReconcileArgoCD_reconcileDexDeployment(t *testing.T) {
 						},
 					},
 					RunAsNonRoot: boolPtr(true),
+					SeccompProfile: &corev1.SeccompProfile{
+						Type: "RuntimeDefault",
+					},
 				},
 				VolumeMounts: []corev1.VolumeMount{
 					{
@@ -330,6 +333,9 @@ func TestReconcileArgoCD_reconcileDexDeployment(t *testing.T) {
 						},
 					},
 					RunAsNonRoot: boolPtr(true),
+					SeccompProfile: &corev1.SeccompProfile{
+						Type: "RuntimeDefault",
+					},
 				},
 				VolumeMounts: []corev1.VolumeMount{
 					{Name: "static-files", MountPath: "/shared"},
@@ -401,6 +407,9 @@ func TestReconcileArgoCD_reconcileDexDeployment_withUpdate(t *testing.T) {
 								},
 							},
 							RunAsNonRoot: boolPtr(true),
+							SeccompProfile: &corev1.SeccompProfile{
+								Type: "RuntimeDefault",
+							},
 						},
 						VolumeMounts: []corev1.VolumeMount{
 							{
@@ -451,6 +460,9 @@ func TestReconcileArgoCD_reconcileDexDeployment_withUpdate(t *testing.T) {
 								},
 							},
 							RunAsNonRoot: boolPtr(true),
+							SeccompProfile: &corev1.SeccompProfile{
+								Type: "RuntimeDefault",
+							},
 						},
 						VolumeMounts: []corev1.VolumeMount{
 							{Name: "static-files", MountPath: "/shared"},
@@ -514,6 +526,9 @@ func TestReconcileArgoCD_reconcileDexDeployment_withUpdate(t *testing.T) {
 								},
 							},
 							RunAsNonRoot: boolPtr(true),
+							SeccompProfile: &corev1.SeccompProfile{
+								Type: "RuntimeDefault",
+							},
 						},
 						VolumeMounts: []corev1.VolumeMount{
 							{
@@ -577,6 +592,9 @@ func TestReconcileArgoCD_reconcileDexDeployment_withUpdate(t *testing.T) {
 								},
 							},
 							RunAsNonRoot: boolPtr(true),
+							SeccompProfile: &corev1.SeccompProfile{
+								Type: "RuntimeDefault",
+							},
 						},
 						VolumeMounts: []corev1.VolumeMount{
 							{Name: "static-files", MountPath: "/shared"},

controllers/argocd/keycloak.go

@@ -236,6 +236,18 @@ func getKeycloakContainer(cr *argoproj.ArgoCD) corev1.Container {
 			{ContainerPort: 8443, Name: "https", Protocol: "TCP"},
 			{ContainerPort: 8888, Name: "ping", Protocol: "TCP"},
 		},
+		SecurityContext: &corev1.SecurityContext{
+			Capabilities: &corev1.Capabilities{
+				Drop: []corev1.Capability{
+					"ALL",
+				},
+			},
+			AllowPrivilegeEscalation: boolPtr(false),
+			RunAsNonRoot:             boolPtr(true),
+			SeccompProfile: &corev1.SeccompProfile{
+				Type: "RuntimeDefault",
+			},
+		},
 		ReadinessProbe: &corev1.Probe{
 			TimeoutSeconds:      240,
 			InitialDelaySeconds: 120,
@@ -627,6 +639,18 @@ func newKeycloakDeployment(cr *argoproj.ArgoCD) *k8sappsv1.Deployment {
 								{Name: "http", ContainerPort: httpPort},
 								{Name: "https", ContainerPort: portTLS},
 							},
+							SecurityContext: &corev1.SecurityContext{
+								Capabilities: &corev1.Capabilities{
+									Drop: []corev1.Capability{
+										"ALL",
+									},
+								},
+								AllowPrivilegeEscalation: boolPtr(false),
+								RunAsNonRoot:             boolPtr(true),
+								SeccompProfile: &corev1.SeccompProfile{
+									Type: "RuntimeDefault",
+								},
+							},
 							ReadinessProbe: &corev1.Probe{
 								ProbeHandler: corev1.ProbeHandler{
 									HTTPGet: &corev1.HTTPGetAction{

controllers/argocd/notifications.go

@@ -393,6 +393,9 @@ func (r *ReconcileArgoCD) reconcileNotificationsDeployment(cr *argoproj.ArgoCD,
 					"ALL",
 				},
 			},
+			SeccompProfile: &corev1.SeccompProfile{
+				Type: "RuntimeDefault",
+			},
 		},
 		VolumeMounts: []corev1.VolumeMount{
 			{

controllers/argocd/notifications_test.go

@@ -181,6 +181,9 @@ func TestReconcileNotifications_CreateDeployments(t *testing.T) {
 					"ALL",
 				},
 			},
+			SeccompProfile: &corev1.SeccompProfile{
+				Type: "RuntimeDefault",
+			},
 		},
 		VolumeMounts: []corev1.VolumeMount{
 			{

controllers/argocd/statefulset.go

@@ -198,6 +198,9 @@ func (r *ReconcileArgoCD) reconcileRedisStatefulSet(cr *argoproj.ArgoCD) error {
 					},
 				},
 				RunAsNonRoot: boolPtr(true),
+				SeccompProfile: &corev1.SeccompProfile{
+					Type: "RuntimeDefault",
+				},
 			},
 			VolumeMounts: []corev1.VolumeMount{
 				{
@@ -270,6 +273,9 @@ func (r *ReconcileArgoCD) reconcileRedisStatefulSet(cr *argoproj.ArgoCD) error {
 					},
 				},
 				RunAsNonRoot: boolPtr(true),
+				SeccompProfile: &corev1.SeccompProfile{
+					Type: "RuntimeDefault",
+				},
 			},
 			VolumeMounts: []corev1.VolumeMount{
 				{
@@ -332,6 +338,9 @@ func (r *ReconcileArgoCD) reconcileRedisStatefulSet(cr *argoproj.ArgoCD) error {
 				},
 			},
 			RunAsNonRoot: boolPtr(true),
+			SeccompProfile: &corev1.SeccompProfile{
+				Type: "RuntimeDefault",
+			},
 		},
 		VolumeMounts: []corev1.VolumeMount{
 			{
@@ -618,6 +627,9 @@ func (r *ReconcileArgoCD) reconcileApplicationControllerStatefulSet(cr *argoproj
 				},
 			},
 			RunAsNonRoot: boolPtr(true),
+			SeccompProfile: &corev1.SeccompProfile{
+				Type: "RuntimeDefault",
+			},
 		},
 		VolumeMounts: controllerVolumeMounts,
 	}}
@@ -703,6 +715,9 @@ func (r *ReconcileArgoCD) reconcileApplicationControllerStatefulSet(cr *argoproj
 					},
 				},
 				RunAsNonRoot: boolPtr(true),
+				SeccompProfile: &corev1.SeccompProfile{
+					Type: "RuntimeDefault",
+				},
 			},
 			VolumeMounts: getArgoImportVolumeMounts(),
 		}}

controllers/argocdexport/job.go

@@ -186,6 +186,9 @@ func newExportPodSpec(cr *argoproj.ArgoCDExport, argocdName string, client clien
 				},
 			},
 			RunAsNonRoot: boolPtr(true),
+			SeccompProfile: &corev1.SeccompProfile{
+				Type: "RuntimeDefault",
+			},
 		},
 		VolumeMounts: getArgoExportVolumeMounts(),
 	}}

deploy/olm-catalog/argocd-operator/0.12.0/argocd-operator.v0.12.0.clusterserviceversion.yaml

@@ -1927,6 +1927,8 @@ spec:
                     - ALL
                   readOnlyRootFilesystem: true
                   runAsNonRoot: true
+                  seccompProfile:
+                    type: RuntimeDefault
               securityContext:
                 runAsNonRoot: true
               serviceAccountName: argocd-operator-controller-manager

tests/k8s/1-042_restricted_pss_compliant/01-assert.yaml

@@ -0,0 +1,27 @@
+# test will fail on clusters with less than 3 nodes
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: test-1-042-restricted-pss-compliant
+  labels:
+    pod-security.kubernetes.io/enforce: restricted
+    pod-security.kubernetes.io/enforce-version: latest
+    pod-security.kubernetes.io/warn: restricted
+    pod-security.kubernetes.io/warn-version: latest
+    pod-security.kubernetes.io/audit: restricted
+    pod-security.kubernetes.io/audit-version: latest
+---
+apiVersion: argoproj.io/v1beta1
+kind: ArgoCD
+metadata:
+  name: argocd
+  namespace: test-1-042-restricted-pss-compliant
+status:
+  applicationController: Running
+  applicationSetController: Running
+  notificationsController: Running
+  phase: Available
+  redis: Running
+  repo: Running
+  server: Running
+  sso: Running

tests/k8s/1-042_restricted_pss_compliant/01-install-argocd-in-restricted-pss-ns copy.yaml

@@ -0,0 +1,28 @@
+# test will fail on clusters with less than 3 nodes
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: test-1-042-restricted-pss-compliant
+  labels:
+    pod-security.kubernetes.io/enforce: restricted
+    pod-security.kubernetes.io/enforce-version: latest
+    pod-security.kubernetes.io/warn: restricted
+    pod-security.kubernetes.io/warn-version: latest
+    pod-security.kubernetes.io/audit: restricted
+    pod-security.kubernetes.io/audit-version: latest
+---
+apiVersion: argoproj.io/v1beta1
+kind: ArgoCD
+metadata:
+  name: argocd
+  namespace: test-1-042-restricted-pss-compliant
+spec:
+  applicationSet:
+    enabled: true
+  notifications:
+    enabled: true
+  sso:
+    provider: dex
+    dex:
+      openShiftOAuth: true

tests/k8s/1-042_restricted_pss_compliant/02-check-pod.yaml

@@ -0,0 +1,11 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - script: sleep 10
+  - script: kubectl get pods -n test-1-042-restricted-pss-compliant | grep 'argocd-application-controller'
+  - script: kubectl get pods -n test-1-042-restricted-pss-compliant | grep 'argocd-applicationset-controller'
+  - script: kubectl get pods -n test-1-042-restricted-pss-compliant | grep 'argocd-dex-server'
+  - script: kubectl get pods -n test-1-042-restricted-pss-compliant | grep 'argocd-notifications-controller'
+  - script: kubectl get pods -n test-1-042-restricted-pss-compliant | grep 'argocd-redis'
+  - script: kubectl get pods -n test-1-042-restricted-pss-compliant | grep 'argocd-repo-server'
+  - script: kubectl get pods -n test-1-042-restricted-pss-compliant | grep 'argocd-server'

tests/k8s/1-042_restricted_pss_compliant/03-assert.yaml

@@ -0,0 +1,18 @@
+apiVersion: argoproj.io/v1beta1
+kind: ArgoCD
+metadata:
+  name: argocd
+  namespace: test-1-042-restricted-pss-compliant
+status:
+  applicationController: Running
+  phase: Available
+  redis: Running
+  repo: Running
+  server: Running
+  #sso: Running  # due to bug in keycloak service code, status remains as Pending
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: keycloak
+  namespace: test-1-042-restricted-pss-compliant

tests/k8s/1-042_restricted_pss_compliant/03-enable-keycloak-sso.yaml

@@ -0,0 +1,17 @@
+apiVersion: argoproj.io/v1beta1
+kind: ArgoCD
+metadata:
+  name: argocd
+  namespace: test-1-042-restricted-pss-compliant
+spec:
+  sso:
+    provider: keycloak
+    keycloak:
+      verifyTLS: false
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+- script: |
+    kubectl patch -n test-1-042-restricted-pss-compliant argocd/argocd --type='json' -p='[{"op": "remove", "path": "/spec/sso/dex"}]'
+

tests/k8s/1-042_restricted_pss_compliant/04-check-pod.yaml

@@ -0,0 +1,5 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - script: sleep 10
+  - script: kubectl get pods -n test-1-042-restricted-pss-compliant | grep 'keycloak'

tests/k8s/1-042_restricted_pss_compliant/05-assert.yaml

@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1beta1
+kind: ArgoCD
+metadata:
+  name: argocd
+  namespace: test-1-042-restricted-pss-compliant
+status:
+  applicationController: Running
+  #phase: Available
+  #redis: Running
+  repo: Running
+  server: Running
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: argocd-redis-ha-server
+  namespace: test-1-042-restricted-pss-compliant
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: argocd-redis-ha-haproxy
+  namespace: test-1-042-restricted-pss-compliant
+

tests/k8s/1-042_restricted_pss_compliant/05-enable-redis-ha.yaml

@@ -0,0 +1,9 @@
+# test will fail on clusters with less than 3 nodes
+apiVersion: argoproj.io/v1beta1
+kind: ArgoCD
+metadata:
+  name: argocd
+  namespace: test-1-042-restricted-pss-compliant
+spec:
+  ha:
+    enabled: true