From 49b30bd93509874ce63b4e83e8bfc8bd69ea143c Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Thu, 15 Aug 2024 20:22:35 +0530 Subject: [PATCH] Added securityContext to pipelines pods 
Signed-off-by: biswajit-9776 --- contrib/security/PSS/patches/cache-server.yaml | 17 +++++++++++++++++ .../kubeflow-pipelines-profile-controller.yaml | 17 +++++++++++++++++ .../PSS/patches/metadata-envoy-deployment.yaml | 17 +++++++++++++++++ .../PSS/patches/metadata-grpc-deployment.yaml | 17 +++++++++++++++++ .../security/PSS/patches/metadata-writer.yaml | 17 +++++++++++++++++ contrib/security/PSS/patches/minio.yaml | 17 +++++++++++++++++ .../patches/ml-pipeline-persistenceagent.yaml | 17 +++++++++++++++++ .../patches/ml-pipeline-scheduledworkflow.yaml | 17 +++++++++++++++++ .../security/PSS/patches/ml-pipeline-ui.yaml | 17 +++++++++++++++++ .../PSS/patches/ml-pipeline-viewer-crd.yaml | 17 +++++++++++++++++ .../ml-pipeline-visualizationserver.yaml | 17 +++++++++++++++++ contrib/security/PSS/patches/ml-pipeline.yaml | 17 +++++++++++++++++ contrib/security/PSS/patches/mysql.yaml | 17 +++++++++++++++++ 13 files changed, 221 insertions(+) create mode 100644 contrib/security/PSS/patches/cache-server.yaml create mode 100644 contrib/security/PSS/patches/kubeflow-pipelines-profile-controller.yaml create mode 100644 contrib/security/PSS/patches/metadata-envoy-deployment.yaml create mode 100644 contrib/security/PSS/patches/metadata-grpc-deployment.yaml create mode 100644 contrib/security/PSS/patches/metadata-writer.yaml create mode 100644 contrib/security/PSS/patches/minio.yaml create mode 100644 contrib/security/PSS/patches/ml-pipeline-persistenceagent.yaml create mode 100644 contrib/security/PSS/patches/ml-pipeline-scheduledworkflow.yaml create mode 100644 contrib/security/PSS/patches/ml-pipeline-ui.yaml create mode 100644 contrib/security/PSS/patches/ml-pipeline-viewer-crd.yaml create mode 100644 contrib/security/PSS/patches/ml-pipeline-visualizationserver.yaml create mode 100644 contrib/security/PSS/patches/ml-pipeline.yaml create mode 100644 contrib/security/PSS/patches/mysql.yaml 
diff --git a/contrib/security/PSS/patches/cache-server.yaml b/contrib/security/PSS/patches/cache-server.yaml
new file mode 100644
index 0000000000..e62a8bcc49
--- /dev/null
+++ b/contrib/security/PSS/patches/cache-server.yaml
@@ -0,0 +1,17 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: cache-server
+spec:
+ template:
+ spec:
+ containers:
+ - name: server
+ securityContext:
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
diff --git a/contrib/security/PSS/patches/kubeflow-pipelines-profile-controller.yaml b/contrib/security/PSS/patches/kubeflow-pipelines-profile-controller.yaml
new file mode 100644
index 0000000000..9c29bfb9ab
--- /dev/null
+++ b/contrib/security/PSS/patches/kubeflow-pipelines-profile-controller.yaml
@@ -0,0 +1,17 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: kubeflow-pipelines-profile-controller
+spec:
+ template:
+ spec:
+ containers:
+ - name: profile-controller
+ securityContext:
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
diff --git a/contrib/security/PSS/patches/metadata-envoy-deployment.yaml b/contrib/security/PSS/patches/metadata-envoy-deployment.yaml
new file mode 100644
index 0000000000..ff0370c0f5
--- /dev/null
+++ b/contrib/security/PSS/patches/metadata-envoy-deployment.yaml
@@ -0,0 +1,17 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: metadata-envoy-deployment
+spec:
+ template:
+ spec:
+ containers:
+ - name: container
+ securityContext:
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
diff --git a/contrib/security/PSS/patches/metadata-grpc-deployment.yaml b/contrib/security/PSS/patches/metadata-grpc-deployment.yaml
new file mode 100644
index 0000000000..778f849a08
--- /dev/null
+++ b/contrib/security/PSS/patches/metadata-grpc-deployment.yaml
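Review bot: `runAsNonRoot: true` is set on the `server` container without a `runAsUser`, so enforcement depends entirely on the image's USER; if that image runs as UID 0 by default, or declares its user by name rather than numeric UID, the kubelet rejects the container (CreateContainerConfigError) instead of running it hardened, so confirm each image's USER or add an explicit numeric `runAsUser`. The same shape is repeated in kubeflow-pipelines-profile-controller.yaml, metadata-envoy-deployment.yaml, metadata-grpc-deployment.yaml, metadata-writer.yaml, minio.yaml, ml-pipeline-persistenceagent.yaml, ml-pipeline-scheduledworkflow.yaml, ml-pipeline-ui.yaml, ml-pipeline-viewer-crd.yaml, ml-pipeline-visualizationserver.yaml, ml-pipeline.yaml and mysql.yaml. Each patch also covers exactly one named container, while the PSS restricted profile evaluates every container, initContainer and ephemeral container in the pod, so any additional container the base Deployment defines or an admission webhook injects would still fail admission; `runAsNonRoot` and `seccompProfile` can be set once at pod level where they apply to all containers, keeping the container-level block for `allowPrivilegeEscalation` and `capabilities`, which exist only there. A one-line `# PSS "restricted": allowPrivilegeEscalation, capabilities, runAsNonRoot and seccompProfile are the four container-level controls it requires` comment at the top of each patch would tell the next maintainer why the set is exactly this one.
```yaml
spec:
  template:
    spec:
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: server
          # … unchanged: container-level securityContext block …
```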
@@ -0,0 +1,17 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: metadata-grpc-deployment
+spec:
+ template:
+ spec:
+ containers:
+ - name: container
+ securityContext:
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
diff --git a/contrib/security/PSS/patches/metadata-writer.yaml b/contrib/security/PSS/patches/metadata-writer.yaml
new file mode 100644
index 0000000000..ada39a1bc1
--- /dev/null
+++ b/contrib/security/PSS/patches/metadata-writer.yaml
@@ -0,0 +1,17 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: metadata-writer
+spec:
+ template:
+ spec:
+ containers:
+ - name: main
+ securityContext:
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
diff --git a/contrib/security/PSS/patches/minio.yaml b/contrib/security/PSS/patches/minio.yaml
new file mode 100644
index 0000000000..0dc2a0e5fb
--- /dev/null
+++ b/contrib/security/PSS/patches/minio.yaml
@@ -0,0 +1,17 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: minio
+spec:
+ template:
+ spec:
+ containers:
+ - name: minio
+ securityContext:
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
diff --git a/contrib/security/PSS/patches/ml-pipeline-persistenceagent.yaml b/contrib/security/PSS/patches/ml-pipeline-persistenceagent.yaml
new file mode 100644
index 0000000000..61aa1f2a69
--- /dev/null
+++ b/contrib/security/PSS/patches/ml-pipeline-persistenceagent.yaml
@@ -0,0 +1,17 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: ml-pipeline-persistenceagent
+spec:
+ template:
+ spec:
+ containers:
+ - name: ml-pipeline-persistenceagent
+ securityContext:
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
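Review bot: In minio.yaml the `minio` container is now pinned to a non-root UID with `drop: - ALL`, and mysql.yaml does the same for the `mysql` container; both presumably write to a mounted data volume, and with CHOWN and DAC_OVERRIDE dropped the process can no longer fix up ownership of a root-owned volume itself, so a mismatch surfaces as permission errors at startup rather than as an admission failure. If the base Deployments do mount such volumes, add a pod-level `securityContext` with `fsGroup: <gid-of-image-user>` (and `runAsUser: <uid-of-image-user>` where the image USER is not numeric) so the kubelet applies the ownership before the container starts. Whether the base Deployments define volumes is not visible in these hunks; verify against the manifests the patches target.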
diff --git a/contrib/security/PSS/patches/ml-pipeline-scheduledworkflow.yaml b/contrib/security/PSS/patches/ml-pipeline-scheduledworkflow.yaml
new file mode 100644
index 0000000000..72e8773638
--- /dev/null
+++ b/contrib/security/PSS/patches/ml-pipeline-scheduledworkflow.yaml
@@ -0,0 +1,17 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: ml-pipeline-scheduledworkflow
+spec:
+ template:
+ spec:
+ containers:
+ - name: ml-pipeline-scheduledworkflow
+ securityContext:
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
diff --git a/contrib/security/PSS/patches/ml-pipeline-ui.yaml b/contrib/security/PSS/patches/ml-pipeline-ui.yaml
new file mode 100644
index 0000000000..c3ce8228d5
--- /dev/null
+++ b/contrib/security/PSS/patches/ml-pipeline-ui.yaml
@@ -0,0 +1,17 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: ml-pipeline-ui
+spec:
+ template:
+ spec:
+ containers:
+ - name: ml-pipeline-ui
+ securityContext:
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
diff --git a/contrib/security/PSS/patches/ml-pipeline-viewer-crd.yaml b/contrib/security/PSS/patches/ml-pipeline-viewer-crd.yaml
new file mode 100644
index 0000000000..cf52aef9e7
--- /dev/null
+++ b/contrib/security/PSS/patches/ml-pipeline-viewer-crd.yaml
@@ -0,0 +1,17 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: ml-pipeline-viewer-crd
+spec:
+ template:
+ spec:
+ containers:
+ - name: ml-pipeline-viewer-crd
+ securityContext:
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
diff --git a/contrib/security/PSS/patches/ml-pipeline-visualizationserver.yaml b/contrib/security/PSS/patches/ml-pipeline-visualizationserver.yaml
new file mode 100644
index 0000000000..1673b60c66
--- /dev/null
+++ b/contrib/security/PSS/patches/ml-pipeline-visualizationserver.yaml
@@ -0,0 +1,17 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: ml-pipeline-visualizationserver
+spec:
+ template:
+ spec:
+ containers:
+ - name: ml-pipeline-visualizationserver
+ securityContext:
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
diff --git a/contrib/security/PSS/patches/ml-pipeline.yaml b/contrib/security/PSS/patches/ml-pipeline.yaml
new file mode 100644
index 0000000000..67fc9a41f8
--- /dev/null
+++ b/contrib/security/PSS/patches/ml-pipeline.yaml
@@ -0,0 +1,17 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: ml-pipeline
+spec:
+ template:
+ spec:
+ containers:
+ - name: ml-pipeline-api-server
+ securityContext:
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
diff --git a/contrib/security/PSS/patches/mysql.yaml b/contrib/security/PSS/patches/mysql.yaml
new file mode 100644
index 0000000000..257264d6a3
--- /dev/null
+++ b/contrib/security/PSS/patches/mysql.yaml
@@ -0,0 +1,17 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: mysql
+spec:
+ template:
+ spec:
+ containers:
+ - name: mysql
+ securityContext:
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL