Merge pull request #8491 from reasonerjt/restore-help-secctx

Add SecurityContext to restore-helper
2024-12-06 10:27:36 -05:00 · 2024-12-06 10:27:36 -05:00 · b588dc926d
parent aa7ca15159 4b7f93189d
commit b588dc926d
3 changed files with 44 additions and 5 deletions
--- a/changelogs/unreleased/8491-reasonerjt
+++ b/changelogs/unreleased/8491-reasonerjt
@ -0,0 +1 @@
+Add SecurityContext to restore-helper
--- a/pkg/restore/actions/pod_volume_restore_action.go
+++ b/pkg/restore/actions/pod_volume_restore_action.go
@ -21,6 +21,8 @@ import (
 	"fmt"
 	"strings"

+	"github.com/vmware-tanzu/velero/pkg/util/boolptr"
+
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	corev1 "k8s.io/api/core/v1"
@ -44,6 +46,7 @@ const (
 	defaultCPURequestLimit = "100m"
 	defaultMemRequestLimit = "128Mi"
 	defaultCommand         = "/velero-restore-helper"
+	restoreHelperUID       = 1000
 )

 type PodVolumeRestoreAction struct {
@ -143,9 +146,15 @@ func (a *PodVolumeRestoreAction) Execute(input *velero.RestoreItemActionExecuteI

 	runAsUser, runAsGroup, allowPrivilegeEscalation, secCtx := getSecurityContext(log, config)

-	securityContext, err := kube.ParseSecurityContext(runAsUser, runAsGroup, allowPrivilegeEscalation, secCtx)
-	if err != nil {
-		log.Errorf("Using default securityContext values, couldn't parse securityContext requirements: %s.", err)
+	var securityContext corev1.SecurityContext
+	if runAsUser == "" && runAsGroup == "" && allowPrivilegeEscalation == "" && secCtx == "" {
+		securityContext = defaultSecurityCtx()
+	} else {
+		securityContext, err = kube.ParseSecurityContext(runAsUser, runAsGroup, allowPrivilegeEscalation, secCtx)
+		if err != nil {
+			log.Errorf("Using default securityContext values, couldn't parse securityContext requirements: %s.", err)
+			securityContext = defaultSecurityCtx()
+		}
 	}

 	initContainerBuilder := newRestoreInitContainerBuilder(image, string(input.Restore.UID))
@ -282,3 +291,20 @@ func newRestoreInitContainerBuilder(image, restoreUID string) *builder.Container
 			},
 		}...)
 }
+
+// defaultSecurityCtx returns a default security context for the init container, which has the level "restricted" per
+// Pod Security Standards.
+func defaultSecurityCtx() corev1.SecurityContext {
+	uid := int64(restoreHelperUID)
+	return corev1.SecurityContext{
+		AllowPrivilegeEscalation: boolptr.False(),
+		Capabilities: &corev1.Capabilities{
+			Drop: []corev1.Capability{"ALL"},
+		},
+		SeccompProfile: &corev1.SeccompProfile{
+			Type: corev1.SeccompProfileTypeRuntimeDefault,
+		},
+		RunAsUser:    &uid,
+		RunAsNonRoot: boolptr.True(),
+	}
+}
--- a/pkg/restore/actions/pod_volume_restore_action_test.go
+++ b/pkg/restore/actions/pod_volume_restore_action_test.go
@ -20,6 +20,8 @@ import (
 	"sort"
 	"testing"

+	"github.com/vmware-tanzu/velero/pkg/util/boolptr"
+
 	"github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@ -113,8 +115,18 @@ func TestPodVolumeRestoreActionExecute(t *testing.T) {
 		defaultCPURequestLimit, defaultMemRequestLimit, // requests
 		defaultCPURequestLimit, defaultMemRequestLimit, // limits
 	)
-
-	securityContext, _ := kube.ParseSecurityContext("", "", "", "")
+	id := int64(1000)
+	securityContext := corev1api.SecurityContext{
+		AllowPrivilegeEscalation: boolptr.False(),
+		Capabilities: &corev1api.Capabilities{
+			Drop: []corev1api.Capability{"ALL"},
+		},
+		SeccompProfile: &corev1api.SeccompProfile{
+			Type: corev1api.SeccompProfileTypeRuntimeDefault,
+		},
+		RunAsUser:    &id,
+		RunAsNonRoot: boolptr.True(),
+	}

 	var (
 		restoreName = "my-restore"