Fix Pod security for neuvector-updater-pod Cronjob
What does this MR do and why?
This MR was raised to address the issue described in #1978 (closed). The issue was also observed in some test scenarios under !3483 (closed), where the CI jobs failed because:
Warning: would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "neuvector-updater-pod" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "neuvector-updater-pod" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "neuvector-updater-pod" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "neuvector-updater-pod" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
Taking into consideration the work that is being done under !3679 (merged), where the neuvector-cert-upgrader CronJob is being disabled, only the neuvector-updater-pod CronJob needs to be patched. The patch that was applied under this MR follows the same logic as the patches that are applied on other Sylva units. This would set the right securityContext on the container of the neuvector-specific CronJob.
Also, with this MR, the existing patch on the resource was rewritten, in order to improve the readability of the code.
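As an added illustration (not code from this MR or from the Sylva repository), the script below encodes the four restricted-profile checks quoted in the admission warning above and then applies the container securityContext that the patched CronJob ends up with. The CronJob manifest, its schedule and the image name are constructed placeholders, and `patch_cronjob` mimics what a strategic-merge patch on the container does rather than reproducing Sylva's own patch format.

```python
"""Check a CronJob manifest against the PodSecurity 'restricted' rules quoted
in the admission warning, then apply the container securityContext that
satisfies them. Uses only the standard library (no kubectl, no cluster)."""
import copy
import json

# Constructed sample manifest (not the real chart output): the container carries
# no securityContext at all, which is what triggers the restricted:latest warning.
SAMPLE_CRONJOB = {
    "apiVersion": "batch/v1",
    "kind": "CronJob",
    "metadata": {"name": "neuvector-updater-pod", "namespace": "neuvector"},
    "spec": {
        "schedule": "0 0 * * *",  # placeholder schedule
        "jobTemplate": {
            "spec": {
                "template": {
                    "spec": {
                        "containers": [
                            {
                                "name": "neuvector-updater-pod",
                                "image": "placeholder/updater:example",  # placeholder image
                            }
                        ],
                        "restartPolicy": "Never",
                    }
                }
            }
        },
    },
}

# The securityContext values shown in the post-patch kubectl output of this MR.
RESTRICTED_SECURITY_CONTEXT = {
    "allowPrivilegeEscalation": False,
    "capabilities": {"drop": ["ALL"]},
    "runAsGroup": 10000,
    "runAsNonRoot": True,
    "runAsUser": 10000,
    "seccompProfile": {"type": "RuntimeDefault"},
}


def pod_spec(cronjob):
    """Return the pod spec nested inside a CronJob manifest."""
    return cronjob["spec"]["jobTemplate"]["spec"]["template"]["spec"]


def restricted_violations(cronjob):
    """Return one violation string per failing check, phrased like the
    'would violate PodSecurity "restricted:latest"' warning. A pod-level
    securityContext satisfies the pod-or-container checks (runAsNonRoot,
    seccompProfile) for every container; the other two are container-only."""
    spec = pod_spec(cronjob)
    pod_sc = spec.get("securityContext", {})
    violations = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext", {})
        name = c["name"]
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(f'allowPrivilegeEscalation != false (container "{name}")')
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            violations.append(f'unrestricted capabilities (container "{name}")')
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            violations.append(f'runAsNonRoot != true (pod or container "{name}")')
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {})).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            violations.append(f'seccompProfile (pod or container "{name}")')
    return violations


def patch_cronjob(cronjob, security_context=RESTRICTED_SECURITY_CONTEXT):
    """Return a copy of the CronJob with the securityContext set on every
    container, the way a strategic-merge patch on the container would.
    The input manifest is left untouched."""
    patched = copy.deepcopy(cronjob)
    for c in pod_spec(patched).get("containers", []):
        c["securityContext"] = copy.deepcopy(security_context)
    return patched


if __name__ == "__main__":
    print("before:", restricted_violations(SAMPLE_CRONJOB))
    fixed = patch_cronjob(SAMPLE_CRONJOB)
    print("after:", restricted_violations(fixed))
    print(json.dumps(pod_spec(fixed)["containers"][0]["securityContext"], indent=2))
```

Running the script lists the same four findings as the warning for the unpatched manifest and an empty list after the patch; the same check can be pointed at any rendered CronJob before it reaches a namespace enforcing the restricted profile.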
Related reference(s)
Closes #1978 (closed)
Test coverage
Since !140 is not yet merged, the changes were tested on a local CAPO environment. The behavior is the expected one, as follows:
```
k --kubeconfig management-cluster-kubeconfig get cronjob -n neuvector neuvector-updater-pod -o yaml | grep securityContext -A9
securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
    - ALL
  runAsGroup: 10000
  runAsNonRoot: true
  runAsUser: 10000
  seccompProfile:
    type: RuntimeDefault
--
```
Also, the CronJob is running successfully:
```
All jobs processed. Report generated at cronjob_report.txt.
CronJob Test Report - Wed Jan 22 09:07:55 UTC 2025
------------------------------------
OK: Job fleet-cleanup-gitrepo-jobs-test-473bcb15 for cronjob fleet-cleanup-gitrepo-jobs in namespace cattle-fleet-system completed successfully.
OK: Job cluster-creator-renewal-test-473bcb15 for cronjob cluster-creator-renewal in namespace sylva-system completed successfully.
OK: Job cluster-garbage-collector-test-473bcb15 for cronjob cluster-garbage-collector in namespace sylva-system completed successfully.
OK: Job neuvector-updater-pod-test-473bcb15 for cronjob neuvector-updater-pod in namespace neuvector completed successfully.
OK: Job rke2-machineconfig-cleanup-cronjob-test-473bcb15 for cronjob rke2-machineconfig-cleanup-cronjob in namespace fleet-default completed successfully.
```
CI configuration
Below you can choose test deployment variants to run in this MR's CI.
Legend:
| Icon | Meaning | Available values |
|---|---|---|
| ☁️ | Infra Provider | capd, capo, capm3 |
| 🚀 | Bootstrap Provider | kubeadm (alias kadm), rke2 |
| 🐧 | Node OS | ubuntu, suse |
| 🛠️ | Deployment Options | light-deploy, oci, ha, misc |
| 🎬 | Pipeline Scenarios | rolling-update, mgmt-rolling-update, k8s-upgrade, sylva-upgrade, sylva-upgrade-from-x.x.X, simple-update, preview, nightly |
- 🎬 preview ☁️ capd 🚀 kadm 🐧 ubuntu 🛠️ oci
- 🎬 preview ☁️ capo 🚀 rke2 🐧 suse
- 🎬 preview ☁️ capm3 🚀 rke2 🐧 ubuntu
- ☁️ capd 🚀 kubeadm 🛠️ light-deploy 🐧 ubuntu
- ☁️ capd 🚀 rke2 🛠️ oci,light-deploy 🐧 suse
- ☁️ capo 🚀 rke2 🛠️ oci 🐧 suse
- ☁️ capo 🚀 kadm 🛠️ oci 🐧 ubuntu
- ☁️ capo 🚀 rke2 🎬 rolling-update 🛠️ ha 🐧 ubuntu
- ☁️ capo 🚀 kadm 🎬 k8s-upgrade 🐧 ubuntu
- ☁️ capo 🚀 rke2 🎬 mgmt-rolling-update 🛠️ ha,misc 🐧 suse
- ☁️ capo 🚀 rke2 🎬 sylva-upgrade 🛠️ misc 🐧 ubuntu
- ☁️ capo 🚀 rke2 🛠️ misc 🐧 suse
- ☁️ capm3 🚀 rke2 🐧 suse
- ☁️ capm3 🚀 kadm 🛠️ oci 🐧 ubuntu
- ☁️ capm3 🚀 kadm 🎬 mgmt-rolling-update 🛠️ ha,misc 🐧 ubuntu
- ☁️ capm3 🚀 rke2 🎬 k8s-upgrade 🐧 suse
- ☁️ capm3 🚀 kadm 🎬 rolling-update 🛠️ ha 🐧 ubuntu
- ☁️ capm3 🚀 rke2 🛠️ misc,ha 🐧 suse
- ☁️ capm3 🚀 kadm 🎬 rolling-update 🛠️ ha 🐧 suse
Be aware: after configuration change, pipeline is not triggered automatically.
Please run it manually (by clicking the run pipeline button in Pipelines tab) or push new code.