From 35b659c1a599215f18cf8edba2479f005e925053 Mon Sep 17 00:00:00 2001
From: "Brad P. Crochet"
Date: Tue, 15 Nov 2022 11:32:00 -0500
Subject: [PATCH] Configure test pod to comply with Pod Security Standard

The test pod is not yet created in accordance with the Pod Security Standard enforced in k8s 1.24. For compliance, the main pod security context needs: RunAsNonRoot: true SeccompProfile: Type: RuntimeDefault And each container needs: SecurityContext: AllowPrivilegeEscalation: false Capabilities: Drop: 'ALL' Fixes #5939
Signed-off-by: Brad P. Crochet
---
 internal/cmd/operator-sdk/scorecard/cmd.go | 2 +-
 internal/scorecard/testpod.go | 27 +++++++++++++++++++++-
 2 files changed, 27 insertions(+), 2 deletions(-)

diff --git a/internal/cmd/operator-sdk/scorecard/cmd.go b/internal/cmd/operator-sdk/scorecard/cmd.go
index df0253b30e..73cf9949c8 100644
--- a/internal/cmd/operator-sdk/scorecard/cmd.go
+++ b/internal/cmd/operator-sdk/scorecard/cmd.go
@@ -92,7 +92,7 @@ If the argument holds an image tag, it must be present remotely.`,
 "docker.io/library/busybox@sha256:c71cb4f7e8ececaffb34037c2637dc86820e4185100e18b4d02d613a9bd772af",
 "Storage image to be used by the Scorecard pod")
 scorecardCmd.Flags().StringVarP(&c.untarImage, "untar-image", "u",
- "registry.access.redhat.com/ubi8@sha256:910f6bc0b5ae9b555eb91b88d28d568099b060088616eba2867b07ab6ea457c7",
+ "registry.access.redhat.com/ubi8@sha256:83c0e63f5efb64cba26be647e93bf036b8d88b774f0726936c1b956424b1abf6",
 "Untar image to be used by the Scorecard pod")
 scorecardCmd.Flags().StringVarP(&c.testOutput, "test-output", "t", "test-output",
 "Test output directory.")
diff --git a/internal/scorecard/testpod.go b/internal/scorecard/testpod.go
index d0793d3402..ef81565f35 100644
--- a/internal/scorecard/testpod.go
+++ b/internal/scorecard/testpod.go
@@ -35,7 +35,6 @@ const (
 // getPodDefinition fills out a Pod definition based on
 // information from the test
 func getPodDefinition(configMapName string, test v1alpha3.TestConfiguration, r PodTestRunner) *v1.Pod {
-
 return &v1.Pod{
 ObjectMeta: metav1.ObjectMeta{
 Name: fmt.Sprintf("scorecard-test-%s", rand.String(4)),
@@ -71,6 +70,15 @@ func getPodDefinition(configMapName string, test v1alpha3.TestConfiguration, r P
 },
 },
 },
+ SecurityContext: &v1.SecurityContext{
+ RunAsNonRoot: &[]bool{true}[0],
+ AllowPrivilegeEscalation: &[]bool{false}[0],
+ Capabilities: &v1.Capabilities{
+ Drop: []v1.Capability{
+ "ALL",
+ },
+ },
+ },
 },
 },
 InitContainers: []v1.Container{
@@ -97,6 +105,17 @@ func getPodDefinition(configMapName string, test v1alpha3.TestConfiguration, r P
 ReadOnly: false,
 },
 },
+ SecurityContext: &v1.SecurityContext{
+ RunAsUser: &[]int64{1000}[0],
+ RunAsGroup: &[]int64{1000}[0],
+ RunAsNonRoot: &[]bool{true}[0],
+ AllowPrivilegeEscalation: &[]bool{false}[0],
+ Capabilities: &v1.Capabilities{
+ Drop: []v1.Capability{
+ "ALL",
+ },
+ },
+ },
 },
 },
 Volumes: []v1.Volume{
@@ -117,6 +136,12 @@ func getPodDefinition(configMapName string, test v1alpha3.TestConfiguration, r P
 },
 },
 },
+ SecurityContext: &v1.PodSecurityContext{
+ RunAsNonRoot: &[]bool{true}[0],
+ SeccompProfile: &v1.SeccompProfile{
+ Type: v1.SeccompProfileTypeRuntimeDefault,
+ },
+ },
 },
 }
 }
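Review bot: In the test container's new SecurityContext, `RunAsNonRoot: true` is set without a `RunAsUser`, whereas the init container in the following hunk pins `RunAsUser: 1000`; the kubelet enforces RunAsNonRoot at container creation, so a test image that defaults to root, or declares a non-numeric USER it cannot verify, will fail with CreateContainerConfigError rather than being caught at admission. The test container's image comes from the test configuration passed to getPodDefinition and is not visible in this hunk, so either pin a UID here as well or state in this function's doc comment that scorecard test images must declare a numeric non-root USER. The repeated `&[]bool{true}[0]` / `&[]bool{false}[0]` pointer trick used here and in the next two hunks would read better through a small helper such as `func boolPtr(b bool) *bool { return &b }`. getPodDefinition's Pod literal starts and ends outside this hunk.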
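Review bot: The init container now runs as UID/GID 1000 while the test container is left at whatever UID its image chooses, yet the init container writes into a volume (`ReadOnly: false` just above the added block) that the test container presumably reads; without `FSGroup` on the pod-level context, whether the test container can read the untarred files depends on the file modes the untar step produces, so this is worth verifying with a test image that runs as a different non-root UID. If the two containers are meant to share a UID, a package-level `const scorecardUID int64 = 1000` used in both security contexts would make that intent explicit instead of a bare literal. The volume mount this applies to is only partially visible in the hunk.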
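Review bot: With `RunAsNonRoot: true` now set on the PodSecurityContext, the identical per-container `RunAsNonRoot` fields added in the two preceding hunks are redundant, since the pod-level value applies to every container unless a container overrides it; keeping it in one place (pod-level, or container-level only) leaves fewer spots to keep in sync. The pod-level `SeccompProfile` of `RuntimeDefault` is set once and not repeated per container, which is the consistent shape. Consider adding to getPodDefinition's doc comment a sentence noting that the pod is built to satisfy the Pod Security Standard described in the commit message, so a future edit does not silently drop one of these fields; the function's closing brace is the last line of this hunk but its start is outside it.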