fix(security): support restricted pod security standard

[ebaron]

The primary difficulty with this fix is that OpenShift < 4.11 does not permit you to set seccompProfile by default. Following the discussion in redhat-openshift-ecosystem/community-operators-prod#1417, I decided to take the following approach with this PR.

For the operator deployment:

• Set runAsNonRoot and seccompProfile in the pod security context. This is not backwards compatible with OpenShift < 4.11. In the downstream release, we will have to remove seccompProfile to support these versions. The restricted-v2 Security Context Constraint (SCC) will set the seccompProfile for us when it is necessary. The alternative is not being compliant on standard Kubernetes, which does not have a SCC mechanism. The end result will be upstream releases will continue to work on Kubernetes 1.19, and OpenShift >= 4.11. Downstream releases will continue to work on OpenShift >= 4.6.
• Drop all capabilities and disallow privilege escalation.

For the operand deployments:

• Set runAsNonRoot and if not running on OpenShift, set seccompProfile. This preserves backwards compatibility, and relies on the restricted-v2 SCC to set seccompProfile in OpenShift >= 4.11.
• Drop all capabilities and disallow privilege escalation.

Fixes: #404

[andrewazores]

Code seems to make sense and works as expected with a basic manual run. I'll let @tthvo sign off.

[tthvo]

Looks great! From some readings, I did manual runs on Openshift 4.11.1 & 4.10.18 and Minikube 1.26.0. It worked well! I just have a couple questions:

1. Our sample apps seem not to deployed in restricted-v2 (got an alert for violation but still allowed). I think the recipe still works because I logged in as kubeadmin. Maybe we could specify some field with oc new-app and update demo images?
2. For our custom scorecard tests, we create a namespace. I wonder if we should also test in a namespace which enforce restricted PSA? (not sure I understand the context right)
3. Maybe we could start testing our Cryostat CR in scorecard too to check if pods are admitted?

[tthvo]

I believe the security context set here for cryostat containers are default and will be overwritted from CR spec as in #446 ?

[ebaron]

Looks great! From some readings, I did manual runs on Openshift 4.11.1 & 4.10.18 and Minikube 1.26.0. It worked well! I just have a couple questions:

Did this work on 4.10.18? I expected the operator deployment would not be accepted because of the seccompProfile field.

1. Our sample apps seem not to deployed in `restricted-v2` (got an alert for violation but still allowed). I think the recipe still works because I logged in as kubeadmin. Maybe we could specify some field with `oc new-app` and update demo images?

I'm not sure if there's any parameters we could set for this in new-app. Another solution would be to add the deployment and service YAML manifests to our repo, and create them with $(CLUSTER_CLIENT) create -f. This would also avoid the dependency on oc instead of kubectl.

2. For our custom scorecard tests, we create a namespace. I wonder if we should also test in a namespace which enforce `restricted` PSA? (not sure I understand the context right)

That seems like a good idea. We should do that once operator-framework/operator-sdk#5939 is fixed.

3. Maybe we could start testing our Cryostat CR in scorecard too to check if pods are admitted?

Yes absolutely. The next scorecard test I want to write is one that creates the Cryostat CR and ensures that Cryostat starts properly.

[ebaron]

I believe the security context set here for cryostat containers are default and will be overwritted from CR spec as in #446 ?

That's right.

[ebaron]

@tthvo I created 3 new issues for each point in #450 (comment)

[tthvo]

@tthvo I created 3 new issues for each point in #450 (comment)

Great! I am excited to work on those :D

Did this work on 4.10.18? I expected the operator deployment would not be accepted because of the seccompProfile field.

Hmm right! I totally forgot that. Interestingly, Operator pod is actually admitted and launched in 4.10.18 with seccompProfile set.

[tthvo]

Hmm right! I totally forgot that. Interestingly, Operator pod is actually admitted and launched in 4.10.18 with seccompProfile set.

Editted: The default namespace should not used as SCC does not apply. Worked as expected on 4.10.18! Thanks for pointing me to this :D

https://docs.openshift.com/container-platform/4.11/authentication/managing-security-context-constraints.html#role-based-access-to-ssc_configuring-internal-oauth

[tthvo]

Looks great to me! Worked as expected :D