secureCodeBox#2939 Add configurable seccompProfile for lurker

Signed-off-by: Samreet Singh <samreet.singh@iteratec.com>

Author: Reet00

operator/controllers/execution/scans/scan_reconciler.go

@@ -288,6 +288,27 @@ func (r *ScanReconciler) constructJobForScan(scan *executionv1.Scan, scanTypeSpe
 		return nil, fmt.Errorf("unknown imagePull Policy for lurker: %s", lurkerPullPolicyRaw)
 	}
 
+	seccompProfileRaw := os.Getenv("LURKER_SECCOMP_PROFILE")
+	var seccompProfile corev1.SeccompProfile
+	switch seccompProfileRaw {
+	case "Localhost":
+		seccompProfile = corev1.SeccompProfile{
+			Type: corev1.SeccompProfileTypeLocalhost,}
+	case "RuntimeDefault":
+		seccompProfile = corev1.SeccompProfile{
+			Type: corev1.SeccompProfileTypeRuntimeDefault,}
+	case "Unconfined": 
+		seccompProfile = corev1.SeccompProfile{
+			Type: corev1.SeccompProfileTypeUnconfined,}
+	case "":
+		seccompProfile = corev1.SeccompProfile{
+			Type: corev1.SeccompProfileTypeRuntimeDefault,
+		}
+	default:
+		return nil, fmt.Errorf("unknown seccompProfile for lurker: %s", seccompProfileRaw)
+	}
+
+	r.Log.Info("Using Lurker Image", "seccompProfile", seccompProfileRaw)
 	falsePointer := false
 	truePointer := true
 
@@ -338,6 +359,9 @@ func (r *ScanReconciler) constructJobForScan(scan *executionv1.Scan, scanTypeSpe
 			Capabilities: &corev1.Capabilities{
 				Drop: []corev1.Capability{"ALL"},
 			},
+			SeccompProfile: &corev1.SeccompProfile{
+				Type: seccompProfile.Type,
+			},
 		},
 	}
 

operator/templates/manager/manager.yaml

@@ -123,6 +123,8 @@ spec:
               value: "{{ .Values.lurker.image.repository }}:{{ .Values.lurker.image.tag | default .Chart.Version }}"
             - name: LURKER_PULL_POLICY
               value: {{ .Values.lurker.image.pullPolicy }}
+            - name: LURKER_SECCOMP_PROFILE
+              value: {{ .Values.securityContext.seccompProfile.type }}
             {{- if .Values.customCACertificate.existingCertificate }}
             - name: CUSTOM_CA_CERTIFICATE_EXISTING_CERTIFICATE
               value: {{ .Values.customCACertificate.existingCertificate | quote }}

operator/tests/__snapshot__/operator_test.yaml.snap

@@ -68,6 +68,8 @@ matches the snapshot:
                   value: docker.io/securecodebox/lurker:0.0.0
                 - name: LURKER_PULL_POLICY
                   value: IfNotPresent
+                - name: LURKER_SECCOMP_PROFILE
+                  value: Unconfined
                 - name: CUSTOM_CA_CERTIFICATE_EXISTING_CERTIFICATE
                   value: foo
                 - name: CUSTOM_CA_CERTIFICATE_NAME
@@ -115,6 +117,8 @@ matches the snapshot:
                 privileged: false
                 readOnlyRootFilesystem: true
                 runAsNonRoot: true
+                seccompProfile:
+                  type: Unconfined
               volumeMounts:
                 - mountPath: /etc/ssl/certs/public.crt
                   name: ca-certificate
@@ -645,6 +649,8 @@ properly-renders-the-service-monitor-when-enabled:
                   value: docker.io/securecodebox/lurker:0.0.0
                 - name: LURKER_PULL_POLICY
                   value: IfNotPresent
+                - name: LURKER_SECCOMP_PROFILE
+                  value: Unconfined
                 - name: CUSTOM_CA_CERTIFICATE_EXISTING_CERTIFICATE
                   value: foo
                 - name: CUSTOM_CA_CERTIFICATE_NAME
@@ -692,6 +698,8 @@ properly-renders-the-service-monitor-when-enabled:
                 privileged: false
                 readOnlyRootFilesystem: true
                 runAsNonRoot: true
+                seccompProfile:
+                  type: Unconfined
               volumeMounts:
                 - mountPath: /etc/ssl/certs/public.crt
                   name: ca-certificate

operator/values.yaml

@@ -51,6 +51,9 @@ securityContext:
     drop:
       # securityContext.capabilities.drop[0] -- This drops all linux privileges from the operator container. They are not required
       - ALL
+  seccompProfile:
+    # securityContext.seccompProfile.type -- one of RuntimeDefault, Unconfined, Localhost
+    type: Unconfined
 
 # -- Sets the securityContext on the operators pod level. See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
 podSecurityContext: {}