make operator run as non root

ggkhrmv · ggkhrmv · commit 22cd5f51b8ba · 2024-11-14T20:35:00.000Z
Signed-off-by: Georgy Khromov &lt;gg.khrmv@gmail.com&gt;
diff --git a/api/v1alpha1/argocdrolebinding_types.go b/api/v1alpha1/argocdrolebinding_types.go
@@ -29,15 +29,16 @@ type ArgoCDRoleBindingSpec struct {
 	ArgoCDRoleRef ArgoCDRoleRef `json:"argocdRoleRef"`
 }
 
-// Kind of the subject (sso, local).
+// Subject defines the subject being bound to ArgoCDRole.
 type Subject struct {
 	// +kubebuilder:validation:Enum=sso;local;role
+	// Kind of the subject (sso, local or role).
 	Kind string `json:"kind"`
 	// Name of the subject. If Kind is "role", it shouldn't start with "role:"
 	Name string `json:"name"`
 }
 
-// argocdRoleRef defines the reference to the role being granted.
+// ArgocdRoleRef defines the reference to the role being granted.
 type ArgoCDRoleRef struct {
 	// Name of the ArgoCDRole. Should not start with "role:"
 	Name string `json:"name"`
diff --git a/config/crd/bases/rbac-operator.argoproj-labs.io_argocdrolebindings.yaml b/config/crd/bases/rbac-operator.argoproj-labs.io_argocdrolebindings.yaml
@@ -40,8 +40,8 @@ spec:
             description: ArgoCDRoleBindingSpec defines the desired state of ArgoCDRoleBinding
             properties:
               argocdRoleRef:
-                description: |- 
-                  argocdRoleRef defines the reference to the role being granted.
+                description: ArgocdRoleRef defines the reference to the role being
+                  granted.
                 properties:
                   name:
                     description: Name of the ArgoCDRole. Should not start with "role:"
@@ -52,9 +52,10 @@ spec:
               subjects:
                 description: List of subjects being bound to ArgoCDRole (argocdRoleRef).
                 items:
+                  description: Subject defines the subject being bound to ArgoCDRole.
                   properties:
                     kind:
-                      description: Kind of the subject (sso, local).
+                      description: Kind of the subject (sso, local or role).
                       enum:
                       - sso
                       - local
diff --git a/config/crd/bases/rbac-operator.argoproj-labs.io_argocdroles.yaml b/config/crd/bases/rbac-operator.argoproj-labs.io_argocdroles.yaml
@@ -40,12 +40,12 @@ spec:
             description: ArgoCDRoleSpec defines the desired state of Role
             properties:
               rules:
-                description: Rules define the desired set of permissions.
                 items:
+                  description: Rules define the desired set of permissions.
                   properties:
                     objects:
-                      description: |-
-                        List of resource's objects the permissions are granted for.
+                      description: List of resource's objects the permissions are
+                        granted for.
                       items:
                         type: string
                       type: array
@@ -65,8 +65,8 @@ spec:
                       - extensions
                       type: string
                     verbs:
-                      description: |-
-                        Verbs define the operations that are being performed on the resource.
+                      description: Verbs define the operations that are being performed
+                        on the resource.
                       items:
                         type: string
                       type: array
@@ -83,8 +83,8 @@ spec:
             description: ArgoCDRoleStatus defines the observed state of Role
             properties:
               argocdRoleBindingRef:
-                description: |-
-                  argocdRoleBindingRef defines the reference to the ArgoCDRoleBinding Resource.
+                description: argocdRoleBindingRef defines the reference to the ArgoCDRoleBinding
+                  Resource.
                 type: string
               conditions:
                 description: Conditions defines the list of conditions.
diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml
@@ -4,5 +4,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 images:
 - name: controller
-  newName: controller
-  newTag: latest
+  newName: quay.io/argoprojlabs/argocd-rbac-operator
+  newTag: v0.1.2
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
@@ -62,10 +62,14 @@ spec:
         image: controller:latest
         name: manager
         securityContext:
-          allowPrivilegeEscalation: false
           capabilities:
-            drop:
-            - "ALL"
+             drop:
+             - ALL
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true 
+          runAsNonRoot: true
+          seccompProfile:
+            type: RuntimeDefault
         livenessProbe:
           httpGet:
             path: /healthz
