Update securityContexts for pods

* Device-plugin does not need to mount /dev anymore.
* Set USER in Dockerfile.rtl-sdr
* Set securityContext for spawned rtl-sdr pod with:
  - runAsNonRoot: true
  - readOnlyRootFilesystem: true
  - runAsUser: 65532

Signed-off-by: Fredrik Lönnegren <[email protected]>

Author: frelon

Dockerfile.rtl-sdr

@@ -5,4 +5,5 @@ RUN mkdir /sysroot && \
     zypper --non-interactive --installroot /sysroot install -y rtl-sdr
 
 FROM scratch AS final
+USER 65532:65532
 COPY --from=build /sysroot /

config/device-plugin/device-plugin.yaml

@@ -37,14 +37,9 @@ spec:
         volumeMounts:
         - name: dp
           mountPath: /var/lib/kubelet/device-plugins
-        - name: dev
-          mountPath: /dev
       serviceAccountName: device-plugin
       terminationGracePeriodSeconds: 10
       volumes:
         - name: dp
           hostPath:
             path: /var/lib/kubelet/device-plugins
-        - name: dev
-          hostPath:
-            path: /dev

internal/controller/rtlsdrreceiver_controller.go

@@ -127,6 +127,9 @@ func (r *RtlSdrReceiverReconciler) createPod(ctx context.Context, receiver *radi
 
 	args = append(args, "-p", strconv.Itoa(listenPort))
 
+	t := true
+	userID := int64(65532)
+
 	pod.Name = receiver.Name
 	pod.Namespace = receiver.Namespace
 	pod.Spec = corev1.PodSpec{
@@ -142,6 +145,11 @@ func (r *RtlSdrReceiverReconciler) createPod(ctx context.Context, receiver *radi
 						RtlSdrResourceName: *resource.NewQuantity(1, resource.DecimalSI),
 					},
 				},
+				SecurityContext: &corev1.SecurityContext{
+					RunAsNonRoot:           &t,
+					ReadOnlyRootFilesystem: &t,
+					RunAsUser:              &userID,
+				},
 			},
 		},
 	}