security: set sticky bits on world-writable directories (#5971)

Signed-off-by: zhangzujian <zhangzujian.7@gmail.com>

Author: zhangzujian

charts/kube-ovn-v2/templates/agent/agent-daemonset.yaml

@@ -55,7 +55,9 @@ spec:
         command:
           - sh
           - -xec
-          - iptables -V
+          - |
+            chmod +t /usr/local/sbin
+            iptables -V
         securityContext:
           allowPrivilegeEscalation: true
           capabilities:

charts/kube-ovn-v2/templates/ovs-ovn/ovs-ovn-daemonset.yaml

@@ -61,6 +61,7 @@ spec:
             - sh
             - -xec
             - |
+              chmod +t /usr/local/sbin
               chown -R nobody: /var/run/ovn /var/log/ovn /etc/openvswitch /var/run/openvswitch /var/log/openvswitch
               iptables -V
               {{- if not .Values.ovsOvn.disableModulesManagement }}

charts/kube-ovn/templates/ovncni-ds.yaml

@@ -39,7 +39,9 @@ spec:
         command:
           - sh
           - -xec
-          - iptables -V
+          - |
+            chmod +t /usr/local/sbin
+            iptables -V
         securityContext:
           allowPrivilegeEscalation: true
           capabilities:

charts/kube-ovn/templates/ovsovn-ds.yaml

@@ -48,6 +48,7 @@ spec:
             - sh
             - -xec
             - |
+              chmod +t /usr/local/sbin
               chown -R nobody: /var/run/ovn /var/log/ovn /etc/openvswitch /var/run/openvswitch /var/log/openvswitch
               iptables -V
               {{- if not .Values.DISABLE_MODULES_MANAGEMENT }}

dist/images/install.sh

@@ -4300,6 +4300,7 @@ spec:
             - sh
             - -xec
             - |
+              chmod +t /usr/local/sbin
               chown -R nobody: /var/run/ovn /var/log/ovn /etc/openvswitch /var/run/openvswitch /var/log/openvswitch
               iptables -V
               /usr/share/openvswitch/scripts/ovs-ctl load-kmod
@@ -4902,7 +4903,9 @@ spec:
         command:
           - sh
           - -xec
-          - iptables -V
+          - |
+            chmod +t /usr/local/sbin
+            iptables -V
         securityContext:
           allowPrivilegeEscalation: true
           capabilities:

pkg/controller/vpc_egress_gateway.go

@@ -463,8 +463,12 @@ func (c *Controller) reconcileVpcEgressGatewayWorkload(gw *kubeovnv1.VpcEgressGa
 						Name:            "init",
 						Image:           image,
 						ImagePullPolicy: corev1.PullIfNotPresent,
-						Command:         []string{"bash", "/kube-ovn/init-vpc-egress-gateway.sh"},
-						Env:             initEnv,
+						Command: []string{
+							"bash",
+							"-exc",
+							"chmod +t /usr/local/sbin && bash /kube-ovn/init-vpc-egress-gateway.sh",
+						},
+						Env: initEnv,
 						SecurityContext: &corev1.SecurityContext{
 							Privileged: ptr.To(true),
 						},
@@ -491,6 +495,11 @@ func (c *Controller) reconcileVpcEgressGatewayWorkload(gw *kubeovnv1.VpcEgressGa
 							MountPath: "/usr/local/sbin",
 						}},
 					}},
+					SecurityContext: &corev1.PodSecurityContext{
+						SeccompProfile: &corev1.SeccompProfile{
+							Type: corev1.SeccompProfileTypeRuntimeDefault,
+						},
+					},
 					Volumes: []corev1.Volume{{
 						Name: "usr-local-sbin",
 						VolumeSource: corev1.VolumeSource{