Enhance security context in deployment configurations by adding user and group settings, seccomp profiles, and disabling privilege escalation. Remove unnecessary logging flag from deployment arguments. Implement environment variable support for enabling Gateway API in main application logic.

Author: rajsinghtech

charts/homer-operator/templates/deployment.yaml

@@ -85,7 +85,6 @@ spec:
         args:
         - --secure-listen-address=0.0.0.0:8443
         - --upstream=http://127.0.0.1:8080/
-        - --logtostderr=true
         - --v=0
         ports:
         - containerPort: 8443

cmd/main.go

@@ -20,6 +20,7 @@ import (
 	"crypto/tls"
 	"flag"
 	"os"
+	"strconv"
 
 	// Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.)
 	// to ensure that exec-entrypoint and run can make use of them.
@@ -77,6 +78,13 @@ func main() {
 	opts.BindFlags(flag.CommandLine)
 	flag.Parse()
 
+	// Override enableGatewayAPI from environment variable if set
+	if envGateway := os.Getenv("ENABLE_GATEWAY_API"); envGateway != "" {
+		if parsed, err := strconv.ParseBool(envGateway); err == nil {
+			enableGatewayAPI = parsed
+		}
+	}
+
 	ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts)))
 
 	// if the enable-http2 flag is false (the default), http/2 should be disabled
@@ -143,13 +151,16 @@ func main() {
 		os.Exit(1)
 	}
 	if enableGatewayAPI {
+		setupLog.Info("Gateway API support enabled, setting up HTTPRoute controller")
 		if err = (&controller.HTTPRouteReconciler{
 			Client: mgr.GetClient(),
 			Scheme: mgr.GetScheme(),
 		}).SetupWithManager(mgr); err != nil {
 			setupLog.Error(err, "unable to create controller", "controller", "HTTPRoute")
 			os.Exit(1)
 		}
+	} else {
+		setupLog.Info("Gateway API support disabled")
 	}
 	//+kubebuilder:scaffold:builder
 

pkg/homer/config.go

@@ -273,6 +273,15 @@ func CreateDeployment(name string, namespace string, replicas *int32, owner clie
 					},
 				},
 				Spec: corev1.PodSpec{
+					SecurityContext: &corev1.PodSecurityContext{
+						RunAsNonRoot: &[]bool{true}[0],
+						RunAsUser:    &[]int64{1000}[0],
+						RunAsGroup:   &[]int64{1000}[0],
+						FSGroup:      &[]int64{1000}[0],
+						SeccompProfile: &corev1.SeccompProfile{
+							Type: corev1.SeccompProfileTypeRuntimeDefault,
+						},
+					},
 					InitContainers: []corev1.Container{
 						{
 							Name:  "init-assets",
@@ -282,6 +291,18 @@ func CreateDeployment(name string, namespace string, replicas *int32, owner clie
 								"-c",
 								"cp /config/config.yml /www/assets/config.yml && chown -R 1000:1000 /www/assets && chmod -R 755 /www/assets",
 							},
+							SecurityContext: &corev1.SecurityContext{
+								AllowPrivilegeEscalation: &[]bool{false}[0],
+								RunAsNonRoot:             &[]bool{true}[0],
+								RunAsUser:                &[]int64{1000}[0],
+								RunAsGroup:               &[]int64{1000}[0],
+								Capabilities: &corev1.Capabilities{
+									Drop: []corev1.Capability{"ALL"},
+								},
+								SeccompProfile: &corev1.SeccompProfile{
+									Type: corev1.SeccompProfileTypeRuntimeDefault,
+								},
+							},
 							VolumeMounts: []corev1.VolumeMount{
 								{
 									Name:      "config-volume",
@@ -298,6 +319,18 @@ func CreateDeployment(name string, namespace string, replicas *int32, owner clie
 						{
 							Name:  name,
 							Image: image,
+							SecurityContext: &corev1.SecurityContext{
+								AllowPrivilegeEscalation: &[]bool{false}[0],
+								RunAsNonRoot:             &[]bool{true}[0],
+								RunAsUser:                &[]int64{1000}[0],
+								RunAsGroup:               &[]int64{1000}[0],
+								Capabilities: &corev1.Capabilities{
+									Drop: []corev1.Capability{"ALL"},
+								},
+								SeccompProfile: &corev1.SeccompProfile{
+									Type: corev1.SeccompProfileTypeRuntimeDefault,
+								},
+							},
 							VolumeMounts: []corev1.VolumeMount{
 								{
 									Name:      "assets-volume",
@@ -585,6 +618,15 @@ func CreateDeploymentWithAssets(name string, namespace string, replicas *int32,
 					},
 				},
 				Spec: corev1.PodSpec{
+					SecurityContext: &corev1.PodSecurityContext{
+						RunAsNonRoot: &[]bool{true}[0],
+						RunAsUser:    &[]int64{1000}[0],
+						RunAsGroup:   &[]int64{1000}[0],
+						FSGroup:      &[]int64{1000}[0],
+						SeccompProfile: &corev1.SeccompProfile{
+							Type: corev1.SeccompProfileTypeRuntimeDefault,
+						},
+					},
 					InitContainers: []corev1.Container{
 						{
 							Name:  "init-assets",
@@ -594,13 +636,37 @@ func CreateDeploymentWithAssets(name string, namespace string, replicas *int32,
 								"-c",
 								initCommand,
 							},
+							SecurityContext: &corev1.SecurityContext{
+								AllowPrivilegeEscalation: &[]bool{false}[0],
+								RunAsNonRoot:             &[]bool{true}[0],
+								RunAsUser:                &[]int64{1000}[0],
+								RunAsGroup:               &[]int64{1000}[0],
+								Capabilities: &corev1.Capabilities{
+									Drop: []corev1.Capability{"ALL"},
+								},
+								SeccompProfile: &corev1.SeccompProfile{
+									Type: corev1.SeccompProfileTypeRuntimeDefault,
+								},
+							},
 							VolumeMounts: initVolumeMounts,
 						},
 					},
 					Containers: []corev1.Container{
 						{
 							Name:  name,
 							Image: image,
+							SecurityContext: &corev1.SecurityContext{
+								AllowPrivilegeEscalation: &[]bool{false}[0],
+								RunAsNonRoot:             &[]bool{true}[0],
+								RunAsUser:                &[]int64{1000}[0],
+								RunAsGroup:               &[]int64{1000}[0],
+								Capabilities: &corev1.Capabilities{
+									Drop: []corev1.Capability{"ALL"},
+								},
+								SeccompProfile: &corev1.SeccompProfile{
+									Type: corev1.SeccompProfileTypeRuntimeDefault,
+								},
+							},
 							VolumeMounts: []corev1.VolumeMount{
 								{
 									Name:      "assets-volume",