
fix: codecov non-root-v2 SCC, pod security (#268)
Add nonroot-v2 SCC and fix pod security for restricted-v2 compatibility Codecov images require specific non-root UIDs to access their own files. * Grant nonroot-v2 SCC to the default service account and set runAsUser per container (1001 for api/worker, 1000 for frontend). * Add gateway initContainer to copy haproxy config to a writable emptyDir. Tested and validated on a public cluster with restricted-v2. Assisted-by: Cursor
1 parent 23745ef commit 1720be0

3 files changed

Lines changed: 53 additions & 8 deletions


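--- a/components/codecov/base/rbac/kustomization.yaml
+++ b/components/codecov/base/rbac/kustomization.yaml
@@ -3,3 +3,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - konflux-devprod-admins.yaml
+- scc-nonroot-v2.yaml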
Lines changed: 13 additions & 0 deletions
@@ -0,0 +1,13 @@
1+
---
2+
apiVersion: rbac.authorization.k8s.io/v1
3+
kind: ClusterRoleBinding
4+
metadata:
5+
name: codecov-nonroot-v2
6+
roleRef:
7+
apiGroup: rbac.authorization.k8s.io
8+
kind: ClusterRole
9+
name: system:openshift:scc:nonroot-v2
10+
subjects:
11+
- kind: ServiceAccount
12+
name: default
13+
namespace: codecov
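Review bot: The `subjects` entry binds the SCC to the namespace's `default` ServiceAccount, so every pod in `codecov` that omits `serviceAccountName` — not only the four Codecov Deployments — becomes eligible for `nonroot-v2` and can request any non-root UID outside the namespace's assigned range. A dedicated ServiceAccount bound with a namespaced RoleBinding confines the grant to the workloads that need it and avoids a cluster-scoped object for a namespace-local decision; the `system:openshift:scc:<name>` ClusterRoles exist precisely so they can be granted through a RoleBinding, and the Deployments would then set `serviceAccountName: codecov` in their pod specs. If the Codecov pods do not talk to the Kubernetes API (I cannot confirm that from here), `automountServiceAccountToken: false` on that ServiceAccount removes an unused credential from each container. This file lives under `base/`, and I cannot see the overlays that consume it, so the hard-coded `namespace: codecov` would need to follow any overlay that deploys elsewhere.

```yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: codecov
  namespace: codecov
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: codecov-nonroot-v2
  namespace: codecov
# … unchanged: roleRef to ClusterRole system:openshift:scc:nonroot-v2 …
subjects:
  - kind: ServiceAccount
    name: codecov
    namespace: codecov
```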

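--- a/components/codecov/internal-staging/codecov.yaml
+++ b/components/codecov/internal-staging/codecov.yaml
@@ -21,6 +21,9 @@ spec:
 app: codecov
 component: api
 spec:
+securityContext:
+runAsUser: 1001
+runAsNonRoot: true
 containers:
 - name: api
 image: codecov/self-hosted-api:latest-calver
@@ -33,8 +36,6 @@ spec:
 limits:
 cpu: 500m
 memory: 512Mi
-securityContext:
-runAsNonRoot: true
 volumeMounts:
 - name: codecov-config
 mountPath: /config
@@ -88,6 +89,9 @@ spec:
 app: codecov
 component: worker
 spec:
+securityContext:
+runAsUser: 1001
+runAsNonRoot: true
 containers:
 - name: worker
 image: codecov/self-hosted-worker:latest-calver
@@ -101,8 +105,6 @@ spec:
 limits:
 cpu: 500m
 memory: 512Mi
-securityContext:
-runAsNonRoot: true
 volumeMounts:
 - name: codecov-config
 mountPath: /config
@@ -140,6 +142,9 @@ spec:
 app: codecov
 component: frontend
 spec:
+securityContext:
+runAsUser: 1000
+runAsNonRoot: true
 containers:
 - name: frontend
 image: codecov/self-hosted-frontend:latest-calver
@@ -152,8 +157,6 @@ spec:
 limits:
 cpu: 200m
 memory: 256Mi
-securityContext:
-runAsNonRoot: true
 env:
 - name: CODECOV_BASE_HOST
 valueFrom:
@@ -232,6 +235,24 @@ spec:
 app: codecov
 component: gateway
 spec:
+securityContext:
+runAsNonRoot: true
+initContainers:
+- name: copy-haproxy-config
+image: codecov/self-hosted-gateway:latest-calver
+command: ["sh", "-c", "cp -a /etc/haproxy/. /haproxy-config/"]
+securityContext:
+runAsNonRoot: true
+resources:
+requests:
+cpu: 10m
+memory: 32Mi
+limits:
+cpu: 100m
+memory: 64Mi
+volumeMounts:
+- name: haproxy-config
+mountPath: /haproxy-config
 containers:
 - name: gateway
 image: codecov/self-hosted-gateway:latest-calver
@@ -244,8 +265,6 @@ spec:
 limits:
 cpu: 200m
 memory: 128Mi
-securityContext:
-runAsNonRoot: true
 env:
 - name: CODECOV_GATEWAY_MINIO_ENABLED
 value: "true"
@@ -254,17 +273,29 @@ spec:
 volumeMounts:
 - name: codecov-config
 mountPath: /config
+- name: haproxy-config
+mountPath: /etc/haproxy
 - name: tmp
 mountPath: /tmp
+- name: haproxy-run
+mountPath: /var/run
+- name: haproxy-lib
+mountPath: /var/lib/haproxy
 volumes:
 - name: codecov-config
 secret:
 secretName: codecov-secrets
 items:
 - key: codecov-yml
 path: codecov.yml
+- name: haproxy-config
+emptyDir: {}
 - name: tmp
 emptyDir: {}
+- name: haproxy-run
+emptyDir: {}
+- name: haproxy-lib
+emptyDir: {}
 ---
 apiVersion: v1
 kind: Service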
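Review bot: The new pod-level `securityContext` blocks carry only `runAsUser`/`runAsNonRoot`, and the container-level fields the restricted profile also requires — `allowPrivilegeEscalation: false`, `capabilities.drop: ["ALL"]`, `seccompProfile.type: RuntimeDefault` — are set on no container, including the new `copy-haproxy-config` initContainer in the gateway hunk. On OpenShift the SCC admission plugin will mutate most of these in (both `nonroot-v2` and `restricted-v2` default them), which is presumably why the cluster test passed, but the manifest then depends on that mutation rather than declaring its own posture, and a namespace enforcing `pod-security.kubernetes.io/enforce: restricted` without SCC mutation would reject it. The gateway's new `/etc/haproxy`, `/var/run` and `/var/lib/haproxy` emptyDirs together with the existing `/tmp` look like the writable paths needed for `readOnlyRootFilesystem: true`, so that is worth enabling on the gateway and the init container (which writes only into `/haproxy-config`); for api, worker and frontend I cannot see their write paths, so add the other three fields there and verify before making the root filesystem read-only. Note also that the gateway pod sets `runAsNonRoot: true` with no `runAsUser`, so if admission selects `nonroot-v2` rather than `restricted-v2` for it, the kubelet will only start the containers when the gateway image declares a numeric `USER`; the api/worker/frontend pods avoid that dependency by pinning the UID.

```yaml
initContainers:
  - name: copy-haproxy-config
    # … unchanged: image, command, resources, volumeMounts …
    securityContext:
      runAsNonRoot: true
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop: ["ALL"]
      seccompProfile:
        type: RuntimeDefault
containers:
  - name: gateway
    # … unchanged: image, resources, env, volumeMounts …
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop: ["ALL"]
      seccompProfile:
        type: RuntimeDefault
# api, worker, frontend containers: same block minus readOnlyRootFilesystem
# until their write paths are confirmed
```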
