From f118a887e56c3baffb5bb729d4d33fddba171f49 Mon Sep 17 00:00:00 2001
From: Keita Mochizuki <37737691+mochizuki875@users.noreply.github.com>
Date: Wed, 24 May 2023 20:16:49 +0900
Subject: [PATCH] Fix: Restricted profile comply with PSS (#117543)

* restricted profile comply with PSA v1.27
* add test case
* Reflect review comments
* Reflect review comments 2
* Reflect review comments 3

Kubernetes-commit: 0813904404034fd760d8e7e1e3ca5444610a7fa8
---
 pkg/cmd/debug/debug_test.go | 8 +++++++-
 pkg/cmd/debug/profiles.go | 30 ++++++++++++++++++++++++++++++
 pkg/cmd/debug/profiles_test.go | 8 ++++++++
 3 files changed, 45 insertions(+), 1 deletion(-)

diff --git a/pkg/cmd/debug/debug_test.go b/pkg/cmd/debug/debug_test.go
index 8d92dc772..3febf5210 100644
--- a/pkg/cmd/debug/debug_test.go
+++ b/pkg/cmd/debug/debug_test.go
@@ -289,6 +289,8 @@ func TestGenerateDebugContainer(t *testing.T) {
 Capabilities: &corev1.Capabilities{
 Drop: []corev1.Capability{"ALL"},
 },
+ AllowPrivilegeEscalation: pointer.Bool(false),
+ SeccompProfile: &corev1.SeccompProfile{Type: "RuntimeDefault"},
 },
 },
 },
@@ -1274,10 +1276,12 @@ func TestGeneratePodCopyWithDebugContainer(t *testing.T) {
 Image: "busybox",
 ImagePullPolicy: corev1.PullIfNotPresent,
 SecurityContext: &corev1.SecurityContext{
+ RunAsNonRoot: pointer.Bool(true),
 Capabilities: &corev1.Capabilities{
 Drop: []corev1.Capability{"ALL"},
 },
- RunAsNonRoot: pointer.Bool(true),
+ AllowPrivilegeEscalation: pointer.Bool(false),
+ SeccompProfile: &corev1.SeccompProfile{Type: "RuntimeDefault"},
 },
 },
 },
@@ -1646,6 +1650,8 @@ func TestGenerateNodeDebugPod(t *testing.T) {
 Capabilities: &corev1.Capabilities{
 Drop: []corev1.Capability{"ALL"},
 },
+ AllowPrivilegeEscalation: pointer.Bool(false),
+ SeccompProfile: &corev1.SeccompProfile{Type: "RuntimeDefault"},
 },
 },
 },
diff --git a/pkg/cmd/debug/profiles.go b/pkg/cmd/debug/profiles.go
index 3684478d5..656f92bf8 100644
--- a/pkg/cmd/debug/profiles.go
+++ b/pkg/cmd/debug/profiles.go
@@ -176,6 +176,8 @@ func (p *restrictedProfile) Apply(pod *corev1.Pod, containerName string, target
 clearSecurityContext(pod, containerName)
 disallowRoot(pod, containerName)
 dropCapabilities(pod, containerName)
+ disallowPrivilegeEscalation(pod, containerName)
+ setSeccompProfile(pod, containerName)
 
 switch style {
 case podCopy:
@@ -343,3 +345,31 @@ func addCapability(c *corev1.Container, capability corev1.Capability) {
 }
 c.SecurityContext.Capabilities.Add = append(c.SecurityContext.Capabilities.Add, capability)
 }
+
+// disallowPrivilegeEscalation configures the containers not allowed PrivilegeEscalation
+func disallowPrivilegeEscalation(p *corev1.Pod, containerName string) {
+ podutils.VisitContainers(&p.Spec, podutils.AllContainers, func(c *corev1.Container, _ podutils.ContainerType) bool {
+ if c.Name != containerName {
+ return true
+ }
+ if c.SecurityContext == nil {
+ c.SecurityContext = &corev1.SecurityContext{}
+ }
+ c.SecurityContext.AllowPrivilegeEscalation = pointer.Bool(false)
+ return false
+ })
+}
+
+// setSeccompProfile apply SeccompProfile to the containers
+func setSeccompProfile(p *corev1.Pod, containerName string) {
+ podutils.VisitContainers(&p.Spec, podutils.AllContainers, func(c *corev1.Container, _ podutils.ContainerType) bool {
+ if c.Name != containerName {
+ return true
+ }
+ if c.SecurityContext == nil {
+ c.SecurityContext = &corev1.SecurityContext{}
+ }
+ c.SecurityContext.SeccompProfile = &corev1.SeccompProfile{Type: "RuntimeDefault"}
+ return false
+ })
+}
diff --git a/pkg/cmd/debug/profiles_test.go b/pkg/cmd/debug/profiles_test.go
index a397fa272..fa45f5105 100644
--- a/pkg/cmd/debug/profiles_test.go
+++ b/pkg/cmd/debug/profiles_test.go
@@ -347,6 +347,8 @@ func TestRestrictedProfile(t *testing.T) {
 Capabilities: &corev1.Capabilities{
 Drop: []corev1.Capability{"ALL"},
 },
+ AllowPrivilegeEscalation: pointer.Bool(false),
+ SeccompProfile: &corev1.SeccompProfile{Type: "RuntimeDefault"},
 },
 },
 },
@@ -386,6 +388,8 @@ func TestRestrictedProfile(t *testing.T) {
 Capabilities: &corev1.Capabilities{
 Drop: []corev1.Capability{"ALL"},
 },
+ AllowPrivilegeEscalation: pointer.Bool(false),
+ SeccompProfile: &corev1.SeccompProfile{Type: "RuntimeDefault"},
 },
 },
 },
@@ -404,6 +408,8 @@ func TestRestrictedProfile(t *testing.T) {
 Capabilities: &corev1.Capabilities{
 Add: []corev1.Capability{"ALL"},
 },
+ AllowPrivilegeEscalation: pointer.Bool(false),
+ SeccompProfile: &corev1.SeccompProfile{Type: "RuntimeDefault"},
 },
 },
 },
@@ -423,6 +429,8 @@ func TestRestrictedProfile(t *testing.T) {
 Capabilities: &corev1.Capabilities{
 Drop: []corev1.Capability{"ALL"},
 },
+ AllowPrivilegeEscalation: pointer.Bool(false),
+ SeccompProfile: &corev1.SeccompProfile{Type: "RuntimeDefault"},
 },
 },
 },