[release-1.11] fix securityContext for Knative Service Pod (user-container and queue-proxy) (#14378)

* add seccompProfile to queue container security context

* run as non root by default

* update tests to expect new default run as nonroot

---------

Co-authored-by: Clay Kauzlaric <[email protected]>

Author: knative-prow-robot

pkg/apis/serving/v1/revision_defaults.go

@@ -208,6 +208,10 @@ func (rs *RevisionSpec) defaultSecurityContext(psc *corev1.PodSecurityContext, c
 		}
 	}
 
+	if psc.RunAsNonRoot == nil {
+		updatedSC.RunAsNonRoot = ptr.Bool(true)
+	}
+
 	if *updatedSC != (corev1.SecurityContext{}) {
 		container.SecurityContext = updatedSC
 	}

pkg/apis/serving/v1/revision_defaults_test.go

@@ -900,6 +900,7 @@ func TestRevisionDefaulting(t *testing.T) {
 						ReadinessProbe: defaultProbe,
 						Resources:      defaultResources,
 						SecurityContext: &corev1.SecurityContext{
+							RunAsNonRoot:             ptr.Bool(true),
 							AllowPrivilegeEscalation: ptr.Bool(false),
 							SeccompProfile: &corev1.SeccompProfile{
 								Type: corev1.SeccompProfileTypeRuntimeDefault,
@@ -913,6 +914,7 @@ func TestRevisionDefaulting(t *testing.T) {
 						Name:      "sidecar",
 						Resources: defaultResources,
 						SecurityContext: &corev1.SecurityContext{
+							RunAsNonRoot:             ptr.Bool(true),
 							AllowPrivilegeEscalation: ptr.Bool(false),
 							SeccompProfile: &corev1.SeccompProfile{
 								Type: corev1.SeccompProfileTypeRuntimeDefault,
@@ -925,6 +927,7 @@ func TestRevisionDefaulting(t *testing.T) {
 						Name:      "special-sidecar",
 						Resources: defaultResources,
 						SecurityContext: &corev1.SecurityContext{
+							RunAsNonRoot:             ptr.Bool(true),
 							AllowPrivilegeEscalation: ptr.Bool(true),
 							SeccompProfile: &corev1.SeccompProfile{
 								Type: corev1.SeccompProfileTypeRuntimeDefault,
@@ -938,6 +941,7 @@ func TestRevisionDefaulting(t *testing.T) {
 					InitContainers: []corev1.Container{{
 						Name: "special-init",
 						SecurityContext: &corev1.SecurityContext{
+							RunAsNonRoot:             ptr.Bool(true),
 							AllowPrivilegeEscalation: ptr.Bool(true),
 							SeccompProfile: &corev1.SeccompProfile{
 								Type:             corev1.SeccompProfileTypeLocalhost,
@@ -1000,6 +1004,7 @@ func TestRevisionDefaulting(t *testing.T) {
 						ReadinessProbe: defaultProbe,
 						Resources:      defaultResources,
 						SecurityContext: &corev1.SecurityContext{
+							RunAsNonRoot:             ptr.Bool(true),
 							AllowPrivilegeEscalation: ptr.Bool(false),
 							Capabilities: &corev1.Capabilities{
 								Drop: []corev1.Capability{"ALL"},
@@ -1009,6 +1014,7 @@ func TestRevisionDefaulting(t *testing.T) {
 					InitContainers: []corev1.Container{{
 						Name: "init",
 						SecurityContext: &corev1.SecurityContext{
+							RunAsNonRoot:             ptr.Bool(true),
 							AllowPrivilegeEscalation: ptr.Bool(false),
 							Capabilities: &corev1.Capabilities{
 								Drop: []corev1.Capability{"ALL"},

pkg/reconciler/revision/resources/queue.go

@@ -86,6 +86,9 @@ var (
 		Capabilities: &corev1.Capabilities{
 			Drop: []corev1.Capability{"ALL"},
 		},
+		SeccompProfile: &corev1.SeccompProfile{
+			Type: corev1.SeccompProfileTypeRuntimeDefault,
+		},
 	}
 )