Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add securityContext definitions on container level #1673

Closed
wants to merge 4 commits into from

Conversation

rgarcia89
Copy link
Contributor

Deployment hardening by adding / updating the securityContext definitions on container level.

@Vad1mo
Copy link
Member

Vad1mo commented Jan 3, 2024

what are the default settings, if this is not set?

The reason I am asking is the implications of this change to backwards compatibility

@rgarcia89
Copy link
Contributor Author

@Vad1mo default values are as followed on container level:

privileged is false per default
allowPrivilegeEscalation is false if privileged is set to false
capabilties defaults to the set of capabilities granted by the container runtime

@Kajot-dev
Copy link
Contributor

Having that would partially solve the problem of non-compliance with restricted PodSecurityStandard, since it requires seccompProfile definition (see https://kubernetes.io/docs/concepts/security/pod-security-standards/#privileged) in 1.19+.
Could seccompProfile be added for k8s 1.19+ (using helm Capabilities)?

@Kajot-dev
Copy link
Contributor

@rgarcia89 initContainers also should have these and container from core-pre-upgrade-job.yaml should also have that.

If these changes would get merged (with seccompProfile and missing containers/initContainers) If seccompProfile I would favour this PR over my #1666, since all containers would comply with the most restrictive k8s security standard.

@rgarcia89
Copy link
Contributor Author

@Kajot-dev valid point. I will add the seccompProfile and also add the securityContext definition to the initContainers and the once I missed.

Signed-off-by: Raul Garcia Sanchez <[email protected]>
Signed-off-by: Raul Garcia Sanchez <[email protected]>
@Kajot-dev
Copy link
Contributor

@rgarcia89 Thanks, looks nice!

@rgarcia89
Copy link
Contributor Author

Perfect, so we only need to find a second reviewer.
Maybe @zyyw?

@MinerYang MinerYang self-requested a review January 15, 2024 03:26
@Vad1mo Vad1mo requested review from ywk253100 and zyyw January 17, 2024 12:08
@MinerYang
Copy link
Collaborator

MinerYang commented Jan 25, 2024

#456
Thanks @rgarcia89 for your contribution !
We are in review of this PR. Will merge it once it done

@Kajot-dev
Copy link
Contributor

Kajot-dev commented Feb 2, 2024

@rgarcia89 Would it be possible to add runAsNonRoot to securityContext one the pod scope since

@rgarcia89
Copy link
Contributor Author

@Kajot-dev sure - I just added them.

@MinerYang
Copy link
Collaborator

MinerYang commented Feb 6, 2024

Hi @rgarcia89 , @Kajot-dev

Thanks for both of your contributions on the PSP and security contexts. By reviewing both of pt-1763 and pr1666, I have a few thoughts combined with some of our downstream usage scenario:

  • how about we still expose a containerSecurityContext like @Kajot-dev provided in his PR. But not set for every container respectively, instead using only one settings for all containers in values.yaml, e.g. Values.containerSecurityContext
  • and for this containerSecurityContext settings, we have default values same in these two PRs to comply with PSP

I made a sample PR https://github.com/goharbor/harbor-helm/pull/1695/files for more details
How about we focus on this PR and I will close the other instead(#1666).

@rgarcia89
Copy link
Contributor Author

@MinerYang imho, I'm fine with both approaches. I'm fine with making them configurable through the values file, just as much as hardcoding them into the specific YAMLs. I opted for the latter initially, believing there isn't much reason for anyone to modify them. Nevertheless, if you prefer them to be modifiable, I propose we close my PR and proceed with yours. My main goal is to ensure that we integrate this into the Helm chart, regardless of the method ;)

@MinerYang
Copy link
Collaborator

MinerYang commented Feb 6, 2024

Thanks @rgarcia89 .
for now I think what we hard coding in the PR is enough for most of the cluster providers. But I still keep it as configurable in case of Kubernetes evolve these standards in the future and also make it more flexible.

@MinerYang
Copy link
Collaborator

Thanks @rgarcia89 !

Will close this PR and please help to review #1695 as we discussed.

@MinerYang MinerYang closed this Feb 21, 2024
@MinerYang MinerYang mentioned this pull request Feb 21, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants