From e1d76e46d396cf48747285db8ccc405dd691b148 Mon Sep 17 00:00:00 2001 From: Gerald Pape Date: Tue, 16 Apr 2024 15:39:38 +0200 Subject: [PATCH] fix(deploy) increase container security Change default values to run containers with read-only file system and non-root user for both kong and postgres deployments. Signed-off-by: Gerald Pape --- .kube-linter.yaml | 4 - charts/kong/CHANGELOG.md | 2 + charts/kong/README.md | 4 +- .../admin-api-service-clusterip-values.snap | 8 +- .../__snapshots__/custom-labels-values.snap | 9 ++- .../kong/ci/__snapshots__/default-values.snap | 9 ++- .../__snapshots__/kong-ingress-1-values.snap | 9 ++- .../__snapshots__/kong-ingress-2-values.snap | 9 ++- .../__snapshots__/kong-ingress-3-values.snap | 9 ++- .../__snapshots__/kong-ingress-4-values.snap | 9 ++- .../kong-ingress-5-3.1-rbac-values.snap | 9 ++- .../proxy-appprotocol-values.snap | 9 ++- .../ci/__snapshots__/service-account.snap | 9 ++- .../single-image-default-values.snap | 9 ++- ...est-enterprise-version-3.4.0.0-values.snap | 8 +- .../kong/ci/__snapshots__/test1-values.snap | 9 ++- .../kong/ci/__snapshots__/test2-values.snap | 75 +++++++++++++++++-- .../kong/ci/__snapshots__/test3-values.snap | 8 +- .../kong/ci/__snapshots__/test4-values.snap | 8 +- .../kong/ci/__snapshots__/test5-values.snap | 75 +++++++++++++++++-- charts/kong/values.yaml | 44 +++++++++-- 21 files changed, 298 insertions(+), 37 deletions(-) diff --git a/.kube-linter.yaml b/.kube-linter.yaml index 557af853e..8708288ee 100644 --- a/.kube-linter.yaml +++ b/.kube-linter.yaml @@ -1,8 +1,4 @@ checks: exclude: - # TODO: exclude no rule - # https://github.com/Kong/charts/issues/753 - - "no-read-only-root-fs" - - "run-as-non-root" - "unset-cpu-requirements" - "unset-memory-requirements" diff --git a/charts/kong/CHANGELOG.md b/charts/kong/CHANGELOG.md index 63ded3833..025702872 100644 --- a/charts/kong/CHANGELOG.md +++ b/charts/kong/CHANGELOG.md 
@@ -11,6 +11,8 @@ for use when the external Service and container listens should differ, such as when terminating TLS at a LoadBalancer. [#1021](https://github.com/Kong/charts/pull/1021) +* Run containers with read-only file system and non-root user to increase container and pod security. + [#1057](https://github.com/Kong/charts/pull/1057) ## 2.38.0 diff --git a/charts/kong/README.md b/charts/kong/README.md index 3c5f3da05..ffa5bb3c7 100644 --- a/charts/kong/README.md +++ b/charts/kong/README.md @@ -898,11 +898,11 @@ On the Gateway release side, set either `admin.tls.client.secretName` to the nam | podDisruptionBudget.minAvailable | Represents the number of Pods that must be available (integer or percentage) | | | podSecurityPolicy.enabled | Enable podSecurityPolicy for Kong | `false` | | podSecurityPolicy.labels | Labels to add to podSecurityPolicy for Kong | `{}` | -| podSecurityPolicy.annotations | Annotations to add to podSecurityPolicy for Kong | `{}` | +| podSecurityPolicy.annotations | Annotations to add to podSecurityPolicy for Kong | `{ "seccomp.security.alpha.kubernetes.io/allowedProfileNames": "runtime/default" }` | | podSecurityPolicy.spec | Collection of [PodSecurityPolicy settings](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#what-is-a-pod-security-policy) | | | priorityClassName | Set pod scheduling priority class for Kong pods | `""` | | secretVolumes | Mount given secrets as a volume in Kong container to override default certs and keys. | `[]` | -| securityContext | Set the securityContext for Kong Pods | `{}` | +| securityContext | Set the securityContext for Kong Pods | See values.yaml | | containerSecurityContext | Set the securityContext for Containers | See values.yaml | | serviceMonitor.enabled | Create ServiceMonitor for Prometheus Operator | `false` | | serviceMonitor.interval | Scraping interval | `30s` | 
diff --git a/charts/kong/ci/__snapshots__/admin-api-service-clusterip-values.snap b/charts/kong/ci/__snapshots__/admin-api-service-clusterip-values.snap index 02b8de01d..8dcdd8a61 100644 --- a/charts/kong/ci/__snapshots__/admin-api-service-clusterip-values.snap +++ b/charts/kong/ci/__snapshots__/admin-api-service-clusterip-values.snap @@ -249,6 +249,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -324,6 +325,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -335,7 +337,11 @@ spec: name: chartsnap-kong-tmp - mountPath: /kong_dbless/ name: kong-custom-dbless-config-volume - securityContext: {} + securityContext: + runAsGroup: 1000 + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault serviceAccountName: chartsnap-kong terminationGracePeriodSeconds: 30 volumes: diff --git a/charts/kong/ci/__snapshots__/custom-labels-values.snap b/charts/kong/ci/__snapshots__/custom-labels-values.snap index e73c0c346..2acdc3f9f 100644 --- a/charts/kong/ci/__snapshots__/custom-labels-values.snap +++ b/charts/kong/ci/__snapshots__/custom-labels-values.snap @@ -619,6 +619,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -728,6 +729,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -801,6 +803,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -810,7 +813,11 @@ spec: name: chartsnap-kong-prefix-dir - mountPath: /tmp name: chartsnap-kong-tmp - securityContext: {} + securityContext: + runAsGroup: 1000 + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault serviceAccountName: chartsnap-kong terminationGracePeriodSeconds: 30 volumes: 
diff --git a/charts/kong/ci/__snapshots__/default-values.snap b/charts/kong/ci/__snapshots__/default-values.snap index 54e4ee155..f28cb84f4 100644 --- a/charts/kong/ci/__snapshots__/default-values.snap +++ b/charts/kong/ci/__snapshots__/default-values.snap @@ -608,6 +608,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -719,6 +720,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -794,6 +796,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -803,7 +806,11 @@ spec: name: chartsnap-kong-prefix-dir - mountPath: /tmp name: chartsnap-kong-tmp - securityContext: {} + securityContext: + runAsGroup: 1000 + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault serviceAccountName: chartsnap-kong terminationGracePeriodSeconds: 30 volumes: diff --git a/charts/kong/ci/__snapshots__/kong-ingress-1-values.snap b/charts/kong/ci/__snapshots__/kong-ingress-1-values.snap index 5b5c55d64..8085f3725 100644 --- a/charts/kong/ci/__snapshots__/kong-ingress-1-values.snap +++ b/charts/kong/ci/__snapshots__/kong-ingress-1-values.snap @@ -615,6 +615,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -724,6 +725,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -797,6 +799,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -806,7 +809,11 @@ spec: name: chartsnap-kong-prefix-dir - mountPath: /tmp name: chartsnap-kong-tmp - securityContext: {} + securityContext: + runAsGroup: 1000 + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault serviceAccountName: chartsnap-kong terminationGracePeriodSeconds: 30 volumes: 
diff --git a/charts/kong/ci/__snapshots__/kong-ingress-2-values.snap b/charts/kong/ci/__snapshots__/kong-ingress-2-values.snap index 0275e9e04..693055edf 100644 --- a/charts/kong/ci/__snapshots__/kong-ingress-2-values.snap +++ b/charts/kong/ci/__snapshots__/kong-ingress-2-values.snap @@ -615,6 +615,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -724,6 +725,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -797,6 +799,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -806,7 +809,11 @@ spec: name: chartsnap-kong-prefix-dir - mountPath: /tmp name: chartsnap-kong-tmp - securityContext: {} + securityContext: + runAsGroup: 1000 + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault serviceAccountName: chartsnap-kong terminationGracePeriodSeconds: 30 volumes: diff --git a/charts/kong/ci/__snapshots__/kong-ingress-3-values.snap b/charts/kong/ci/__snapshots__/kong-ingress-3-values.snap index 80e4ed5b1..45a47ea85 100644 --- a/charts/kong/ci/__snapshots__/kong-ingress-3-values.snap +++ b/charts/kong/ci/__snapshots__/kong-ingress-3-values.snap @@ -606,6 +606,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -715,6 +716,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -788,6 +790,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -797,7 +800,11 @@ spec: name: chartsnap-kong-prefix-dir - mountPath: /tmp name: chartsnap-kong-tmp - securityContext: {} + securityContext: + runAsGroup: 1000 + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault serviceAccountName: chartsnap-kong terminationGracePeriodSeconds: 30 volumes: 
diff --git a/charts/kong/ci/__snapshots__/kong-ingress-4-values.snap b/charts/kong/ci/__snapshots__/kong-ingress-4-values.snap index 7cc685071..433410597 100644 --- a/charts/kong/ci/__snapshots__/kong-ingress-4-values.snap +++ b/charts/kong/ci/__snapshots__/kong-ingress-4-values.snap @@ -624,6 +624,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -733,6 +734,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -806,6 +808,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -815,7 +818,11 @@ spec: name: chartsnap-kong-prefix-dir - mountPath: /tmp name: chartsnap-kong-tmp - securityContext: {} + securityContext: + runAsGroup: 1000 + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault serviceAccountName: chartsnap-kong terminationGracePeriodSeconds: 30 volumes: diff --git a/charts/kong/ci/__snapshots__/kong-ingress-5-3.1-rbac-values.snap b/charts/kong/ci/__snapshots__/kong-ingress-5-3.1-rbac-values.snap index b8b61c170..1fc393b67 100644 --- a/charts/kong/ci/__snapshots__/kong-ingress-5-3.1-rbac-values.snap +++ b/charts/kong/ci/__snapshots__/kong-ingress-5-3.1-rbac-values.snap @@ -608,6 +608,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -719,6 +720,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -794,6 +796,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: 
@@ -803,7 +806,11 @@ spec: name: chartsnap-kong-prefix-dir - mountPath: /tmp name: chartsnap-kong-tmp - securityContext: {} + securityContext: + runAsGroup: 1000 + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault serviceAccountName: chartsnap-kong terminationGracePeriodSeconds: 30 volumes: diff --git a/charts/kong/ci/__snapshots__/proxy-appprotocol-values.snap b/charts/kong/ci/__snapshots__/proxy-appprotocol-values.snap index 570846774..1b2268a71 100644 --- a/charts/kong/ci/__snapshots__/proxy-appprotocol-values.snap +++ b/charts/kong/ci/__snapshots__/proxy-appprotocol-values.snap @@ -608,6 +608,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -717,6 +718,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -790,6 +792,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -799,7 +802,11 @@ spec: name: chartsnap-kong-prefix-dir - mountPath: /tmp name: chartsnap-kong-tmp - securityContext: {} + securityContext: + runAsGroup: 1000 + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault serviceAccountName: chartsnap-kong terminationGracePeriodSeconds: 30 volumes: diff --git a/charts/kong/ci/__snapshots__/service-account.snap b/charts/kong/ci/__snapshots__/service-account.snap index 7a81a623e..0b2d503e4 100644 --- a/charts/kong/ci/__snapshots__/service-account.snap +++ b/charts/kong/ci/__snapshots__/service-account.snap @@ -606,6 +606,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -715,6 +716,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -788,6 +790,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: 
@@ -797,7 +800,11 @@ spec: name: chartsnap-kong-prefix-dir - mountPath: /tmp name: chartsnap-kong-tmp - securityContext: {} + securityContext: + runAsGroup: 1000 + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault serviceAccountName: my-kong-sa terminationGracePeriodSeconds: 30 volumes: diff --git a/charts/kong/ci/__snapshots__/single-image-default-values.snap b/charts/kong/ci/__snapshots__/single-image-default-values.snap index 8c7a35a5b..628d4120d 100644 --- a/charts/kong/ci/__snapshots__/single-image-default-values.snap +++ b/charts/kong/ci/__snapshots__/single-image-default-values.snap @@ -608,6 +608,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -719,6 +720,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -794,6 +796,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -803,7 +806,11 @@ spec: name: chartsnap-kong-prefix-dir - mountPath: /tmp name: chartsnap-kong-tmp - securityContext: {} + securityContext: + runAsGroup: 1000 + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault serviceAccountName: chartsnap-kong terminationGracePeriodSeconds: 30 volumes: diff --git a/charts/kong/ci/__snapshots__/test-enterprise-version-3.4.0.0-values.snap b/charts/kong/ci/__snapshots__/test-enterprise-version-3.4.0.0-values.snap index c0f12ec60..2222e743a 100644 --- a/charts/kong/ci/__snapshots__/test-enterprise-version-3.4.0.0-values.snap +++ b/charts/kong/ci/__snapshots__/test-enterprise-version-3.4.0.0-values.snap @@ -198,6 +198,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -269,6 +270,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: 
@@ -278,7 +280,11 @@ spec: name: chartsnap-kong-prefix-dir - mountPath: /tmp name: chartsnap-kong-tmp - securityContext: {} + securityContext: + runAsGroup: 1000 + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault serviceAccountName: chartsnap-kong terminationGracePeriodSeconds: 30 volumes: diff --git a/charts/kong/ci/__snapshots__/test1-values.snap b/charts/kong/ci/__snapshots__/test1-values.snap index 6c24c1589..28a2ccb80 100644 --- a/charts/kong/ci/__snapshots__/test1-values.snap +++ b/charts/kong/ci/__snapshots__/test1-values.snap @@ -610,6 +610,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -730,6 +731,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -811,6 +813,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -836,7 +839,11 @@ spec: volumeMounts: - mountPath: /tmp/foo name: tmpdir - securityContext: {} + securityContext: + runAsGroup: 1000 + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault serviceAccountName: chartsnap-kong terminationGracePeriodSeconds: 30 volumes: diff --git a/charts/kong/ci/__snapshots__/test2-values.snap b/charts/kong/ci/__snapshots__/test2-values.snap index 58a8dc023..3fd15db45 100644 --- a/charts/kong/ci/__snapshots__/test2-values.snap +++ b/charts/kong/ci/__snapshots__/test2-values.snap @@ -162,6 +162,18 @@ subjects: --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role +metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: postgresql + helm.sh/chart: postgresql-11.9.13 + name: chartsnap-postgresql + namespace: default +rules: null +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role metadata: labels: app.kubernetes.io/instance: chartsnap 
@@ -460,6 +472,25 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding +metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: postgresql + helm.sh/chart: postgresql-11.9.13 + name: chartsnap-postgresql + namespace: default +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: chartsnap-postgresql +subjects: + - kind: ServiceAccount + name: default + namespace: default +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding metadata: labels: app.kubernetes.io/instance: chartsnap @@ -751,6 +782,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -884,6 +916,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -975,6 +1008,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -1078,6 +1112,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -1087,7 +1122,11 @@ spec: name: chartsnap-kong-prefix-dir - mountPath: /tmp name: chartsnap-kong-tmp - securityContext: {} + securityContext: + runAsGroup: 1000 + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault serviceAccountName: chartsnap-kong terminationGracePeriodSeconds: 30 volumes: @@ -1125,7 +1164,8 @@ spec: apiVersion: apps/v1 kind: StatefulSet metadata: - annotations: null + annotations: + ignore-check.kube-linter.io/no-read-only-root-fs: writable fs is required labels: app.kubernetes.io/component: primary app.kubernetes.io/instance: chartsnap @@ -1245,7 +1285,14 @@ spec: cpu: 250m memory: 256Mi securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true runAsUser: 1001 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /dev/shm name: dshm 
@@ -1256,6 +1303,9 @@ spec: initContainers: null securityContext: fsGroup: 1001 + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: default volumes: - emptyDir: @@ -1390,6 +1440,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -1493,7 +1544,11 @@ spec: - mountPath: /wait_postgres name: chartsnap-kong-bash-wait-for-postgres restartPolicy: OnFailure - securityContext: {} + securityContext: + runAsGroup: 1000 + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault serviceAccountName: chartsnap-kong volumes: - emptyDir: @@ -1741,6 +1796,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -1844,7 +1900,11 @@ spec: - mountPath: /wait_postgres name: chartsnap-kong-bash-wait-for-postgres restartPolicy: OnFailure - securityContext: {} + securityContext: + runAsGroup: 1000 + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault serviceAccountName: chartsnap-kong volumes: - emptyDir: @@ -1996,6 +2056,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -2099,7 +2160,11 @@ spec: - mountPath: /wait_postgres name: chartsnap-kong-bash-wait-for-postgres restartPolicy: OnFailure - securityContext: {} + securityContext: + runAsGroup: 1000 + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault serviceAccountName: chartsnap-kong volumes: - emptyDir: diff --git a/charts/kong/ci/__snapshots__/test3-values.snap b/charts/kong/ci/__snapshots__/test3-values.snap index d24d3968c..f42d25a6b 100644 --- a/charts/kong/ci/__snapshots__/test3-values.snap +++ b/charts/kong/ci/__snapshots__/test3-values.snap @@ -225,6 +225,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: 
@@ -304,6 +305,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -331,7 +333,11 @@ spec: volumeMounts: - mountPath: /opt/tmp name: tmpdir - securityContext: {} + securityContext: + runAsGroup: 1000 + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault serviceAccountName: chartsnap-kong terminationGracePeriodSeconds: 30 volumes: diff --git a/charts/kong/ci/__snapshots__/test4-values.snap b/charts/kong/ci/__snapshots__/test4-values.snap index 1bb056c2f..aa29484ea 100644 --- a/charts/kong/ci/__snapshots__/test4-values.snap +++ b/charts/kong/ci/__snapshots__/test4-values.snap @@ -239,6 +239,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -316,6 +317,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -327,7 +329,11 @@ spec: name: chartsnap-kong-tmp - mountPath: /kong_dbless/ name: kong-custom-dbless-config-volume - securityContext: {} + securityContext: + runAsGroup: 1000 + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault serviceAccountName: chartsnap-kong terminationGracePeriodSeconds: 30 volumes: diff --git a/charts/kong/ci/__snapshots__/test5-values.snap b/charts/kong/ci/__snapshots__/test5-values.snap index c8ad34bba..27802a64f 100644 --- a/charts/kong/ci/__snapshots__/test5-values.snap +++ b/charts/kong/ci/__snapshots__/test5-values.snap @@ -376,6 +376,18 @@ subjects: --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role +metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: postgresql + helm.sh/chart: postgresql-11.9.13 + name: chartsnap-postgresql + namespace: default +rules: null +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role metadata: labels: app.kubernetes.io/instance: chartsnap 
@@ -440,6 +452,25 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding +metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: postgresql + helm.sh/chart: postgresql-11.9.13 + name: chartsnap-postgresql + namespace: default +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: chartsnap-postgresql +subjects: + - kind: ServiceAccount + name: default + namespace: default +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding metadata: labels: app.kubernetes.io/instance: chartsnap @@ -696,6 +727,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -822,6 +854,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -912,6 +945,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -1001,6 +1035,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -1010,7 +1045,11 @@ spec: name: chartsnap-kong-prefix-dir - mountPath: /tmp name: chartsnap-kong-tmp - securityContext: {} + securityContext: + runAsGroup: 1000 + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault serviceAccountName: chartsnap-kong terminationGracePeriodSeconds: 30 volumes: @@ -1048,7 +1087,8 @@ spec: apiVersion: apps/v1 kind: StatefulSet metadata: - annotations: null + annotations: + ignore-check.kube-linter.io/no-read-only-root-fs: writable fs is required labels: app.kubernetes.io/component: primary app.kubernetes.io/instance: chartsnap @@ -1168,7 +1208,14 @@ spec: cpu: 250m memory: 256Mi securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true runAsUser: 1001 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /dev/shm name: dshm 
@@ -1179,6 +1226,9 @@ spec: initContainers: null securityContext: fsGroup: 1001 + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: default volumes: - emptyDir: @@ -1312,6 +1362,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -1401,7 +1452,11 @@ spec: - mountPath: /wait_postgres name: chartsnap-kong-bash-wait-for-postgres restartPolicy: OnFailure - securityContext: {} + securityContext: + runAsGroup: 1000 + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault serviceAccountName: chartsnap-kong volumes: - emptyDir: @@ -1647,6 +1702,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -1736,7 +1792,11 @@ spec: - mountPath: /wait_postgres name: chartsnap-kong-bash-wait-for-postgres restartPolicy: OnFailure - securityContext: {} + securityContext: + runAsGroup: 1000 + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault serviceAccountName: chartsnap-kong volumes: - emptyDir: @@ -1887,6 +1947,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -1976,7 +2037,11 @@ spec: - mountPath: /wait_postgres name: chartsnap-kong-bash-wait-for-postgres restartPolicy: OnFailure - securityContext: {} + securityContext: + runAsGroup: 1000 + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault serviceAccountName: chartsnap-kong volumes: - emptyDir: diff --git a/charts/kong/values.yaml b/charts/kong/values.yaml index 0829fcba6..d58f73ff4 100644 --- a/charts/kong/values.yaml +++ b/charts/kong/values.yaml 
@@ -720,6 +720,23 @@ postgresql: service: ports: postgresql: "5432" + primary: + annotations: + "ignore-check.kube-linter.io/no-read-only-root-fs": "writable fs is required" + podSecurityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + containerSecurityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + rbac: + create: true # ----------------------------------------------------------------------------- # Configure cert-manager integration @@ -933,19 +950,29 @@ podDisruptionBudget: podSecurityPolicy: enabled: false labels: {} - annotations: {} + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default' spec: privileged: false fsGroup: - rule: RunAsAny + rule: MustRunAs + ranges: + - min: 1 + max: 65533 runAsUser: - rule: RunAsAny + rule: MustRunAsNonRoot runAsGroup: - rule: RunAsAny + rule: MustRunAs + ranges: + - min: 1 + max: 65535 seLinux: rule: RunAsAny supplementalGroups: - rule: RunAsAny + rule: MustRunAs + ranges: + - min: 1 + max: 65535 volumes: - 'configMap' - 'secret' @@ -963,13 +990,18 @@ podSecurityPolicy: priorityClassName: "" # securityContext for Kong pods. -securityContext: {} +securityContext: + runAsUser: 1000 + runAsGroup: 1000 + seccompProfile: + type: RuntimeDefault # securityContext for containers. containerSecurityContext: readOnlyRootFilesystem: true allowPrivilegeEscalation: false runAsUser: 1000 + runAsGroup: 1000 runAsNonRoot: true seccompProfile: type: RuntimeDefault
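Review bot: `rbac.create: true` at the end of the `postgresql.primary` hunk renders a Role with `rules: null` and a RoleBinding that binds it to the namespace's `default` ServiceAccount (visible in the test2 and test5 snapshots), so it grants nothing as written; either state what it is meant to enable in a comment or drop it until it carries rules. The new `containerSecurityContext` sets `runAsNonRoot: true` without a `runAsUser`, so the non-root guarantee appears to rest on the subchart's own `runAsUser: 1001` default (it shows up only as unchanged context in the snapshots) — worth a comment such as `# runAsUser is inherited from the postgresql subchart default (1001)`. The annotation key is double-quoted here while the PSP annotation value later in the file is single-quoted; pick one quoting style for the file.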
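Review bot: The `fsGroup` range in the `podSecurityPolicy.spec` hunk tops out at 65533 while `runAsGroup` and `supplementalGroups` use 65535; if the narrower bound is deliberate it deserves a one-line comment, otherwise align the three ranges. Since PodSecurityPolicy no longer exists on current Kubernetes releases and the `seccomp.security.alpha.kubernetes.io/allowedProfileNames` annotation is only honored by PSP admission, a comment above `podSecurityPolicy:` noting that these settings are inert on clusters without PSP, and that the pod/container `seccompProfile` fields below are what enforce seccomp elsewhere, would save the next reader from assuming they are active.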
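Review bot: The new pod-level `securityContext` in the last hunk sets `runAsUser`/`runAsGroup` and a seccomp profile but not `runAsNonRoot: true`, unlike the `postgresql.primary.podSecurityContext` added in the same commit; a container that overrides `containerSecurityContext`, or an extra sidecar, would then lose the non-root guarantee, so add `runAsNonRoot: true` under `securityContext:`. The pod-level UID/GID 1000 now applies to every container in the pod, including init containers and the migration Jobs (the snapshots show the Jobs picking it up), which the comment should say, e.g. `# Applied to every container in the pod (init containers and migration Jobs included); per-container overrides go in containerSecurityContext.`. It would also help to note why 1000 was chosen — presumably the UID the kong image runs as, but that is not stated anywhere in the hunk.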