From f3a3b4434b3367ca7f0475fb0abc980b306cda3d Mon Sep 17 00:00:00 2001 From: Gerald Pape Date: Tue, 16 Apr 2024 15:39:38 +0200 Subject: [PATCH] fix(deploy) increase container security Change default values to run containers with read-only file system and non-root user for both kong and postgres deployments. Signed-off-by: Gerald Pape --- .kube-linter.yaml | 4 -- charts/kong/CHANGELOG.md | 12 ++-- charts/kong/README.md | 4 +- .../admin-api-service-clusterip-values.snap | 6 +- .../custom-entities-rbac-3.2-values.snap | 7 +- .../__snapshots__/custom-labels-values.snap | 7 +- .../kong/ci/__snapshots__/default-values.snap | 7 +- .../enterprise-postgres-basicauth.snap | 6 +- .../enterprise-postgres-openidconnect.snap | 6 +- .../__snapshots__/kong-ingress-1-values.snap | 7 +- .../__snapshots__/kong-ingress-2-values.snap | 7 +- .../__snapshots__/kong-ingress-3-values.snap | 7 +- .../__snapshots__/kong-ingress-4-values.snap | 7 +- .../kong-ingress-5-3.1-rbac-values.snap | 7 +- .../proxy-appprotocol-values.snap | 7 +- .../ci/__snapshots__/service-account.snap | 7 +- .../single-image-default-values.snap | 7 +- .../test-enterprise-version-3.4-values.snap | 6 +- ...est-enterprise-version-3.4.0.0-values.snap | 6 +- .../kong/ci/__snapshots__/test1-values.snap | 7 +- .../kong/ci/__snapshots__/test2-values.snap | 67 +++++++++++++++++-- .../kong/ci/__snapshots__/test3-values.snap | 6 +- .../kong/ci/__snapshots__/test4-values.snap | 6 +- .../kong/ci/__snapshots__/test5-values.snap | 67 +++++++++++++++++-- charts/kong/values.yaml | 42 ++++++++++-- 25 files changed, 276 insertions(+), 46 deletions(-) diff --git a/.kube-linter.yaml b/.kube-linter.yaml index 557af853e..8708288ee 100644 --- a/.kube-linter.yaml +++ b/.kube-linter.yaml @@ -1,8 +1,4 @@ checks: exclude: - # TODO: exclude no rule - # https://github.com/Kong/charts/issues/753 - - "no-read-only-root-fs" - - "run-as-non-root" - "unset-cpu-requirements" - "unset-memory-requirements" 
diff --git a/charts/kong/CHANGELOG.md b/charts/kong/CHANGELOG.md index 4fb37540a..8a77154ef 100644 --- a/charts/kong/CHANGELOG.md +++ b/charts/kong/CHANGELOG.md @@ -5,6 +5,8 @@ ### Changes * Added support for ServiceMonitor relabelings allowing labels manipulation before scraping. +* Run containers with read-only file system and non-root user to increase container and pod security. + [#1057](https://github.com/Kong/charts/pull/1057) ### Breaking changes @@ -246,7 +248,7 @@ ## 2.26.5 -### Fixed +### Fixed * Kuma ServiceAccount Token hints and volumes are also available in migrations Pods. @@ -254,19 +256,19 @@ ## 2.26.4 -### Fixed +### Fixed -* updated `admin_api_uri` to `admin_gui_api_url` as per [kong documentation](https://docs.konghq.com/gateway/3.4.x/reference/configuration/#admin_api_uri). +* updated `admin_api_uri` to `admin_gui_api_url` as per [kong documentation](https://docs.konghq.com/gateway/3.4.x/reference/configuration/#admin_api_uri). ## 2.26.3 -### Fixed +### Fixed * Enabled Service and Ingress in Kong Manager for non enterprise users. ## 2.26.2 -### Fixed +### Fixed * Add missing CRD KongConsumerGroup and extend status subresource for CRDs diff --git a/charts/kong/README.md b/charts/kong/README.md index eaaba9ae6..999b46be7 100644 --- a/charts/kong/README.md +++ b/charts/kong/README.md 
@@ -899,11 +899,11 @@ On the Gateway release side, set either `admin.tls.client.secretName` to the nam | podDisruptionBudget.minAvailable | Represents the number of Pods that must be available (integer or percentage) | | | podSecurityPolicy.enabled | Enable podSecurityPolicy for Kong | `false` | | podSecurityPolicy.labels | Labels to add to podSecurityPolicy for Kong | `{}` | -| podSecurityPolicy.annotations | Annotations to add to podSecurityPolicy for Kong | `{}` | +| podSecurityPolicy.annotations | Annotations to add to podSecurityPolicy for Kong | `{ "seccomp.security.alpha.kubernetes.io/allowedProfileNames": "runtime/default" }` | | podSecurityPolicy.spec | Collection of [PodSecurityPolicy settings](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#what-is-a-pod-security-policy) | | | priorityClassName | Set pod scheduling priority class for Kong pods | `""` | | secretVolumes | Mount given secrets as a volume in Kong container to override default certs and keys. | `[]` | -| securityContext | Set the securityContext for Kong Pods | `{}` | +| securityContext | Set the securityContext for Kong Pods | See values.yaml | | containerSecurityContext | Set the securityContext for Containers | See values.yaml | | serviceMonitor.enabled | Create ServiceMonitor for Prometheus Operator | `false` | | serviceMonitor.interval | Scraping interval | `30s` | diff --git a/charts/kong/ci/__snapshots__/admin-api-service-clusterip-values.snap b/charts/kong/ci/__snapshots__/admin-api-service-clusterip-values.snap index b81bd60a9..b3e5ffbbe 100644 --- a/charts/kong/ci/__snapshots__/admin-api-service-clusterip-values.snap +++ b/charts/kong/ci/__snapshots__/admin-api-service-clusterip-values.snap @@ -251,6 +251,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -328,6 +329,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: 
@@ -339,7 +341,9 @@ spec: name: chartsnap-kong-tmp - mountPath: /kong_dbless/ name: kong-custom-dbless-config-volume - securityContext: {} + securityContext: + seccompProfile: + type: RuntimeDefault serviceAccountName: chartsnap-kong terminationGracePeriodSeconds: 30 volumes: diff --git a/charts/kong/ci/__snapshots__/custom-entities-rbac-3.2-values.snap b/charts/kong/ci/__snapshots__/custom-entities-rbac-3.2-values.snap index 65e6e5e8c..da40bf131 100644 --- a/charts/kong/ci/__snapshots__/custom-entities-rbac-3.2-values.snap +++ b/charts/kong/ci/__snapshots__/custom-entities-rbac-3.2-values.snap @@ -624,6 +624,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -735,6 +736,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -810,6 +812,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -819,7 +822,9 @@ spec: name: chartsnap-kong-prefix-dir - mountPath: /tmp name: chartsnap-kong-tmp - securityContext: {} + securityContext: + seccompProfile: + type: RuntimeDefault serviceAccountName: chartsnap-kong terminationGracePeriodSeconds: 30 volumes: diff --git a/charts/kong/ci/__snapshots__/custom-labels-values.snap b/charts/kong/ci/__snapshots__/custom-labels-values.snap index f96dea560..a5e2e7157 100644 --- a/charts/kong/ci/__snapshots__/custom-labels-values.snap +++ b/charts/kong/ci/__snapshots__/custom-labels-values.snap @@ -635,6 +635,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -746,6 +747,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -821,6 +823,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: 
@@ -830,7 +833,9 @@ spec: name: chartsnap-kong-prefix-dir - mountPath: /tmp name: chartsnap-kong-tmp - securityContext: {} + securityContext: + seccompProfile: + type: RuntimeDefault serviceAccountName: chartsnap-kong terminationGracePeriodSeconds: 30 volumes: diff --git a/charts/kong/ci/__snapshots__/default-values.snap b/charts/kong/ci/__snapshots__/default-values.snap index 892257b19..f9a2fcc69 100644 --- a/charts/kong/ci/__snapshots__/default-values.snap +++ b/charts/kong/ci/__snapshots__/default-values.snap @@ -624,6 +624,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -735,6 +736,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -810,6 +812,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -819,7 +822,9 @@ spec: name: chartsnap-kong-prefix-dir - mountPath: /tmp name: chartsnap-kong-tmp - securityContext: {} + securityContext: + seccompProfile: + type: RuntimeDefault serviceAccountName: chartsnap-kong terminationGracePeriodSeconds: 30 volumes: diff --git a/charts/kong/ci/__snapshots__/enterprise-postgres-basicauth.snap b/charts/kong/ci/__snapshots__/enterprise-postgres-basicauth.snap index 914071a16..427f46d9d 100644 --- a/charts/kong/ci/__snapshots__/enterprise-postgres-basicauth.snap +++ b/charts/kong/ci/__snapshots__/enterprise-postgres-basicauth.snap @@ -289,6 +289,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -379,6 +380,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: 
@@ -388,7 +390,9 @@ spec: name: chartsnap-kong-prefix-dir - mountPath: /tmp name: chartsnap-kong-tmp - securityContext: {} + securityContext: + seccompProfile: + type: RuntimeDefault serviceAccountName: chartsnap-kong terminationGracePeriodSeconds: 30 volumes: diff --git a/charts/kong/ci/__snapshots__/enterprise-postgres-openidconnect.snap b/charts/kong/ci/__snapshots__/enterprise-postgres-openidconnect.snap index 6faae54a0..52100afb2 100644 --- a/charts/kong/ci/__snapshots__/enterprise-postgres-openidconnect.snap +++ b/charts/kong/ci/__snapshots__/enterprise-postgres-openidconnect.snap @@ -289,6 +289,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -379,6 +380,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -388,7 +390,9 @@ spec: name: chartsnap-kong-prefix-dir - mountPath: /tmp name: chartsnap-kong-tmp - securityContext: {} + securityContext: + seccompProfile: + type: RuntimeDefault serviceAccountName: chartsnap-kong terminationGracePeriodSeconds: 30 volumes: diff --git a/charts/kong/ci/__snapshots__/kong-ingress-1-values.snap b/charts/kong/ci/__snapshots__/kong-ingress-1-values.snap index 32aca9374..96d437565 100644 --- a/charts/kong/ci/__snapshots__/kong-ingress-1-values.snap +++ b/charts/kong/ci/__snapshots__/kong-ingress-1-values.snap @@ -633,6 +633,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -744,6 +745,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -819,6 +821,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: 
@@ -828,7 +831,9 @@ spec: name: chartsnap-kong-prefix-dir - mountPath: /tmp name: chartsnap-kong-tmp - securityContext: {} + securityContext: + seccompProfile: + type: RuntimeDefault serviceAccountName: chartsnap-kong terminationGracePeriodSeconds: 30 volumes: diff --git a/charts/kong/ci/__snapshots__/kong-ingress-2-values.snap b/charts/kong/ci/__snapshots__/kong-ingress-2-values.snap index e9a424378..858671f1d 100644 --- a/charts/kong/ci/__snapshots__/kong-ingress-2-values.snap +++ b/charts/kong/ci/__snapshots__/kong-ingress-2-values.snap @@ -633,6 +633,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -744,6 +745,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -819,6 +821,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -828,7 +831,9 @@ spec: name: chartsnap-kong-prefix-dir - mountPath: /tmp name: chartsnap-kong-tmp - securityContext: {} + securityContext: + seccompProfile: + type: RuntimeDefault serviceAccountName: chartsnap-kong terminationGracePeriodSeconds: 30 volumes: diff --git a/charts/kong/ci/__snapshots__/kong-ingress-3-values.snap b/charts/kong/ci/__snapshots__/kong-ingress-3-values.snap index bcb84dd20..f14f82d01 100644 --- a/charts/kong/ci/__snapshots__/kong-ingress-3-values.snap +++ b/charts/kong/ci/__snapshots__/kong-ingress-3-values.snap @@ -624,6 +624,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -735,6 +736,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -810,6 +812,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: 
@@ -819,7 +822,9 @@ spec: name: chartsnap-kong-prefix-dir - mountPath: /tmp name: chartsnap-kong-tmp - securityContext: {} + securityContext: + seccompProfile: + type: RuntimeDefault serviceAccountName: chartsnap-kong terminationGracePeriodSeconds: 30 volumes: diff --git a/charts/kong/ci/__snapshots__/kong-ingress-4-values.snap b/charts/kong/ci/__snapshots__/kong-ingress-4-values.snap index d7e110df5..4c427dabe 100644 --- a/charts/kong/ci/__snapshots__/kong-ingress-4-values.snap +++ b/charts/kong/ci/__snapshots__/kong-ingress-4-values.snap @@ -642,6 +642,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -753,6 +754,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -828,6 +830,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -837,7 +840,9 @@ spec: name: chartsnap-kong-prefix-dir - mountPath: /tmp name: chartsnap-kong-tmp - securityContext: {} + securityContext: + seccompProfile: + type: RuntimeDefault serviceAccountName: chartsnap-kong terminationGracePeriodSeconds: 30 volumes: diff --git a/charts/kong/ci/__snapshots__/kong-ingress-5-3.1-rbac-values.snap b/charts/kong/ci/__snapshots__/kong-ingress-5-3.1-rbac-values.snap index 2c5fa8417..7e6bc6ce4 100644 --- a/charts/kong/ci/__snapshots__/kong-ingress-5-3.1-rbac-values.snap +++ b/charts/kong/ci/__snapshots__/kong-ingress-5-3.1-rbac-values.snap @@ -608,6 +608,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -719,6 +720,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -794,6 +796,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: 
@@ -803,7 +806,9 @@ spec: name: chartsnap-kong-prefix-dir - mountPath: /tmp name: chartsnap-kong-tmp - securityContext: {} + securityContext: + seccompProfile: + type: RuntimeDefault serviceAccountName: chartsnap-kong terminationGracePeriodSeconds: 30 volumes: diff --git a/charts/kong/ci/__snapshots__/proxy-appprotocol-values.snap b/charts/kong/ci/__snapshots__/proxy-appprotocol-values.snap index 975ff1608..e79acf8f3 100644 --- a/charts/kong/ci/__snapshots__/proxy-appprotocol-values.snap +++ b/charts/kong/ci/__snapshots__/proxy-appprotocol-values.snap @@ -626,6 +626,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -737,6 +738,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -812,6 +814,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -821,7 +824,9 @@ spec: name: chartsnap-kong-prefix-dir - mountPath: /tmp name: chartsnap-kong-tmp - securityContext: {} + securityContext: + seccompProfile: + type: RuntimeDefault serviceAccountName: chartsnap-kong terminationGracePeriodSeconds: 30 volumes: diff --git a/charts/kong/ci/__snapshots__/service-account.snap b/charts/kong/ci/__snapshots__/service-account.snap index f99d0a470..296df45cd 100644 --- a/charts/kong/ci/__snapshots__/service-account.snap +++ b/charts/kong/ci/__snapshots__/service-account.snap @@ -624,6 +624,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -735,6 +736,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -810,6 +812,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: 
@@ -819,7 +822,9 @@ spec: name: chartsnap-kong-prefix-dir - mountPath: /tmp name: chartsnap-kong-tmp - securityContext: {} + securityContext: + seccompProfile: + type: RuntimeDefault serviceAccountName: my-kong-sa terminationGracePeriodSeconds: 30 volumes: diff --git a/charts/kong/ci/__snapshots__/single-image-default-values.snap b/charts/kong/ci/__snapshots__/single-image-default-values.snap index 0db2fef14..c77f134e7 100644 --- a/charts/kong/ci/__snapshots__/single-image-default-values.snap +++ b/charts/kong/ci/__snapshots__/single-image-default-values.snap @@ -624,6 +624,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -735,6 +736,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -810,6 +812,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -819,7 +822,9 @@ spec: name: chartsnap-kong-prefix-dir - mountPath: /tmp name: chartsnap-kong-tmp - securityContext: {} + securityContext: + seccompProfile: + type: RuntimeDefault serviceAccountName: chartsnap-kong terminationGracePeriodSeconds: 30 volumes: diff --git a/charts/kong/ci/__snapshots__/test-enterprise-version-3.4-values.snap b/charts/kong/ci/__snapshots__/test-enterprise-version-3.4-values.snap index a4d31cc88..68aeaebc3 100644 --- a/charts/kong/ci/__snapshots__/test-enterprise-version-3.4-values.snap +++ b/charts/kong/ci/__snapshots__/test-enterprise-version-3.4-values.snap @@ -200,6 +200,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -273,6 +274,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: 
@@ -282,7 +284,9 @@ spec: name: chartsnap-kong-prefix-dir - mountPath: /tmp name: chartsnap-kong-tmp - securityContext: {} + securityContext: + seccompProfile: + type: RuntimeDefault serviceAccountName: chartsnap-kong terminationGracePeriodSeconds: 30 volumes: diff --git a/charts/kong/ci/__snapshots__/test-enterprise-version-3.4.0.0-values.snap b/charts/kong/ci/__snapshots__/test-enterprise-version-3.4.0.0-values.snap index 8d5cf2e50..88b638cd1 100644 --- a/charts/kong/ci/__snapshots__/test-enterprise-version-3.4.0.0-values.snap +++ b/charts/kong/ci/__snapshots__/test-enterprise-version-3.4.0.0-values.snap @@ -198,6 +198,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -269,6 +270,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -278,7 +280,9 @@ spec: name: chartsnap-kong-prefix-dir - mountPath: /tmp name: chartsnap-kong-tmp - securityContext: {} + securityContext: + seccompProfile: + type: RuntimeDefault serviceAccountName: chartsnap-kong terminationGracePeriodSeconds: 30 volumes: diff --git a/charts/kong/ci/__snapshots__/test1-values.snap b/charts/kong/ci/__snapshots__/test1-values.snap index 449ee1099..e46a7b57a 100644 --- a/charts/kong/ci/__snapshots__/test1-values.snap +++ b/charts/kong/ci/__snapshots__/test1-values.snap @@ -626,6 +626,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -746,6 +747,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -827,6 +829,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: 
@@ -852,7 +855,9 @@ spec: volumeMounts: - mountPath: /tmp/foo name: tmpdir - securityContext: {} + securityContext: + seccompProfile: + type: RuntimeDefault serviceAccountName: chartsnap-kong terminationGracePeriodSeconds: 30 volumes: diff --git a/charts/kong/ci/__snapshots__/test2-values.snap b/charts/kong/ci/__snapshots__/test2-values.snap index b46cfa5e1..1d92b6a05 100644 --- a/charts/kong/ci/__snapshots__/test2-values.snap +++ b/charts/kong/ci/__snapshots__/test2-values.snap @@ -178,6 +178,18 @@ subjects: --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role +metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: postgresql + helm.sh/chart: postgresql-11.9.13 + name: chartsnap-postgresql + namespace: default +rules: null +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role metadata: labels: app.kubernetes.io/instance: chartsnap @@ -476,6 +488,25 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding +metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: postgresql + helm.sh/chart: postgresql-11.9.13 + name: chartsnap-postgresql + namespace: default +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: chartsnap-postgresql +subjects: + - kind: ServiceAccount + name: default + namespace: default +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding metadata: labels: app.kubernetes.io/instance: chartsnap @@ -767,6 +798,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -900,6 +932,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -991,6 +1024,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: 
@@ -1094,6 +1128,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -1103,7 +1138,9 @@ spec: name: chartsnap-kong-prefix-dir - mountPath: /tmp name: chartsnap-kong-tmp - securityContext: {} + securityContext: + seccompProfile: + type: RuntimeDefault serviceAccountName: chartsnap-kong terminationGracePeriodSeconds: 30 volumes: @@ -1141,7 +1178,8 @@ spec: apiVersion: apps/v1 kind: StatefulSet metadata: - annotations: null + annotations: + ignore-check.kube-linter.io/no-read-only-root-fs: writable fs is required labels: app.kubernetes.io/component: primary app.kubernetes.io/instance: chartsnap @@ -1261,7 +1299,14 @@ spec: cpu: 250m memory: 256Mi securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true runAsUser: 1001 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /dev/shm name: dshm @@ -1272,6 +1317,9 @@ spec: initContainers: null securityContext: fsGroup: 1001 + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: default volumes: - emptyDir: @@ -1406,6 +1454,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -1509,7 +1558,9 @@ spec: - mountPath: /wait_postgres name: chartsnap-kong-bash-wait-for-postgres restartPolicy: OnFailure - securityContext: {} + securityContext: + seccompProfile: + type: RuntimeDefault serviceAccountName: chartsnap-kong volumes: - emptyDir: @@ -1808,6 +1859,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -1911,7 +1963,9 @@ spec: - mountPath: /wait_postgres name: chartsnap-kong-bash-wait-for-postgres restartPolicy: OnFailure - securityContext: {} + securityContext: + seccompProfile: + type: RuntimeDefault serviceAccountName: chartsnap-kong volumes: - emptyDir: 
@@ -2063,6 +2117,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -2166,7 +2221,9 @@ spec: - mountPath: /wait_postgres name: chartsnap-kong-bash-wait-for-postgres restartPolicy: OnFailure - securityContext: {} + securityContext: + seccompProfile: + type: RuntimeDefault serviceAccountName: chartsnap-kong volumes: - emptyDir: diff --git a/charts/kong/ci/__snapshots__/test3-values.snap b/charts/kong/ci/__snapshots__/test3-values.snap index 0eaf256a8..95bb8dc35 100644 --- a/charts/kong/ci/__snapshots__/test3-values.snap +++ b/charts/kong/ci/__snapshots__/test3-values.snap @@ -225,6 +225,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -304,6 +305,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -331,7 +333,9 @@ spec: volumeMounts: - mountPath: /opt/tmp name: tmpdir - securityContext: {} + securityContext: + seccompProfile: + type: RuntimeDefault serviceAccountName: chartsnap-kong terminationGracePeriodSeconds: 30 volumes: diff --git a/charts/kong/ci/__snapshots__/test4-values.snap b/charts/kong/ci/__snapshots__/test4-values.snap index d096ffff1..d5b506e7a 100644 --- a/charts/kong/ci/__snapshots__/test4-values.snap +++ b/charts/kong/ci/__snapshots__/test4-values.snap @@ -239,6 +239,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -316,6 +317,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -327,7 +329,9 @@ spec: name: chartsnap-kong-tmp - mountPath: /kong_dbless/ name: kong-custom-dbless-config-volume - securityContext: {} + securityContext: + seccompProfile: + type: RuntimeDefault serviceAccountName: chartsnap-kong terminationGracePeriodSeconds: 30 volumes: 
diff --git a/charts/kong/ci/__snapshots__/test5-values.snap b/charts/kong/ci/__snapshots__/test5-values.snap index 202e91b50..9a5b2fa9e 100644 --- a/charts/kong/ci/__snapshots__/test5-values.snap +++ b/charts/kong/ci/__snapshots__/test5-values.snap @@ -392,6 +392,18 @@ subjects: --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role +metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: postgresql + helm.sh/chart: postgresql-11.9.13 + name: chartsnap-postgresql + namespace: default +rules: null +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role metadata: labels: app.kubernetes.io/instance: chartsnap @@ -456,6 +468,25 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding +metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: postgresql + helm.sh/chart: postgresql-11.9.13 + name: chartsnap-postgresql + namespace: default +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: chartsnap-postgresql +subjects: + - kind: ServiceAccount + name: default + namespace: default +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding metadata: labels: app.kubernetes.io/instance: chartsnap @@ -712,6 +743,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -838,6 +870,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -928,6 +961,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -1017,6 +1051,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: 
@@ -1026,7 +1061,9 @@ spec: name: chartsnap-kong-prefix-dir - mountPath: /tmp name: chartsnap-kong-tmp - securityContext: {} + securityContext: + seccompProfile: + type: RuntimeDefault serviceAccountName: chartsnap-kong terminationGracePeriodSeconds: 30 volumes: @@ -1064,7 +1101,8 @@ spec: apiVersion: apps/v1 kind: StatefulSet metadata: - annotations: null + annotations: + ignore-check.kube-linter.io/no-read-only-root-fs: writable fs is required labels: app.kubernetes.io/component: primary app.kubernetes.io/instance: chartsnap @@ -1184,7 +1222,14 @@ spec: cpu: 250m memory: 256Mi securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true runAsUser: 1001 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /dev/shm name: dshm @@ -1195,6 +1240,9 @@ spec: initContainers: null securityContext: fsGroup: 1001 + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: default volumes: - emptyDir: @@ -1328,6 +1376,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -1417,7 +1466,9 @@ spec: - mountPath: /wait_postgres name: chartsnap-kong-bash-wait-for-postgres restartPolicy: OnFailure - securityContext: {} + securityContext: + seccompProfile: + type: RuntimeDefault serviceAccountName: chartsnap-kong volumes: - emptyDir: @@ -1714,6 +1765,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: @@ -1803,7 +1855,9 @@ spec: - mountPath: /wait_postgres name: chartsnap-kong-bash-wait-for-postgres restartPolicy: OnFailure - securityContext: {} + securityContext: + seccompProfile: + type: RuntimeDefault serviceAccountName: chartsnap-kong volumes: - emptyDir: @@ -1954,6 +2008,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true + runAsGroup: 1000 runAsNonRoot: true runAsUser: 1000 seccompProfile: 
@@ -2043,7 +2098,9 @@ spec: - mountPath: /wait_postgres name: chartsnap-kong-bash-wait-for-postgres restartPolicy: OnFailure - securityContext: {} + securityContext: + seccompProfile: + type: RuntimeDefault serviceAccountName: chartsnap-kong volumes: - emptyDir: diff --git a/charts/kong/values.yaml b/charts/kong/values.yaml index 9b079aa57..d705f0e14 100644 --- a/charts/kong/values.yaml +++ b/charts/kong/values.yaml @@ -721,6 +721,23 @@ postgresql: service: ports: postgresql: "5432" + primary: + annotations: + "ignore-check.kube-linter.io/no-read-only-root-fs": "writable fs is required" + podSecurityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + containerSecurityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + rbac: + create: true # ----------------------------------------------------------------------------- # Configure cert-manager integration @@ -934,19 +951,29 @@ podDisruptionBudget: podSecurityPolicy: enabled: false labels: {} - annotations: {} + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default' spec: privileged: false fsGroup: - rule: RunAsAny + rule: MustRunAs + ranges: + - min: 1 + max: 65533 runAsUser: - rule: RunAsAny + rule: MustRunAsNonRoot runAsGroup: - rule: RunAsAny + rule: MustRunAs + ranges: + - min: 1 + max: 65535 seLinux: rule: RunAsAny supplementalGroups: - rule: RunAsAny + rule: MustRunAs + ranges: + - min: 1 + max: 65535 volumes: - 'configMap' - 'secret' @@ -964,13 +991,16 @@ podSecurityPolicy: priorityClassName: "" # securityContext for Kong pods. -securityContext: {} +securityContext: + seccompProfile: + type: RuntimeDefault # securityContext for containers. containerSecurityContext: readOnlyRootFilesystem: true allowPrivilegeEscalation: false runAsUser: 1000 + runAsGroup: 1000 runAsNonRoot: true seccompProfile: type: RuntimeDefault
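Review bot: `rbac.create: true` under `postgresql` renders a Role with no rules and a RoleBinding to the namespace's `default` ServiceAccount — the test2 and test5 snapshots in this commit show `rules: null` and `subjects: - kind: ServiceAccount name: default` for `chartsnap-postgresql`. As written the two objects grant nothing and bind a shared account, so either drop the key or pair it with the subchart settings that give the Role content and a dedicated account (I believe those are `postgresql.psp.create` and `postgresql.serviceAccount.create`; confirm against the bundled postgresql-11.9.13 chart). The `ignore-check.kube-linter.io/no-read-only-root-fs` annotation also means postgres is the one workload that keeps a writable root filesystem, which the commit message's "read-only file system ... for both kong and postgres" overstates. A values comment above `primary:` would keep that decision visible, e.g. `# postgres needs a writable root filesystem; readOnlyRootFilesystem is deliberately not set for it`.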
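Review bot: `fsGroup: rule: MustRunAs` and `supplementalGroups: rule: MustRunAs` with ranges starting at 1 change what PSP admission injects: when a pod leaves these fields unset, as the Kong pod `securityContext` in this file does, the controller defaults them to the minimum of the first range, i.e. GID 1, not the 1000 the containers run as. Either set `fsGroup: 1000` in the pod `securityContext` or start the ranges at the same group (`- min: 1000` / `max: 65535`) so the defaulted value matches `runAsGroup`. The `fsGroup` range ends at 65533 while `runAsGroup` and `supplementalGroups` end at 65535; if the smaller bound is deliberate a comment should say why, otherwise align them. PodSecurityPolicy was removed in Kubernetes 1.25 and `podSecurityPolicy.enabled` stays `false`, so this block is inert on current clusters; a comment pointing users to Pod Security Admission (`pod-security.kubernetes.io/enforce: restricted` on the namespace) as the replacement would help.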
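Review bot: The comments `# securityContext for Kong pods.` and `# securityContext for containers.` now head non-empty defaults but say nothing about how the two interact: container-level `seccompProfile` takes precedence over the pod-level one for the containers this chart templates, so the pod-level `RuntimeDefault` only matters for containers the chart does not render itself (injected sidecars, for example), and that is worth stating so nobody removes one as a duplicate. `runAsGroup: 1000` is added beside `runAsUser: 1000`; the pair presumably matches the `kong` user and group in the upstream image, and a comment naming that assumption (`# 1000 is the kong user/group of the official image; adjust for custom images`) would save the next reader a lookup. The README entry for `securityContext` was changed to "See values.yaml", so these comments are now the only documentation of the default.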