From c55756cf73566316546b3418591120e9e65f9775 Mon Sep 17 00:00:00 2001 From: Peter Razumovsky Date: Tue, 8 Oct 2024 16:56:58 +0400 Subject: [PATCH] core: define empty securityContext for pods to fix CIS 5.7.3 Resolves CIS benchmark rule 5.7.3, Pods part. SecurityContext should be explicitly defined at the pod level of the Pod spec section. It is sufficient to specify an empty securityContext to satisfy the CIS 5.7.3 rule. 5.7.3 Apply Security Context to Your Pods and Containers When designing your containers and pods, make sure that you configure the security context for your pods, containers, and volumes. 
Signed-off-by: Peter Razumovsky (cherry picked from commit 516eab4d8a2cd8d46431aa4d2f8cc2dbe9694aed) --- pkg/operator/ceph/cluster/cleanup.go | 1 + pkg/operator/ceph/cluster/mgr/spec.go | 1 + pkg/operator/ceph/cluster/mon/spec.go | 1 + pkg/operator/ceph/cluster/nodedaemon/crash.go | 1 + pkg/operator/ceph/cluster/nodedaemon/exporter.go | 1 + pkg/operator/ceph/cluster/nodedaemon/pruner.go | 1 + pkg/operator/ceph/cluster/osd/key_rotation.go | 1 + pkg/operator/ceph/cluster/osd/provision_spec.go | 1 + pkg/operator/ceph/cluster/osd/spec.go | 5 +++-- pkg/operator/ceph/cluster/rbd/spec.go | 1 + pkg/operator/ceph/controller/cleanup.go | 1 + .../ceph/csi/template/cephfs/csi-cephfsplugin-holder.yaml | 1 + .../template/cephfs/csi-cephfsplugin-provisioner-dep.yaml | 1 + pkg/operator/ceph/csi/template/cephfs/csi-cephfsplugin.yaml | 1 + pkg/operator/ceph/csi/template/nfs/csi-nfsplugin-holder.yaml | 1 + .../ceph/csi/template/nfs/csi-nfsplugin-provisioner-dep.yaml | 1 + pkg/operator/ceph/csi/template/nfs/csi-nfsplugin.yaml | 1 + pkg/operator/ceph/csi/template/rbd/csi-rbdplugin-holder.yaml | 1 + .../ceph/csi/template/rbd/csi-rbdplugin-provisioner-dep.yaml | 1 + pkg/operator/ceph/csi/template/rbd/csi-rbdplugin.yaml | 1 + pkg/operator/ceph/file/mds/spec.go | 1 + pkg/operator/ceph/file/mirror/spec.go | 1 + pkg/operator/ceph/nfs/spec.go | 1 + pkg/operator/ceph/object/cosi/spec.go | 1 + pkg/operator/ceph/object/spec.go | 1 + pkg/operator/discover/discover.go | 1 + pkg/operator/k8sutil/cmdreporter/cmdreporter.go | 1 + 27 files changed, 29 insertions(+), 2 deletions(-) diff --git a/pkg/operator/ceph/cluster/cleanup.go b/pkg/operator/ceph/cluster/cleanup.go index eb50d1a3354d..9f7c2e0ef833 100644 --- a/pkg/operator/ceph/cluster/cleanup.go +++ b/pkg/operator/ceph/cluster/cleanup.go 
@@ -162,6 +162,7 @@ func (c *ClusterController) cleanUpJobTemplateSpec(cluster *cephv1.CephCluster,
 Volumes: volumes,
 RestartPolicy: v1.RestartPolicyOnFailure,
 PriorityClassName: cephv1.GetCleanupPriorityClassName(cluster.Spec.PriorityClassNames),
+ SecurityContext: &v1.PodSecurityContext{},
 ServiceAccountName: k8sutil.DefaultServiceAccount,
 HostNetwork: opcontroller.EnforceHostNetwork(),
 },
diff --git a/pkg/operator/ceph/cluster/mgr/spec.go b/pkg/operator/ceph/cluster/mgr/spec.go
index 1c38893d0789..bc8adf10c77e 100644
--- a/pkg/operator/ceph/cluster/mgr/spec.go
+++ b/pkg/operator/ceph/cluster/mgr/spec.go
@@ -61,6 +61,7 @@ func (c *Cluster) makeDeployment(mgrConfig *mgrConfig) (*apps.Deployment, error)
 Containers: []v1.Container{
 c.makeMgrDaemonContainer(mgrConfig),
 },
+ SecurityContext: &v1.PodSecurityContext{},
 ServiceAccountName: serviceAccountName,
 RestartPolicy: v1.RestartPolicyAlways,
 Volumes: volumes,
diff --git a/pkg/operator/ceph/cluster/mon/spec.go b/pkg/operator/ceph/cluster/mon/spec.go
index 8901f26bd919..161d77e20c17 100644
--- a/pkg/operator/ceph/cluster/mon/spec.go
+++ b/pkg/operator/ceph/cluster/mon/spec.go
@@ -190,6 +190,7 @@ func (c *Cluster) makeMonPod(monConfig *monConfig, canary bool) (*corev1.Pod, er
 Volumes: controller.DaemonVolumesBase(monConfig.DataPathMap, keyringStoreName, c.spec.DataDirHostPath),
 HostNetwork: monConfig.UseHostNetwork,
 PriorityClassName: cephv1.GetMonPriorityClassName(c.spec.PriorityClassNames),
+ SecurityContext: &corev1.PodSecurityContext{},
 ServiceAccountName: k8sutil.DefaultServiceAccount,
 }
diff --git a/pkg/operator/ceph/cluster/nodedaemon/crash.go b/pkg/operator/ceph/cluster/nodedaemon/crash.go
index 87ed94fb7ee8..9f3eb43bccfb 100644
--- a/pkg/operator/ceph/cluster/nodedaemon/crash.go
+++ b/pkg/operator/ceph/cluster/nodedaemon/crash.go
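Review bot: The added `SecurityContext: &v1.PodSecurityContext{}` in cleanUpJobTemplateSpec carries no comment saying the empty value is deliberate, so a later tidy-up could drop it as a no-op and silently reopen the CIS 5.7.3 finding; suggest `// CIS 5.7.3: an explicit pod-level securityContext is required; intentionally empty.` on the new line, and the same on the other 26 hunks of this patch, including the CSI YAML templates where `securityContext: {}` can take a `#` comment. The comment should also say that an empty PodSecurityContext changes nothing at runtime — no runAsNonRoot, fsGroup or seccompProfile is set — so this is a scanner-compliance change rather than a hardening one, and readers should not infer that these pods are now constrained. If any of these builders assign SecurityContext from a cluster-spec field later in the function (outside the hunk), that assignment would overwrite this literal; that is harmless, but a spec unit assertion that the rendered PodSpec.SecurityContext is non-nil would keep the property from regressing. The enclosing composite literal and function start before the hunk in every file touched.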
@@ -121,6 +121,7 @@ func (r *ReconcileNode) createOrUpdateCephCrash(node corev1.Node, tolerations []
 HostNetwork: cephCluster.Spec.Network.IsHost(),
 Volumes: volumes,
 PriorityClassName: cephv1.GetCrashCollectorPriorityClassName(cephCluster.Spec.PriorityClassNames),
+ SecurityContext: &corev1.PodSecurityContext{},
 ServiceAccountName: k8sutil.DefaultServiceAccount,
 },
 }
diff --git a/pkg/operator/ceph/cluster/nodedaemon/exporter.go b/pkg/operator/ceph/cluster/nodedaemon/exporter.go
index ab4debc27ef1..4c30320ce385 100644
--- a/pkg/operator/ceph/cluster/nodedaemon/exporter.go
+++ b/pkg/operator/ceph/cluster/nodedaemon/exporter.go
@@ -144,6 +144,7 @@ func (r *ReconcileNode) createOrUpdateCephExporter(node corev1.Node, tolerations
 Volumes: volumes,
 PriorityClassName: cephv1.GetCephExporterPriorityClassName(cephCluster.Spec.PriorityClassNames),
 TerminationGracePeriodSeconds: &terminationGracePeriodSeconds,
+ SecurityContext: &corev1.PodSecurityContext{},
 ServiceAccountName: k8sutil.DefaultServiceAccount,
 },
 }
diff --git a/pkg/operator/ceph/cluster/nodedaemon/pruner.go b/pkg/operator/ceph/cluster/nodedaemon/pruner.go
index bb8e3966bf92..1f6951690ad0 100644
--- a/pkg/operator/ceph/cluster/nodedaemon/pruner.go
+++ b/pkg/operator/ceph/cluster/nodedaemon/pruner.go
@@ -110,6 +110,7 @@ func (r *ReconcileNode) createOrUpdateCephCron(cephCluster cephv1.CephCluster, c
 RestartPolicy: corev1.RestartPolicyNever,
 HostNetwork: cephCluster.Spec.Network.IsHost(),
 Volumes: volumes,
+ SecurityContext: &corev1.PodSecurityContext{},
 ServiceAccountName: k8sutil.DefaultServiceAccount,
 },
 }
diff --git a/pkg/operator/ceph/cluster/osd/key_rotation.go b/pkg/operator/ceph/cluster/osd/key_rotation.go
index f9a427100d9d..6401a8eb4b7d 100644
--- a/pkg/operator/ceph/cluster/osd/key_rotation.go
+++ b/pkg/operator/ceph/cluster/osd/key_rotation.go
@@ -161,6 +161,7 @@ func (c *Cluster) getKeyRotationPodTemplateSpec(osdProps osdProperties, osd OSDI
 HostNetwork: c.spec.Network.IsHost(),
 PriorityClassName: cephv1.GetOSDPriorityClassName(c.spec.PriorityClassNames),
 SchedulerName: osdProps.schedulerName,
+ SecurityContext: &v1.PodSecurityContext{},
 },
 }
 if c.spec.Network.IsHost() {
diff --git a/pkg/operator/ceph/cluster/osd/provision_spec.go b/pkg/operator/ceph/cluster/osd/provision_spec.go
index 4839ea6a230b..48147c486c7f 100644
--- a/pkg/operator/ceph/cluster/osd/provision_spec.go
+++ b/pkg/operator/ceph/cluster/osd/provision_spec.go
@@ -158,6 +158,7 @@ func (c *Cluster) provisionPodTemplateSpec(osdProps osdProperties, restart v1.Re
 HostNetwork: opcontroller.EnforceHostNetwork(),
 PriorityClassName: cephv1.GetOSDPriorityClassName(c.spec.PriorityClassNames),
 SchedulerName: osdProps.schedulerName,
+ SecurityContext: &v1.PodSecurityContext{},
 }
 if c.spec.Network.IsHost() {
 podSpec.DNSPolicy = v1.DNSClusterFirstWithHostNet
diff --git a/pkg/operator/ceph/cluster/osd/spec.go b/pkg/operator/ceph/cluster/osd/spec.go
index 33477cdbf88b..5e55b775aad3 100644
--- a/pkg/operator/ceph/cluster/osd/spec.go
+++ b/pkg/operator/ceph/cluster/osd/spec.go
@@ -656,8 +656,9 @@ func (c *Cluster) makeDeployment(osdProps osdProperties, osd *OSDInfo, provision
 WorkingDir: opconfig.VarLogCephDir,
 },
 },
- Volumes: volumes,
- SchedulerName: osdProps.schedulerName,
+ Volumes: volumes,
+ SecurityContext: &v1.PodSecurityContext{},
+ SchedulerName: osdProps.schedulerName,
 },
 }
diff --git a/pkg/operator/ceph/cluster/rbd/spec.go b/pkg/operator/ceph/cluster/rbd/spec.go
index dd627232b2f1..e37fe79f5ba5 100644
--- a/pkg/operator/ceph/cluster/rbd/spec.go
+++ b/pkg/operator/ceph/cluster/rbd/spec.go
@@ -43,6 +43,7 @@ func (r *ReconcileCephRBDMirror) makeDeployment(daemonConfig *daemonConfig, rbdM
 Volumes: controller.DaemonVolumes(daemonConfig.DataPathMap, daemonConfig.ResourceName, r.cephClusterSpec.DataDirHostPath),
 HostNetwork: r.cephClusterSpec.Network.IsHost(),
 PriorityClassName: rbdMirror.Spec.PriorityClassName,
+ SecurityContext: &v1.PodSecurityContext{},
 ServiceAccountName: k8sutil.DefaultServiceAccount,
 },
 }
diff --git a/pkg/operator/ceph/controller/cleanup.go b/pkg/operator/ceph/controller/cleanup.go
index 99a4a60efd71..739cce905cfa 100644
--- a/pkg/operator/ceph/controller/cleanup.go
+++ b/pkg/operator/ceph/controller/cleanup.go
@@ -129,6 +129,7 @@ func (c *ResourceCleanup) jobTemplateSpec() v1.PodTemplateSpec {
 Volumes: volumes,
 RestartPolicy: v1.RestartPolicyOnFailure,
 PriorityClassName: cephv1.GetCleanupPriorityClassName(c.cluster.Spec.PriorityClassNames),
+ SecurityContext: &v1.PodSecurityContext{},
 ServiceAccountName: k8sutil.DefaultServiceAccount,
 },
 }
diff --git a/pkg/operator/ceph/csi/template/cephfs/csi-cephfsplugin-holder.yaml b/pkg/operator/ceph/csi/template/cephfs/csi-cephfsplugin-holder.yaml
index 911536032c84..f29659b298d7 100644
--- a/pkg/operator/ceph/csi/template/cephfs/csi-cephfsplugin-holder.yaml
+++ b/pkg/operator/ceph/csi/template/cephfs/csi-cephfsplugin-holder.yaml
@@ -29,6 +29,7 @@ spec:
 spec:
 # HostPID is needed to expose the correct process ID network namespace and not the process namespace
 hostPID: true
+ securityContext: {}
 serviceAccountName: rook-csi-cephfs-plugin-sa
 {{ if .PluginPriorityClassName }}
 priorityClassName: {{ .PluginPriorityClassName }}
diff --git a/pkg/operator/ceph/csi/template/cephfs/csi-cephfsplugin-provisioner-dep.yaml b/pkg/operator/ceph/csi/template/cephfs/csi-cephfsplugin-provisioner-dep.yaml
index 54bf92cd17f8..d78fc1cbe890 100644
--- a/pkg/operator/ceph/csi/template/cephfs/csi-cephfsplugin-provisioner-dep.yaml
+++ b/pkg/operator/ceph/csi/template/cephfs/csi-cephfsplugin-provisioner-dep.yaml
@@ -17,6 +17,7 @@ spec:
 {{ $key }}: "{{ $value }}"
 {{ end }}
 spec:
+ securityContext: {}
 serviceAccountName: rook-csi-cephfs-provisioner-sa
 {{ if .ProvisionerPriorityClassName }}
 priorityClassName: {{ .ProvisionerPriorityClassName }}
diff --git a/pkg/operator/ceph/csi/template/cephfs/csi-cephfsplugin.yaml b/pkg/operator/ceph/csi/template/cephfs/csi-cephfsplugin.yaml
index 5ce364cd7256..bd4bac53cb29 100644
--- a/pkg/operator/ceph/csi/template/cephfs/csi-cephfsplugin.yaml
+++ b/pkg/operator/ceph/csi/template/cephfs/csi-cephfsplugin.yaml
@@ -22,6 +22,7 @@ spec:
 {{ $key }}: "{{ $value }}"
 {{ end }}
 spec:
+ securityContext: {}
 serviceAccountName: rook-csi-cephfs-plugin-sa
 hostNetwork: {{ .EnableCSIHostNetwork }}
 {{ if .PluginPriorityClassName }}
diff --git a/pkg/operator/ceph/csi/template/nfs/csi-nfsplugin-holder.yaml b/pkg/operator/ceph/csi/template/nfs/csi-nfsplugin-holder.yaml
index 2a4c64cf803b..240d4b6b5dbb 100644
--- a/pkg/operator/ceph/csi/template/nfs/csi-nfsplugin-holder.yaml
+++ b/pkg/operator/ceph/csi/template/nfs/csi-nfsplugin-holder.yaml
@@ -29,6 +29,7 @@ spec:
 spec:
 # HostPID is needed to expose the correct process ID network namespace and not the process namespace
 hostPID: true
+ securityContext: {}
 serviceAccountName: rook-csi-nfs-plugin-sa
 {{ if .PluginPriorityClassName }}
 priorityClassName: {{ .PluginPriorityClassName }}
diff --git a/pkg/operator/ceph/csi/template/nfs/csi-nfsplugin-provisioner-dep.yaml b/pkg/operator/ceph/csi/template/nfs/csi-nfsplugin-provisioner-dep.yaml
index 7fad6f7bf258..9411546f2b0c 100644
--- a/pkg/operator/ceph/csi/template/nfs/csi-nfsplugin-provisioner-dep.yaml
+++ b/pkg/operator/ceph/csi/template/nfs/csi-nfsplugin-provisioner-dep.yaml
@@ -16,6 +16,7 @@ spec:
 {{ $key }}: "{{ $value }}"
 {{ end }}
 spec:
+ securityContext: {}
 serviceAccountName: rook-csi-nfs-provisioner-sa
 {{ if .ProvisionerPriorityClassName }}
 priorityClassName: {{ .ProvisionerPriorityClassName }}
diff --git a/pkg/operator/ceph/csi/template/nfs/csi-nfsplugin.yaml b/pkg/operator/ceph/csi/template/nfs/csi-nfsplugin.yaml
index 67d2a93ca2f5..a0d16acf6ea9 100644
--- a/pkg/operator/ceph/csi/template/nfs/csi-nfsplugin.yaml
+++ b/pkg/operator/ceph/csi/template/nfs/csi-nfsplugin.yaml
@@ -17,6 +17,7 @@ spec:
 {{ $key }}: "{{ $value }}"
 {{ end }}
 spec:
+ securityContext: {}
 serviceAccountName: rook-csi-nfs-plugin-sa
 hostNetwork: {{ .EnableCSIHostNetwork }}
 {{ if .PluginPriorityClassName }}
diff --git a/pkg/operator/ceph/csi/template/rbd/csi-rbdplugin-holder.yaml b/pkg/operator/ceph/csi/template/rbd/csi-rbdplugin-holder.yaml
index 6191b9729116..c8f11c5cc247 100644
--- a/pkg/operator/ceph/csi/template/rbd/csi-rbdplugin-holder.yaml
+++ b/pkg/operator/ceph/csi/template/rbd/csi-rbdplugin-holder.yaml
@@ -29,6 +29,7 @@ spec:
 spec:
 # HostPID is needed to expose the correct process ID network namespace and not the process namespace
 hostPID: true
+ securityContext: {}
 serviceAccountName: rook-csi-rbd-plugin-sa
 {{ if .PluginPriorityClassName }}
 priorityClassName: {{ .PluginPriorityClassName }}
diff --git a/pkg/operator/ceph/csi/template/rbd/csi-rbdplugin-provisioner-dep.yaml b/pkg/operator/ceph/csi/template/rbd/csi-rbdplugin-provisioner-dep.yaml
index 5f8b23974a3e..741b362b9da0 100644
--- a/pkg/operator/ceph/csi/template/rbd/csi-rbdplugin-provisioner-dep.yaml
+++ b/pkg/operator/ceph/csi/template/rbd/csi-rbdplugin-provisioner-dep.yaml
@@ -17,6 +17,7 @@ spec:
 {{ $key }}: "{{ $value }}"
 {{ end }}
 spec:
+ securityContext: {}
 serviceAccountName: rook-csi-rbd-provisioner-sa
 {{ if .ProvisionerPriorityClassName }}
 priorityClassName: {{ .ProvisionerPriorityClassName }}
diff --git a/pkg/operator/ceph/csi/template/rbd/csi-rbdplugin.yaml b/pkg/operator/ceph/csi/template/rbd/csi-rbdplugin.yaml
index 93f93be4bbb0..fb0a3fca5d9a 100644
--- a/pkg/operator/ceph/csi/template/rbd/csi-rbdplugin.yaml
+++ b/pkg/operator/ceph/csi/template/rbd/csi-rbdplugin.yaml
@@ -22,6 +22,7 @@ spec:
 {{ $key }}: "{{ $value }}"
 {{ end }}
 spec:
+ securityContext: {}
 serviceAccountName: rook-csi-rbd-plugin-sa
 {{ if .PluginPriorityClassName }}
 priorityClassName: {{ .PluginPriorityClassName }}
diff --git a/pkg/operator/ceph/file/mds/spec.go b/pkg/operator/ceph/file/mds/spec.go
index 31065deef622..2fe5cceac4c6 100644
--- a/pkg/operator/ceph/file/mds/spec.go
+++ b/pkg/operator/ceph/file/mds/spec.go
@@ -65,6 +65,7 @@ func (c *Cluster) makeDeployment(mdsConfig *mdsConfig, fsNamespacedname types.Na
 Volumes: controller.DaemonVolumes(mdsConfig.DataPathMap, mdsConfig.ResourceName, c.clusterSpec.DataDirHostPath),
 HostNetwork: c.clusterSpec.Network.IsHost(),
 PriorityClassName: c.fs.Spec.MetadataServer.PriorityClassName,
+ SecurityContext: &v1.PodSecurityContext{},
 ServiceAccountName: k8sutil.DefaultServiceAccount,
 },
 }
diff --git a/pkg/operator/ceph/file/mirror/spec.go b/pkg/operator/ceph/file/mirror/spec.go
index d13d1848bec9..38321411534e 100644
--- a/pkg/operator/ceph/file/mirror/spec.go
+++ b/pkg/operator/ceph/file/mirror/spec.go
@@ -46,6 +46,7 @@ func (r *ReconcileFilesystemMirror) makeDeployment(daemonConfig *daemonConfig, f
 Volumes: controller.DaemonVolumes(daemonConfig.DataPathMap, daemonConfig.ResourceName, r.cephClusterSpec.DataDirHostPath),
 HostNetwork: r.cephClusterSpec.Network.IsHost(),
 PriorityClassName: fsMirror.Spec.PriorityClassName,
+ SecurityContext: &v1.PodSecurityContext{},
 ServiceAccountName: k8sutil.DefaultServiceAccount,
 },
 }
diff --git a/pkg/operator/ceph/nfs/spec.go b/pkg/operator/ceph/nfs/spec.go
index 5834acf5c781..e5d9fb1a0247 100644
--- a/pkg/operator/ceph/nfs/spec.go
+++ b/pkg/operator/ceph/nfs/spec.go
@@ -149,6 +149,7 @@ func (r *ReconcileCephNFS) makeDeployment(nfs *cephv1.CephNFS, cfg daemonConfig)
 // connecting to the krb server. give all ganesha servers the same hostname so they can all
 // use the same krb credentials to auth
 Hostname: fmt.Sprintf("%s-%s", nfs.Namespace, nfs.Name),
+ SecurityContext: &v1.PodSecurityContext{},
 ServiceAccountName: k8sutil.DefaultServiceAccount,
 }
 // Replace default unreachable node toleration
diff --git a/pkg/operator/ceph/object/cosi/spec.go b/pkg/operator/ceph/object/cosi/spec.go
index f0cc0a5a990e..141db46e40a8 100644
--- a/pkg/operator/ceph/object/cosi/spec.go
+++ b/pkg/operator/ceph/object/cosi/spec.go
@@ -88,6 +88,7 @@ func createCOSIPodSpec(cephCOSIDriver *cephv1.CephCOSIDriver) (corev1.PodTemplat
 cosiDriverContainer,
 cosiSideCarContainer,
 },
+ SecurityContext: &corev1.PodSecurityContext{},
 ServiceAccountName: DefaultServiceAccountName,
 Volumes: []corev1.Volume{
 {Name: cosiSocketVolumeName, VolumeSource: corev1.VolumeSource{EmptyDir: &corev1.EmptyDirVolumeSource{}}},
diff --git a/pkg/operator/ceph/object/spec.go b/pkg/operator/ceph/object/spec.go
index b72910fb9b55..1d683807ab67 100644
--- a/pkg/operator/ceph/object/spec.go
+++ b/pkg/operator/ceph/object/spec.go
@@ -153,6 +153,7 @@ func (c *clusterConfig) makeRGWPodSpec(rgwConfig *rgwConfig) (v1.PodTemplateSpec
 ),
 HostNetwork: hostNetwork,
 PriorityClassName: c.store.Spec.Gateway.PriorityClassName,
+ SecurityContext: &v1.PodSecurityContext{},
 ServiceAccountName: serviceAccountName,
 }
diff --git a/pkg/operator/discover/discover.go b/pkg/operator/discover/discover.go
index b895badd7e84..5b73b8cc0f72 100644
--- a/pkg/operator/discover/discover.go
+++ b/pkg/operator/discover/discover.go
@@ -177,6 +177,7 @@ func (d *Discover) createDiscoverDaemonSet(ctx context.Context, namespace, disco
 },
 HostNetwork: opcontroller.EnforceHostNetwork(),
 PriorityClassName: k8sutil.GetValue(data, discoverDaemonsetPriorityClassNameEnv, ""),
+ SecurityContext: &v1.PodSecurityContext{},
 },
 },
 },
diff --git a/pkg/operator/k8sutil/cmdreporter/cmdreporter.go b/pkg/operator/k8sutil/cmdreporter/cmdreporter.go
index b651def6d24a..3de895d3a87a 100644
--- a/pkg/operator/k8sutil/cmdreporter/cmdreporter.go
+++ b/pkg/operator/k8sutil/cmdreporter/cmdreporter.go
@@ -302,6 +302,7 @@ func (cr *cmdReporterCfg) initJobSpec() (*batch.Job, error) {
 *cmdReporterContainer,
 },
 RestartPolicy: v1.RestartPolicyOnFailure,
+ SecurityContext: &v1.PodSecurityContext{},
 ServiceAccountName: k8sutil.DefaultServiceAccount,
 HostNetwork: cephv1.EnforceHostNetwork(),
 }