From 7cff842173a6fb0fc4f2188f42c879c81d89c33c Mon Sep 17 00:00:00 2001 
From: mr-miles 
Date: Thu, 17 Aug 2023 22:46:43 +0100 
Subject: [PATCH 1/7] Add readOnlyRootFilesystem to security context (#2771) 
* readOnlyRootFilesystem 
* Add mount for /tmp 
* Add /tmp mountpoint 
* Update ingress-gateways-deployment.yaml 
* Update terminating-gateways-deployment.yaml 
* Update helm unit tests 
---
 charts/consul/templates/_helpers.tpl | 1 +
 charts/consul/templates/ingress-gateways-deployment.yaml | 7 +++++++
 .../consul/templates/terminating-gateways-deployment.yaml | 7 +++++++
 charts/consul/test/unit/server-statefulset.bats | 2 ++
 4 files changed, 17 insertions(+) 
diff --git a/charts/consul/templates/_helpers.tpl b/charts/consul/templates/_helpers.tpl 
index 368d4d2f9a..c3d9c36402 100644 
--- a/charts/consul/templates/_helpers.tpl 
+++ b/charts/consul/templates/_helpers.tpl 
@@ -19,6 +19,7 @@ as well as the global.name setting.
 {{- if not .Values.global.enablePodSecurityPolicies -}}
 securityContext:
 allowPrivilegeEscalation: false 
+ readOnlyRootFilesystem: true
 capabilities:
 drop:
 - ALL 
diff --git a/charts/consul/templates/ingress-gateways-deployment.yaml b/charts/consul/templates/ingress-gateways-deployment.yaml 
index 508ab64eff..4c7aa2142c 100644 
--- a/charts/consul/templates/ingress-gateways-deployment.yaml 
+++ b/charts/consul/templates/ingress-gateways-deployment.yaml 
@@ -160,6 +160,9 @@ spec:
 terminationGracePeriodSeconds: {{ default $defaults.terminationGracePeriodSeconds .terminationGracePeriodSeconds }}
 serviceAccountName: {{ template "consul.fullname" $root }}-{{ .name }}
 volumes: 
+ - name: tmp 
+ emptyDir: 
+ medium: "Memory"
 - name: consul-service
 emptyDir:
 medium: "Memory" 
@@ -221,6 +224,8 @@ spec:
 -log-level={{ default $root.Values.global.logLevel $root.Values.ingressGateways.logLevel }} \
 -log-json={{ $root.Values.global.logJSON }}
 volumeMounts: 
+ - name: tmp 
+ mountPath: /tmp
 - name: consul-service
 mountPath: /consul/service
 {{- if $root.Values.global.tls.enabled }} 
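Review bot: Setting `readOnlyRootFilesystem: true` inside `consul.restrictedSecurityContext` applies to every container that includes the helper, not only the gateway and server containers this series gives a writable `/tmp`; any other included container that writes somewhere on its root filesystem now fails at runtime rather than at render time, and the only assertion added for the new key is in server-statefulset.bats. The key is emitted only under the `{{- if not .Values.global.enablePodSecurityPolicies -}}` branch visible in the hunk; whether the other branch of that conditional gets the same setting is outside the hunk, as is the start of the define. I would record the new contract in a template comment at the top of the define, e.g. `{{/* Containers that include this helper run with a read-only root filesystem and must mount a writable volume (such as an emptyDir at /tmp) for every path they write to. */}}`.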
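Review bot: The new `tmp` volume is a `medium: "Memory"` emptyDir with no `sizeLimit`, so data written to `/tmp` is charged to the container's memory and is capped only by the pod's memory limit, or by nothing when no limit is set; a `sizeLimit` turns a runaway write into an evictable volume-full condition instead of memory pressure on the node. The same definition is added to terminating-gateways-deployment.yaml at `@@ -129,6 +129,9 @@`. I would add a line under `emptyDir:`, e.g. `sizeLimit: 64Mi` (constructed value, to be sized from actual use); the neighbouring `consul-service` volume follows the same unbounded pattern, so if that is a deliberate chart-wide choice, a comment above the volume saying so would be the alternative.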
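Review bot: The writable `tmp` emptyDir is mounted at `/tmp` here and again in the container at `@@ -245,6 +250,8 @@`, so two containers in the pod now share one writable scratch directory, whereas the adjacent `consul-service` volume is mounted read-only in the second container. Unless the containers intentionally pass files through `/tmp`, a separate emptyDir per container (e.g. `tmp-init` and `tmp-dataplane`) keeps one container's temporary files from being read or replaced by the other. The terminating-gateways hunks at `@@ -206,6 +209,8 @@` and `@@ -227,6 +232,8 @@` have the same shape. Both containers' definitions start outside these hunks, so which container each mount belongs to is inferred from the surrounding args and image lines rather than shown directly.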
@@ -245,6 +250,8 @@ spec:
 resources: {{ toYaml (default $defaults.resources .resources) | nindent 10 }}
 {{- end }}
 volumeMounts: 
+ - name: tmp 
+ mountPath: /tmp
 - name: consul-service
 mountPath: /consul/service
 readOnly: true 
diff --git a/charts/consul/templates/terminating-gateways-deployment.yaml b/charts/consul/templates/terminating-gateways-deployment.yaml 
index 9afe938e56..b4a239308a 100644 
--- a/charts/consul/templates/terminating-gateways-deployment.yaml 
+++ b/charts/consul/templates/terminating-gateways-deployment.yaml 
@@ -129,6 +129,9 @@ spec:
 terminationGracePeriodSeconds: 10
 serviceAccountName: {{ template "consul.fullname" $root }}-{{ .name }}
 volumes: 
+ - name: tmp 
+ emptyDir: 
+ medium: "Memory"
 - name: consul-service
 emptyDir:
 medium: "Memory" 
@@ -206,6 +209,8 @@ spec:
 -log-level={{ default $root.Values.global.logLevel $root.Values.terminatingGateways.logLevel }} \
 -log-json={{ $root.Values.global.logJSON }}
 volumeMounts: 
+ - name: tmp 
+ mountPath: /tmp
 - name: consul-service
 mountPath: /consul/service
 {{- if $root.Values.global.tls.enabled }} 
@@ -227,6 +232,8 @@ spec:
 image: {{ $root.Values.global.imageConsulDataplane | quote }}
 {{- include "consul.restrictedSecurityContext" $ | nindent 10 }}
 volumeMounts: 
+ - name: tmp 
+ mountPath: /tmp
 - name: consul-service
 mountPath: /consul/service
 readOnly: true 
diff --git a/charts/consul/test/unit/server-statefulset.bats b/charts/consul/test/unit/server-statefulset.bats 
index afe946e7b3..7d55518886 100755 
--- a/charts/consul/test/unit/server-statefulset.bats 
+++ b/charts/consul/test/unit/server-statefulset.bats 
@@ -1385,6 +1385,7 @@ load _helpers
 "drop": ["ALL"],
 "add": ["NET_BIND_SERVICE"]
 }, 
+ "readOnlyRootFilesystem": true,
 "runAsNonRoot": true,
 "seccompProfile": {
 "type": "RuntimeDefault" 
@@ -1417,6 +1418,7 @@ load _helpers
 "drop": ["ALL"],
 "add": ["NET_BIND_SERVICE"]
 }, 
+ "readOnlyRootFilesystem": true,
 "runAsNonRoot": true,
 "seccompProfile": {
 "type": "RuntimeDefault" 
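Review bot: The test changes only pin `"readOnlyRootFilesystem": true` in two server-statefulset security-context fixtures; nothing in the series asserts that the `tmp` volume and the `/tmp` mounts are rendered in the ingress and terminating gateway deployments, so a later template edit that drops them would still pass the unit tests and only surface as a write failure inside a now read-only container. A bats case per gateway deployment, in the style of this file's existing volume checks, asserting that a volume named `tmp` exists and that each container mounts it at `/tmp`, would close that gap. The second hunk in this file carries the same one-line change and needs no separate note.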
From 0fad868753580acc2249f755564fab20b304bc4a Mon Sep 17 00:00:00 2001 
From: David Yu 
Date: Thu, 17 Aug 2023 14:56:43 -0700 
Subject: [PATCH 2/7] Create 2781.txt 
---
 .changelog/2781.txt | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 .changelog/2781.txt 
diff --git a/.changelog/2781.txt b/.changelog/2781.txt 
new file mode 100644 
index 0000000000..c8db7d0f08 
--- /dev/null 
+++ b/.changelog/2781.txt 
@@ -0,0 +1,3 @@ 
+```release-note:improvement 
+helm: Add readOnlyRootFilesystem to the default restricted security context when runnning `consul-k8s` in a restricted namespaces. 
+``` 
From b851b29ea041fb77c7ccee23754fe7970703de34 Mon Sep 17 00:00:00 2001 
From: David Yu 
Date: Thu, 17 Aug 2023 15:01:14 -0700 
Subject: [PATCH 3/7] rename changelog file 
---
 .changelog/2781.txt | 3 ---
 1 file changed, 3 deletions(-)
 delete mode 100644 .changelog/2781.txt 
diff --git a/.changelog/2781.txt b/.changelog/2781.txt 
deleted file mode 100644 
index c8db7d0f08..0000000000 
--- a/.changelog/2781.txt 
+++ /dev/null 
@@ -1,3 +0,0 @@ 
-```release-note:improvement 
-helm: Add readOnlyRootFilesystem to the default restricted security context when runnning `consul-k8s` in a restricted namespaces. 
-``` 
From 153dc736b23b6d85941e771ec27a3918a981da02 Mon Sep 17 00:00:00 2001 
From: David Yu 
Date: Thu, 17 Aug 2023 15:01:42 -0700 
Subject: [PATCH 4/7] rename changelog file 
---
 .changelog/2789.txt | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 .changelog/2789.txt 
diff --git a/.changelog/2789.txt b/.changelog/2789.txt 
new file mode 100644 
index 0000000000..c8db7d0f08 
--- /dev/null 
+++ b/.changelog/2789.txt 
@@ -0,0 +1,3 @@ 
+```release-note:improvement 
+helm: Add readOnlyRootFilesystem to the default restricted security context when runnning `consul-k8s` in a restricted namespaces. 
+``` 
From f3cff5bb6a8289c5d1faae3819a653d2b61e347b Mon Sep 17 00:00:00 2001 
From: Paul Glass 
Date: Fri, 18 Aug 2023 10:53:05 -0500 
Subject: [PATCH 5/7] Mount /tmp to volume for snapshots 
---
 charts/consul/templates/server-statefulset.yaml | 5 +++++
 1 file changed, 5 insertions(+) 
diff --git a/charts/consul/templates/server-statefulset.yaml b/charts/consul/templates/server-statefulset.yaml 
index 2b25182b96..7e6d5789a9 100644 
--- a/charts/consul/templates/server-statefulset.yaml 
+++ b/charts/consul/templates/server-statefulset.yaml 
@@ -226,6 +226,8 @@ spec:
 {{- toYaml .Values.server.securityContext | nindent 8 }}
 {{- end }}
 volumes: 
+ - name: tmp 
+ emptyDir: {}
 - name: config
 configMap:
 name: {{ template "consul.fullname" . }}-server-config 
@@ -562,6 +564,9 @@ spec:
 mountPath: /trusted-cas
 readOnly: false
 {{- end }} 
+ - name: tmp 
+ mountPath: /tmp 
+ readOnly: false
 ports:
 {{- if (or (not .Values.global.tls.enabled) (not .Values.global.tls.httpsOnly)) }}
 - name: http 
From 9d041550c29873e6d5e5db80a8d8875a7ce38243 Mon Sep 17 00:00:00 2001 
From: Sarah Alsmiller 
Date: Wed, 24 Apr 2024 10:17:43 -0500 
Subject: [PATCH 6/7] rename changelog 
---
 .changelog/2789.txt | 3 ---
 .changelog/2909.txt | 0
 2 files changed, 3 deletions(-)
 delete mode 100644 .changelog/2789.txt
 create mode 100644 .changelog/2909.txt 
diff --git a/.changelog/2789.txt b/.changelog/2789.txt 
deleted file mode 100644 
index c8db7d0f08..0000000000 
--- a/.changelog/2789.txt 
+++ /dev/null 
@@ -1,3 +0,0 @@ 
-```release-note:improvement 
-helm: Add readOnlyRootFilesystem to the default restricted security context when runnning `consul-k8s` in a restricted namespaces. 
-``` 
diff --git a/.changelog/2909.txt b/.changelog/2909.txt 
new file mode 100644 
index 0000000000..e69de29bb2 
From 62c7d28fa6a23c6ccba21ca80dee4fb25c57069f Mon Sep 17 00:00:00 2001 
From: Sarah Alsmiller 
Date: Mon, 29 Apr 2024 14:47:50 -0500 
Subject: [PATCH 7/7] changelog 
---
 .changelog/2909.txt | 3 +++
 1 file changed, 3 insertions(+) 
diff --git a/.changelog/2909.txt b/.changelog/2909.txt 
index e69de29bb2..cae7f44d45 100644 
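Review bot: The server's `tmp` volume is a disk-backed `emptyDir: {}` with no `sizeLimit`; the commit message says it exists for snapshots, so its growth is bounded only by the node's ephemeral storage (or by a pod `ephemeral-storage` limit, if the chart sets one elsewhere), and a large or repeated snapshot can fill the node and evict neighbouring pods. Either a `sizeLimit` under `emptyDir:` sized for the expected snapshot (e.g. `sizeLimit: <SNAPSHOT_SCRATCH_LIMIT>`, placeholder) or a comment above the volume recording that it is intentionally unbounded would make that a decision rather than an accident. The mount at `@@ -562,6 +564,9 @@` sets `readOnly: false` explicitly, matching the `trusted-cas` mount above it; the container definition it belongs to starts outside the hunk.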
--- a/.changelog/2909.txt 
+++ b/.changelog/2909.txt 
@@ -0,0 +1,3 @@ 
+```release-note:improvement 
+helm: Add readOnlyRootFilesystem to the default restricted security context when runnning `consul-k8s` in a restricted namespaces. 
+``` 
\ No newline at end of file