Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

various securityContext-related fixes #42

Merged
merged 7 commits into from
Dec 1, 2024
Merged

various securityContext-related fixes #42

merged 7 commits into from
Dec 1, 2024

Conversation

cjvirtucio87
Copy link
Contributor

@cjvirtucio87 cjvirtucio87 commented Dec 1, 2024
edited
Loading

My cluster enables the Pod Security admission controller, which requires every pod to adhere to pod security standards:

W1201 09:34:55.535139   14754 warnings.go:70] would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "stunner-auth-server" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "stunner-auth-server" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "stunner-auth-server" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "stunner-auth-server" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

This PR allows chart consumers to set the securityContext of some resources to values that adhere to those standards. The original values are kept as defaults.

@cjvirtucio87 cjvirtucio87 mentioned this pull request Dec 1, 2024
Closed
@cjvirtucio87 cjvirtucio87 changed the title allowing consumer to set securityContext on authService (using original values as default) various securityContext-related fixes Dec 1, 2024
davidkornel
davidkornel reviewed Dec 1, 2024
View reviewed changes
Copy link
Member

@davidkornel davidkornel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi there, thank you for your participation. I left some comments for the auth-service changes.

Unfortunately, the extra field added for the dataplane object is not supported. I am not familiar with the containerSecurityContext field. Isn't the securityContext field enough for your use case? Also, please take a look at what field are supported in the dataplane spec

helm/stunner-gateway-operator/templates/stunner-auth-service.yaml Outdated Show resolved Hide resolved
helm/stunner-gateway-operator/templates/stunner-default-dataplane.yaml Show resolved Hide resolved
davidkornel
davidkornel requested changes Dec 1, 2024
View reviewed changes
Copy link
Member

@davidkornel davidkornel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please, see the one comment

@cjvirtucio87
Copy link
Contributor Author

Hi there, thank you for your participation. I left some comments for the auth-service changes.

Unfortunately, the extra field added for the dataplane object is not supported. I am not familiar with the containerSecurityContext field. Isn't the securityContext field enough for your use case? Also, please take a look at what field are supported in the dataplane spec

when the gateway operator detects a change to the dataplane's spec, it iterates through the expected containers and sets the securityContext for each container, using the value of containerSecurityContext from the dataplane spec.

securityContext on the dataplane spec only configures the pod-level securityContext:

% kubectl explain deployment.spec.template.spec.securityContext

...
    SecurityContext holds pod-level security attributes and common container
    settings. Optional: Defaults to empty.  See type description for default
    values of each field.
    PodSecurityContext holds pod-level security attributes and common container
    settings. Some fields are also present in container.securityContext.  Field
    values of container.securityContext take precedence over field values of
    PodSecurityContext.

as opposed to the securityContext for the container:

% kubectl explain deployment.spec.template.spec.containers.securityContext

...

    SecurityContext defines the security options the container should be run
    with. If set, the fields of SecurityContext override the equivalent fields
    of PodSecurityContext. More info:
    https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
    SecurityContext holds security configuration that will be applied to a
    container. Some fields are present in both SecurityContext and
    PodSecurityContext.  When both are set, the values in SecurityContext take
    precedence.

it's not stated in the standards why the container-level securityContext needs to be restricted as opposed to the pod, but I'm guessing it's because it completely avoids the risk of the container one overriding the pod's.

davidkornel
davidkornel approved these changes Dec 1, 2024
View reviewed changes
Copy link
Member

@davidkornel davidkornel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks.

@davidkornel davidkornel merged commit a18fe93 into l7mp:main Dec 1, 2024
2 checks passed
davidkornel added a commit that referenced this pull request Dec 1, 2024
@davidkornel
docs: Add parameters from #40 #41 #42
39d5e8f 
Signed-off-by: Kornel David <[email protected]>
davidkornel added a commit that referenced this pull request Dec 1, 2024
@davidkornel
feat: Artifacthub integration (#44)
72ac8bb 
* feat: Some changes for artifacthub compatibility

Signed-off-by: Kornel David <[email protected]>

* docs: Add generated parameter list to README

Signed-off-by: Kornel David <[email protected]>

* docs: Remove whitespace

Signed-off-by: Kornel David <[email protected]>

* docs: Add intro and install part to the sgw chart readme

Signed-off-by: Kornel David <[email protected]>

* docs: Fix link

Signed-off-by: Kornel David <[email protected]>

* docs: Add parameters from #40 #41 #42

Signed-off-by: Kornel David <[email protected]>

* docs: Add README to the og stunner chart

Signed-off-by: Kornel David <[email protected]>

---------

Signed-off-by: Kornel David <[email protected]>
@cjvirtucio87 cjvirtucio87 deleted the psa-securityContext branch December 2, 2024 19:11
@cjvirtucio87 cjvirtucio87 mentioned this pull request Dec 6, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@davidkornel davidkornel davidkornel approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@cjvirtucio87 @davidkornel