From ba322d8e9a087bf59e2dc1923dc08bc5e8447bcf Mon Sep 17 00:00:00 2001
From: Matt Colman
Date: Fri, 13 Nov 2020 15:29:17 +0000
Subject: [PATCH] scc changes

---
 .../templates/serviceaccount-initsysctl.yaml | 15 -----
 .../templates/sonarqube-init-scc.yaml | 58 -------------------
 charts/sonarqube/templates/sonarqube-scc.yaml | 16 ++---
 charts/sonarqube/values.yaml | 5 --
 4 files changed, 6 insertions(+), 88 deletions(-)
 delete mode 100644 charts/sonarqube/templates/serviceaccount-initsysctl.yaml
 delete mode 100644 charts/sonarqube/templates/sonarqube-init-scc.yaml

diff --git a/charts/sonarqube/templates/serviceaccount-initsysctl.yaml b/charts/sonarqube/templates/serviceaccount-initsysctl.yaml
deleted file mode 100644
index 040a129..0000000
--- a/charts/sonarqube/templates/serviceaccount-initsysctl.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-{{- if .Values.initSysctl.serviceAccount.create -}}
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-{{- if .Values.initSysctl.serviceAccount.name }}
- name: {{ .Values.initSysctl.serviceAccount.name }}
-{{- else }}
- name: {{ include "sonarqube.fullname" . }}-initsysctl
-{{- end }}
-{{- if .Values.serviceAccount.annotations }}
- annotations:
-{{ toYaml .Values.serviceAccount.annotations | indent 4 }}
-{{- end }}
-{{- end -}}
diff --git a/charts/sonarqube/templates/sonarqube-init-scc.yaml b/charts/sonarqube/templates/sonarqube-init-scc.yaml
deleted file mode 100644
index b8e8997..0000000
--- a/charts/sonarqube/templates/sonarqube-init-scc.yaml
+++ /dev/null
@@ -1,58 +0,0 @@
-{{- if and (.Values.OpenShift.enabled) (.Values.OpenShift.createSCC) }}
-{{- if and (.Values.initSysctl.serviceAccount.create) (not .Values.initSysctl.serviceAccount.name) }}
-
-# This SCC allows any user ID except root
-apiVersion: security.openshift.io/v1
-kind: SecurityContextConstraints
-metadata:
- annotations:
- kubernetes.io/description: "allows pod to run as root, privileged and run sysctl"
- "helm.sh/hook": pre-install
- name: {{ .Release.Name }}-initsysctl-privileged-scc
-allowHostDirVolumePlugin: false
-allowHostIPC: false
-allowHostNetwork: false
-allowHostPID: false
-allowHostPorts: false
-allowPrivilegedContainer: true
-allowPrivilegeEscalation: true
-allowedCapabilities: []
-allowedFlexVolumes: []
-allowedUnsafeSysctls: []
-defaultAddCapabilities: []
-defaultAllowPrivilegeEscalation: true
-fsGroup:
- type: RunAsAny
-readOnlyRootFilesystem: false
-requiredDropCapabilities:
-- KILL
-- MKNOD
-- SETUID
-- SETGID
-runAsUser:
- type: RunAsAny
-# This can be customized for your host machine
-seLinuxContext:
- type: MustRunAs
-# seLinuxOptions:
-# level:
-# user:
-# role:
-# type:
-supplementalGroups:
- type: RunAsAny
-# This can be customized for your host machine
-volumes:
-- configMap
-- downwardAPI
-- emptyDir
-- persistentVolumeClaim
-- projected
-- secret
-# If you want a priority on your SCC -- set for a value more than 0
-priority: 11
-users:
-- system:serviceaccount:{{ .Release.Namespace }}:{{ .Release.Name }}-sonarqube-initsysctl
-
-{{- end }}
-{{- end }}
\ No newline at end of file
diff --git a/charts/sonarqube/templates/sonarqube-scc.yaml b/charts/sonarqube/templates/sonarqube-scc.yaml
index cb6f6fe..954d20c 100644
--- a/charts/sonarqube/templates/sonarqube-scc.yaml
+++ b/charts/sonarqube/templates/sonarqube-scc.yaml
@@ -1,29 +1,25 @@
 {{- if and (.Values.OpenShift.enabled) (.Values.OpenShift.createSCC) }}
-# This SCC allows any user ID except root
+# This SCC allows any user ID but restricts capabilties and host access
 apiVersion: security.openshift.io/v1
 kind: SecurityContextConstraints
 metadata:
 annotations:
- kubernetes.io/description: "nonroot provides all features of the restricted SCC
- but allows users to run with any non-root UID. The user must specify the UID
- or it must be specified on the by the manifest of the container runtime."
+ kubernetes.io/description: "allows pod to run as root, privileged and run sysctl"
 "helm.sh/hook": pre-install
- name: {{ .Release.Name }}-nonroot-scc
+ name: {{ .Release.Name }}-privileged-scc
 allowHostDirVolumePlugin: false
 allowHostIPC: false
 allowHostNetwork: false
 allowHostPID: false
 allowHostPorts: false
-allowPrivilegedContainer: false
+allowPrivilegedContainer: true
 allowPrivilegeEscalation: true
 allowedCapabilities: []
 allowedFlexVolumes: []
 allowedUnsafeSysctls: []
 defaultAddCapabilities: []
 defaultAllowPrivilegeEscalation: true
-forbiddenSysctls:
- - "*"
 fsGroup:
 type: RunAsAny
 readOnlyRootFilesystem: false
@@ -33,7 +29,7 @@ requiredDropCapabilities:
 - SETUID
 - SETGID
 runAsUser:
- type: MustRunAsNonRoot
+ type: RunAsAny
 # This can be customized for your host machine
 seLinuxContext:
 type: MustRunAs
@@ -62,4 +58,4 @@ users:
 {{- end }}
 - system:serviceaccount:{{ .Release.Namespace }}:{{ .Release.Name }}-postgresql
-{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/sonarqube/values.yaml b/charts/sonarqube/values.yaml
index 9516f50..e03fe24 100644
--- a/charts/sonarqube/values.yaml
+++ b/charts/sonarqube/values.yaml
@@ -134,14 +129,9 @@ initSysctl:
 nofile: 131072
 nproc: 8192
 # image: busybox:1.32
- serviceAccount:
- create: false
- # name:
 securityContext:
 privileged: true
 # resources: {}
- job:
- restartPolicy: OnFailure
 # List of plugins to install.
 # For example:
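Review bot: The rewritten SCC in the first hunk now grants `allowPrivilegedContainer: true` and (second hunk) `runAsUser: RunAsAny` to every account in its `users` list, and the third hunk shows that list still contains the postgresql service account, so privilege that the deleted `-initsysctl-privileged-scc` confined to one init-container identity is now available to the database pod as well. If postgresql does not need privileged mode, drop `- system:serviceaccount:{{ .Release.Namespace }}:{{ .Release.Name }}-postgresql` from this SCC and let that pod fall back to the cluster's restricted SCC. The new header comment `# This SCC allows any user ID but restricts capabilties and host access` (typo aside) overstates the restriction: a privileged container is effectively not constrained by `allowedCapabilities: []` or `requiredDropCapabilities`, so a more honest line is `# Allows any UID and privileged containers (needed by the sysctl init container); host namespaces, host paths and host ports stay disabled`. Removing `forbiddenSysctls: "*"` only matters if pod-level `securityContext.sysctls` are intended; with `allowedUnsafeSysctls: []` still present only the safe set is admitted, so either restore the forbid list or document why pod-level sysctls are now allowed. The `users` and `priority` portion of this template lies outside the hunks shown.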