From 89ba4f5e8f2bd6de1938c64078f440ad379a7f4a Mon Sep 17 00:00:00 2001
From: Paulo Gomes
Date: Tue, 21 Dec 2021 13:13:01 +0000
Subject: [PATCH 1/3] Bump golang.org/x/text to v0.3.7

Co-authored-by: Sanskar Jaiswal
Signed-off-by: Paulo Gomes
---
 go.mod | 1 +
 1 file changed, 1 insertion(+)

diff --git a/go.mod b/go.mod
index 124135e2e..5a8f6a687 100644
--- a/go.mod
+++ b/go.mod
@@ -19,6 +19,7 @@ require (
 github.com/yvasiyarov/go-metrics v0.0.0-20150112132944-c25f46c4b940 // indirect
 github.com/yvasiyarov/gorelic v0.0.7 // indirect
 github.com/yvasiyarov/newrelic_platform_go v0.0.0-20160601141957-9c099fbc30e9 // indirect
+golang.org/x/text v0.3.7 // indirect
 helm.sh/helm/v3 v3.7.1
 k8s.io/api v0.23.1
 k8s.io/apiextensions-apiserver v0.23.1

From 3134d10d328a4a9bb0293b6d58a8b141230fe3f8 Mon Sep 17 00:00:00 2001
From: Paulo Gomes
Date: Tue, 18 Jan 2022 18:01:37 +0000
Subject: [PATCH 2/3] security: Drop capabilities and enable seccomp

Further restricts the SecurityContext that the controller runs under, by enabling the default seccomp profile and dropping all linux capabilities. This was set at container-level to ensure backwards compatibility with use cases in which sidecars are injected into the source-controller pod without setting less restrictive settings.

BREAKING CHANGE: The use of new seccomp API requires Kubernetes 1.19.

Co-authored-by: Sanskar Jaiswal
Signed-off-by: Paulo Gomes
---
 Dockerfile | 2 +-
 config/manager/deployment.yaml | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 2da7fcb48..059b39be2 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -41,7 +41,7 @@ RUN apk add --no-cache ca-certificates tini
 COPY --from=builder /workspace/helm-controller /usr/local/bin/
-RUN addgroup -S controller && adduser -S controller -G controller
+RUN addgroup -S controller -g 65532 && adduser -D -u 65532 -s /sbin/nologin -S controller -G controller
 USER controller
diff --git a/config/manager/deployment.yaml b/config/manager/deployment.yaml
index 0619b9000..841453b06 100644
--- a/config/manager/deployment.yaml
+++ b/config/manager/deployment.yaml
@@ -25,6 +25,10 @@ spec:
 securityContext:
 allowPrivilegeEscalation: false
 readOnlyRootFilesystem: true
+capabilities:
+drop: ["ALL"]
+seccompProfile:
+type: RuntimeDefault
 ports:
 - containerPort: 8080
 name: http-prom

From ae3f157533192c48719a5e52d36a6de5e953464a Mon Sep 17 00:00:00 2001
From: Paulo Gomes
Date: Tue, 18 Jan 2022 18:06:47 +0000
Subject: [PATCH 3/3] Enforce runAsNonRoot

BREAKING CHANGE: the controller container is now executed under 65534:65534 (userid:groupid). This change may break deployments that hard-coded the user name 'controller' in their PodSecurityPolicy.

Signed-off-by: Paulo Gomes
---
 Dockerfile | 4 +---
 config/manager/deployment.yaml | 1 +
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 059b39be2..bbbaf1bc0 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -41,8 +41,6 @@ RUN apk add --no-cache ca-certificates tini
 COPY --from=builder /workspace/helm-controller /usr/local/bin/
-RUN addgroup -S controller -g 65532 && adduser -D -u 65532 -s /sbin/nologin -S controller -G controller
-
-USER controller
+USER 65534:65534
 ENTRYPOINT [ "/sbin/tini", "--", "helm-controller" ]
diff --git a/config/manager/deployment.yaml b/config/manager/deployment.yaml
index 841453b06..663088dde 100644
--- a/config/manager/deployment.yaml
+++ b/config/manager/deployment.yaml
@@ -25,6 +25,7 @@ spec:
 securityContext:
 allowPrivilegeEscalation: false
 readOnlyRootFilesystem: true
+runAsNonRoot: true
 capabilities:
 drop: ["ALL"]
 seccompProfile:
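Review bot: The added `seccompProfile` block carries a version dependency that the manifest itself does not record: on an API server older than the 1.19 named in the commit message, a field missing from the server's schema is typically pruned on admission rather than rejected, so the Deployment would apply and the container would run without the profile (client-side validation in some tooling may catch it, so this is worth confirming for the apply path used here). A comment next to the field keeps that visible to whoever deploys the manifest, e.g. `# seccompProfile requires Kubernetes >= 1.19; older API servers may drop this field silently`. The `capabilities.drop: ["ALL"]` line has no such dependency and is fine as written.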
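Review bot: `USER 65534:65534` replaces the named `controller` account without a comment saying why, and it also moves away from the UID 65532 pinned by the previous commit in this series, so a maintainer reading the Dockerfile alone has no trail to follow. The numeric form is what makes the manifest's `runAsNonRoot: true` satisfiable: the kubelet must resolve the image user to a UID before starting the container, and a name-only `USER` such as the removed `USER controller` is refused at that point. With the `adduser` line dropped, name resolution now relies on the base image's own passwd entry for 65534 (on Alpine this is normally `nobody`, whose home directory is `/`), so it is worth confirming helm-controller does not need a writable `$HOME`. Suggested comment above the directive: `# Run as the unprivileged nobody UID/GID; numeric so the kubelet can verify runAsNonRoot`.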
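Review bot: `runAsNonRoot: true` is checked by the kubelet against the image's `USER` at container start, so this line is only satisfiable because the Dockerfile in the same series switched to a numeric UID, and nothing in the manifest records that coupling. Either document it inline, `# Requires a numeric non-zero USER in the image (see Dockerfile)`, or pin the identity here as well with `runAsUser: 65534` and `runAsGroup: 65534` so the manifest enforces it even if the image is later rebuilt with a named user. Like the capabilities and seccomp fields above it, this is container-scoped and does not cover injected sidecars, which the previous commit's message says is intentional.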