Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Drop capabilities, enable seccomp and enforce runAsNonRoot #539

Merged
merged 1 commit into from
Jan 20, 2022

Conversation

aryan9600
Copy link
Member

@aryan9600 aryan9600 commented Jan 19, 2022

Further restricts the SecurityContext that the controller runs under, by enabling the default seccomp profile and dropping all linux capabilities.
This was set at container-level to ensure backwards compatibility with use cases in which sidecars are injected into the source-controller pod
without setting less restrictive settings.
Add a uid and gid for the container to enforce runAsNonRoot and ensure
the use of non root users.

BREAKING CHANGES:

  1. The use of new seccomp API requires Kubernetes 1.19.
  2. the controller container is now executed under 65534:65534 (userid:groupid).
    This change may break deployments that hard-coded the user name 'controller' in their PodSecurityPolicy.

Ref: fluxcd/flux2#2014

Signed-off-by: Sanskar Jaiswal sanskar.jaiswal@weave.works
Co-authored-by: Paulo Gomes paulo.gomes@weave.works

Further restricts the SecurityContext that the controller runs under, by enabling the default seccomp profile and dropping all linux capabilities.
This was set at container-level to ensure backwards compatibility with use cases in which sidecars are injected into the source-controller pod
without setting less restrictive settings.
Add a uid and gid for the container to enforce runAsNonRoot and ensure
the use of non root users.

BREAKING CHANGES:
1) The use of new seccomp API requires Kubernetes 1.19.
2) the controller container is now executed under 65534:65534 (userid:groupid).
   This change may break deployments that hard-coded the user name 'controller' in their PodSecurityPolicy.

Signed-off-by: Sanskar Jaiswal <sanskar.jaiswal@weave.works>
Co-authored-by: Paulo Gomes <paulo.gomes@weave.works>
@aryan9600 aryan9600 force-pushed the aryan9600/security-context branch from cd07c14 to c0d5eee Compare January 19, 2022 07:24
@pjbgf
Copy link
Member

pjbgf commented Jan 19, 2022

This was tested on Kubernetes 1.23.1 with restrict "pod security" (below) and it worked as expected.

apiVersion: v1
kind: Namespace
metadata:
  name: flux-system
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/warn-version: latest

@stefanprodan
Copy link
Member

We need to move the "Required for AWS IAM Role bindings" comment, like in the source-controller PR.

@stefanprodan
Copy link
Member

@pjbgf can you confirm that without runAsNonRoot Kubernetes rejects the kustomize-controller pod? Can you post here the apply error please.

@stefanprodan
Copy link
Member

@aryan9600 please link this PR to its upstream issue.

@pjbgf
Copy link
Member

pjbgf commented Jan 19, 2022

@stefanprodan here's the message when runAsNonRoot is not set to true:
(combined from similar events): Error creating: pods "kustomize-controller-b86cf589b-kg6k5" is forbidden: violates PodSecurity "restricted:latest": runAsNonRoot != true (container "manager" must not set securityContext.runAsNonRoot=false)

@stefanprodan stefanprodan merged commit 12d9fab into fluxcd:main Jan 20, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants