From dfdf7ffe9fc9388bcb2dbc7b570db1b0bd0e5d24 Mon Sep 17 00:00:00 2001
From: Nathan Coleman
Date: Thu, 27 Oct 2022 15:02:33 -0400
Subject: [PATCH 1/5] Add PodSecurityPolicy for Consul API Gateway controller

---
 ...-gateway-controller-podsecuritypolicy.yaml | 40 +++++++++++++++++++
 1 file changed, 40 insertions(+)
 create mode 100644 charts/consul/templates/api-gateway-controller-podsecuritypolicy.yaml

diff --git a/charts/consul/templates/api-gateway-controller-podsecuritypolicy.yaml b/charts/consul/templates/api-gateway-controller-podsecuritypolicy.yaml
new file mode 100644
index 0000000000..390d084303
--- /dev/null
+++ b/charts/consul/templates/api-gateway-controller-podsecuritypolicy.yaml
@@ -0,0 +1,40 @@
+{{- if and .Values.apiGateway.enabled .Values.global.enablePodSecurityPolicies }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ template "consul.fullname" . }}-api-gateway-controller
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ template "consul.name" . }}
+    chart: {{ template "consul.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+    component: api-gateway-controller
+spec:
+  privileged: false
+  # Required to prevent escalations to root.
+  allowPrivilegeEscalation: false
+  # This is redundant with non-root + disallow privilege escalation,
+  # but we can provide it for defense in depth.
+  requiredDropCapabilities:
+    - ALL
+  # Allow core volume types.
+  volumes:
+    - 'configMap'
+    - 'emptyDir'
+    - 'projected'
+    - 'secret'
+    - 'downwardAPI'
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    rule: 'RunAsAny'
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'RunAsAny'
+  fsGroup:
+    rule: 'RunAsAny'
+  readOnlyRootFilesystem: true
+{{- end }}

From 5af4a55d03f2c0efef0f3040f0da344536e72c48 Mon Sep 17 00:00:00 2001
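Review bot: The comment above `requiredDropCapabilities` says the capability drop is "redundant with non-root", but this policy sets `runAsUser: rule: 'RunAsAny'`, so nothing in it actually forces the controller to run unprivileged; `allowPrivilegeEscalation: false` only stops a process from gaining more than it started with, and a container that starts as UID 0 stays UID 0. If the controller image runs as a non-root user (I cannot confirm that from this hunk), the rule should be `runAsUser:` / `rule: 'MustRunAsNonRoot'` so the PSP enforces what the comment claims; if it does not, the comment should be reworded so it stops asserting a non-root guarantee the policy does not provide. Separately, `namespace: {{ .Release.Namespace }}` has no meaning on a cluster-scoped PodSecurityPolicy and can be dropped. Note also that `policy/v1beta1` PodSecurityPolicy is gone from Kubernetes 1.25+, which is presumably why the resource stays opt-in behind `global.enablePodSecurityPolicies`; a one-line comment to that effect above the `{{- if` would help whoever revisits this when migrating to Pod Security Admission.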
From: Nathan Coleman
Date: Thu, 27 Oct 2022 15:48:36 -0400
Subject: [PATCH 2/5] Grant Consul API Gateway controller access to new PodSecurityPolicy

---
 .../templates/api-gateway-controller-clusterrole.yaml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/charts/consul/templates/api-gateway-controller-clusterrole.yaml b/charts/consul/templates/api-gateway-controller-clusterrole.yaml
index 0676c6ae4e..f84c5561c2 100644
--- a/charts/consul/templates/api-gateway-controller-clusterrole.yaml
+++ b/charts/consul/templates/api-gateway-controller-clusterrole.yaml
@@ -244,4 +244,12 @@ rules:
   - get
   - patch
   - update
+{{- if .Values.global.enablePodSecurityPolicies }}
+- apiGroups: ["policy"]
+  resources: ["podsecuritypolicies"]
+  resourceNames:
+    - {{ template "consul.fullname" . }}-api-gateway-controller
+  verbs:
+    - use
+{{- end }}
 {{- end }}

From f7c9e8f18b222570f4ebefee2a8480c020a08006 Mon Sep 17 00:00:00 2001
From: Nathan Coleman
Date: Fri, 28 Oct 2022 16:49:30 -0400
Subject: [PATCH 3/5] Add unit test coverage for clusterrole + podsecuritypolicy

---
 .../api-gateway-controller-clusterrole.bats   | 12 ++++++++++
 ...-gateway-controller-podsecuritypolicy.bats | 22 +++++++++++++++++++
 2 files changed, 34 insertions(+)
 create mode 100644 charts/consul/test/unit/api-gateway-controller-podsecuritypolicy.bats

diff --git a/charts/consul/test/unit/api-gateway-controller-clusterrole.bats b/charts/consul/test/unit/api-gateway-controller-clusterrole.bats
index a3edec027d..9be85874ad 100644
--- a/charts/consul/test/unit/api-gateway-controller-clusterrole.bats
+++ b/charts/consul/test/unit/api-gateway-controller-clusterrole.bats
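Review bot: This grant only covers whatever subjects this ClusterRole is bound to, presumably the controller's own service account (the binding is outside the hunk), because `use` is pinned by `resourceNames` to the controller PSP. If the controller also launches gateway/Envoy pods under a different service account — I cannot confirm that from this hunk — those pods will be refused by PSP admission unless their service account is likewise granted `use` on some policy, so that path is worth checking before this is relied on in a PSP-enforcing cluster. The rule is gated on `global.enablePodSecurityPolicies` alone while the PSP template also requires `apiGateway.enabled`; that is consistent only because this file appears to sit inside an enclosing guard whose opening `{{- if` is outside the hunk (only its closing `{{- end }}` is visible as context). A short comment above the rule, `# Lets this role's subjects be admitted under the controller PSP in api-gateway-controller-podsecuritypolicy.yaml.`, would make the pairing between the two templates explicit.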
@@ -19,3 +19,15 @@ load _helpers
     yq 'length > 0' | tee /dev/stderr)
   [ "${actual}" = "true" ]
 }
+
+@test "apiGateway/ClusterRole: uses PodSecurityPolicy with apiGateway.enabled=true and global.enablePodSecurityPolicies=true" {
+  cd `chart_dir`
+  local actual=$(helm template \
+    -s templates/api-gateway-controller-clusterrole.yaml \
+    --set 'global.enablePodSecurityPolicies=true' \
+    --set 'apiGateway.enabled=true' \
+    --set 'apiGateway.image=foo' \
+    . | tee /dev/stderr |
+    yq '.rules[] | select(.resourceNames[] == "release-name-consul-api-gateway-controller") | select(.resources[] == "podsecuritypolicies") | length > 0' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+}
diff --git a/charts/consul/test/unit/api-gateway-controller-podsecuritypolicy.bats b/charts/consul/test/unit/api-gateway-controller-podsecuritypolicy.bats
new file mode 100644
index 0000000000..dfd40c793f
--- /dev/null
+++ b/charts/consul/test/unit/api-gateway-controller-podsecuritypolicy.bats
@@ -0,0 +1,22 @@
+#!/usr/bin/env bats
+
+load _helpers
+
+@test "apiGateway/PodSecurityPolicy: disabled by default" {
+  cd `chart_dir`
+  assert_empty helm template \
+    -s templates/api-gateway-controller-podsecuritypolicy.yaml \
+    .
+}
+
+@test "apiGateway/PodSecurityPolicy: enabled with apiGateway.enabled=true and global.enablePodSecurityPolicies=true" {
+  cd `chart_dir`
+  local actual=$(helm template \
+    -s templates/api-gateway-controller-podsecuritypolicy.yaml \
+    --set 'global.enablePodSecurityPolicies=true' \
+    --set 'apiGateway.enabled=true' \
+    --set 'apiGateway.image=foo' \
+    . | tee /dev/stderr |
+    yq 'length > 0' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+}

From 735e781272127c58b344f25f563ed999139f19ce Mon Sep 17 00:00:00 2001
From: Nathan Coleman
Date: Fri, 28 Oct 2022 17:11:48 -0400
Subject: [PATCH 4/5] Add changelog entry

---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 568c7b574d..845090e222 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
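Review bot: The enabled-case test in the new `api-gateway-controller-podsecuritypolicy.bats` only asserts that the template renders something (`yq 'length > 0'`), so a later change that relaxed the policy — flipping `privileged` or `allowPrivilegeEscalation` to true, or adding `hostPath` to `volumes` — would pass unchanged. A test that pins the hardening fields the template sets gives the policy some regression protection. The `and` in the template's guard is also untested: `global.enablePodSecurityPolicies=true` with `apiGateway.enabled=false` should render nothing, which `assert_empty helm template -s templates/api-gateway-controller-podsecuritypolicy.yaml --set 'global.enablePodSecurityPolicies=true' .` would cover. The jq-style expression below assumes `yq` here is the jq-syntax wrapper the existing `select`/`length` calls already rely on.

```bash
@test "apiGateway/PodSecurityPolicy: keeps hardening fields restrictive" {
  cd `chart_dir`
  local actual=$(helm template \
      -s templates/api-gateway-controller-podsecuritypolicy.yaml \
      --set 'global.enablePodSecurityPolicies=true' \
      --set 'apiGateway.enabled=true' \
      --set 'apiGateway.image=foo' \
      . | tee /dev/stderr |
      yq '.spec.privileged == false and .spec.allowPrivilegeEscalation == false and .spec.hostNetwork == false and .spec.hostPID == false and .spec.hostIPC == false and .spec.readOnlyRootFilesystem == true and ([.spec.volumes[] == "hostPath"] | any | not)' | tee /dev/stderr)
  [ "${actual}" = "true" ]
}
```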
@@ -29,6 +29,7 @@ IMPROVEMENTS:
 * Remove deprecated annotation `service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"` in the `server-service` template. [[GH-1619](https://github.com/hashicorp/consul-k8s/pull/1619)]
 * Support `minAvailable` on connect injector `PodDisruptionBudget`. [[GH-1557](https://github.com/hashicorp/consul-k8s/pull/1557)]
 * Add `tolerations` and `nodeSelector` to Server ACL init jobs and `nodeSelector` to Webhook cert manager. [[GH-1581](https://github.com/hashicorp/consul-k8s/pull/1581)]
+* API Gateway: Create PodSecurityPolicy for controller when `global.enablePodSecurityPolicies=true`. [[GH-1656](https://github.com/hashicorp/consul-k8s/pull/1656)]
 
 ## 1.0.0-beta3 (October 12, 2022)
 

From 3196f8466e7bae6c22a775529e6885bf7b89a523 Mon Sep 17 00:00:00 2001
From: Nathan Coleman
Date: Mon, 31 Oct 2022 16:44:02 -0400
Subject: [PATCH 5/5] Use YQ@3 friendly select

---
 .../unit/api-gateway-controller-clusterrole.bats | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/charts/consul/test/unit/api-gateway-controller-clusterrole.bats b/charts/consul/test/unit/api-gateway-controller-clusterrole.bats
index 9be85874ad..b69b6ac966 100644
--- a/charts/consul/test/unit/api-gateway-controller-clusterrole.bats
+++ b/charts/consul/test/unit/api-gateway-controller-clusterrole.bats
@@ -23,11 +23,11 @@ load _helpers
 @test "apiGateway/ClusterRole: uses PodSecurityPolicy with apiGateway.enabled=true and global.enablePodSecurityPolicies=true" {
   cd `chart_dir`
   local actual=$(helm template \
-    -s templates/api-gateway-controller-clusterrole.yaml \
-    --set 'global.enablePodSecurityPolicies=true' \
-    --set 'apiGateway.enabled=true' \
-    --set 'apiGateway.image=foo' \
-    . | tee /dev/stderr |
-    yq '.rules[] | select(.resourceNames[] == "release-name-consul-api-gateway-controller") | select(.resources[] == "podsecuritypolicies") | length > 0' | tee /dev/stderr)
+      -s templates/api-gateway-controller-clusterrole.yaml \
+      --set 'global.enablePodSecurityPolicies=true' \
+      --set 'apiGateway.enabled=true' \
+      --set 'apiGateway.image=foo' \
+      . | tee /dev/stderr |
+      yq '.rules[] | select((.resourceNames[0] == "release-name-consul-api-gateway-controller") and (.resources[0] == "podsecuritypolicies")) | length > 0' | tee /dev/stderr)
   [ "${actual}" = "true" ]
 }
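Review bot: The rewritten `select` still only matches on `resourceNames` and `resources`; the `verbs` list, which is the security-relevant part of the grant, is never asserted, so a rule later widened to `["*"]` or `["get", "use"]` would pass this test unchanged. Replacing the trailing `length > 0` with a verb check pins it: `yq '.rules[] | select((.resourceNames[0] == "release-name-consul-api-gateway-controller") and (.resources[0] == "podsecuritypolicies")) | .verbs == ["use"]'`. The switch from `.resourceNames[]` to `.resourceNames[0]` is what lets the expression survive rules that have no `resourceNames` at all (in jq syntax `null[0]` is `null` while `null[]` is an error), which I take to be the reason for the change; a comment on the `yq` line such as `# index [0] rather than [] so rules without resourceNames do not error` would save the next reader the puzzle.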