feat: add securityContext for pod and container #357
Conversation
|
any thoughts @slok ? :) |
|
We are also waiting for this to get merged |
|
+1, we are waiting for this too. |
|
Hi @ChrisFraun, thanks for the PR! I will try reviewing this next week, however, I would prefer to not have this as a default, but as an option. I think that most people lean towards not having all this complexity by default. Also, could you add some tests please 🙏 Security is important, but simplicity too, it all depends on the context you are running things :) |
|
I understand! |
|
Here are the tests: https://github.com/slok/sloth/tree/main/deploy/kubernetes/helm/sloth/tests I don't want to derail the PR in another kind of discussion about security philosophy, I just going to say that security adds complexity (always, and at multiple layers), and context matters (people forget about this). If this default doesn't have any side effects, why Kubernetes doesn't set this as a default when not specifying anything? I'm not, the one forcing users to select their pod security if Kubernetes doesn't do it either. Don't get me wrong, I'm not saying security is not important, security it's so important matter that at the moment I would need this kind of security level, I would not be comfortable depending on a random third-party helm chart to control my cluster security, I would use webhooks and/or controllers to have that sorted at a cluster level. |
|
True, we can leave the settings empty as well. For me the most important that the contexts are set correctly for pod and containers respectively. |
|
Not completely sure if I did it right. I ran the test commands |
|
I think that this may help you to have a better feedback loop :) |
|
|
Codecov Report
@@ Coverage Diff @@
## main #357 +/- ##
=======================================
Coverage 75.58% 75.58%
=======================================
Files 17 17
Lines 1491 1491
=======================================
Hits 1127 1127
Misses 286 286
Partials 78 78 Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. |
There was a problem hiding this comment.
You go it passing finally! Congrats :) Many thanks for the contribution @ChrisFraun.
I see minor things that I could change myself afterward (like test location), so it doesn't make sense to block this PR even more time.
🚀
What: Deployments can have security settings in their manifest on two levels: pod and container. However, there are some capabilities only configurable in one of the respective levels(https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#securitycontext-v1-core). This PR sets a default configuration for container securityContext, which drops all POSIX capabilities and denies privilege escalation and for pod securityContext adds user, group fsGroup and supplementalGroups and also denies root usage.
These are and should be standard settings in the context of Kubernetes. It also adds the possibility of running vault-injector in a Kubernetes environment without PSP (to be removed in v1.25 https://kubernetes.io/docs/concepts/security/pod-security-policy/), but with OpenPolicyAgent (possibly the PSP substitute) with the same capabilities as a restricted PSP instead.
This PR sets the respective settings to the values.yaml and is defaulting them as well. With this they can be adopted if it is needed.