Apply more restrictive SecurityContext to components #2433
Conversation
@@ -169,17 +172,23 @@ func (c *component) egwBuildAnnotations() map[string]string { | |||
} | |||
|
|||
func (c *component) egwInitContainer() *corev1.Container { | |||
sc := securitycontext.NewRootContext(true) |
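Review bot: `NewRootContext(true)` does not say what the boolean selects; if it is `privileged` (as the review comment on this line suggests), then any `Capabilities.Add` on this init container, NET_ADMIN included, is redundant, because a privileged container already holds every capability, and the explicit Add list should go. A short comment on why the egress-gateway init container needs privileged rather than a narrower capability set would also help reviewers, and passing a named boolean (for example `privileged := true`) instead of a bare `true` would make the call site self-documenting.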
Pending validation from @sridhartigera. As the init container is running as root and privileged, can we remove the NET_ADMIN?
lgtm
sc.Capabilities.Add = []corev1.Capability{ | ||
"SETGID", | ||
"SETUID", | ||
"SYS_CHROOT", | ||
} |
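Review bot: The added `SETGID`, `SETUID` and `SYS_CHROOT` list should carry a comment recording why each one is required (the thread says the Elasticsearch entrypoint's `chroot` needs them), and the context should set `Drop: ["ALL"]` before this Add so the three capabilities are the complete set rather than an extension of the runtime default. Note that SETUID/SETGID together with SYS_CHROOT let a compromised process change identity and change root, which `allowPrivilegeEscalation: false` does not prevent, so it is worth confirming that the entrypoint drops to a non-root user once the chroot is done.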
Does the ES entrypoint script work without `SETGID` and `SETUID`?
Not really. I believe `chroot` needs them.
This changeset adds a more restrictive SecurityContext to Calico open source and enterprise components. The least privilege principle is applied to this change. Data plane components are mostly running as the root user and application layer components are running as non-root users. `Capabilities` and `SeccompProfile` are also filled with sensible defaults in the `SecurityContext`s.
I have tested a standard Calico Enterprise install on the following platforms:
This changeset adds and updates `PodSecurityPolicy` for open source and enterprise components to match the recent work for SecurityContext in [1]. This is also required for all components to work in a CIS hardened RKE2 cluster. To summarize the changes:
* Update Elasticsearch and Fluentd capabilities in `PodSecurityPolicy` to match `SecurityContext`.
* Add missing `PodSecurityPolicy` for all enterprise components. Enterprise components like packetcapture, esgateway, l7-log-collector, etc. can be deployed without creating `PodSecurityPolicy` manually.
* Manage the Prometheus operator `ClusterRole` and `ClusterRoleBinding` in the operator.
* Use `UsePSP` as the only flag to determine whether we need to render `PodSecurityPolicy` or not.
[1] tigera#2433
When the PSP Pod Admission Controller is enabled in a cluster before v1.25, add the PSP PolicyRule for anomaly detection detectors. This was missed in tigera#2433.
Description
This changeset adds a more restrictive SecurityContext to Calico open source and enterprise components. The least privilege principle is applied to this change.
Data plane components are mostly running as the root user and application layer components are running as non-root users. `Capabilities` and `SeccompProfile` are also filled with sensible defaults in `SecurityContext`s.
For PR author
* `make gen-files`
* `make gen-versions`
For PR reviewers
A note for code reviewers - all pull requests must have the following:
* `kind/bug` if this is a bugfix.
* `kind/enhancement` if this is a new feature.
* `enterprise` if this PR applies to Calico Enterprise only.
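The least-privilege rules the description lays out (non-root unless the component really needs root, capabilities and a seccomp profile set explicitly, and no redundant capability list on a privileged container, the point raised on the egress-gateway init container above) can be checked mechanically against a rendered pod spec. The following is an added example written for this page, not code from the tigera/operator repository: it mirrors only the `corev1` JSON field names it needs in local structs (an assumption, so that it runs without the Kubernetes API module), audits every init and regular container, and is exercised against a constructed three-container spec that is not one the operator renders.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Local mirror of the corev1 JSON field names used by the audit.
// Assumption: field names match k8s.io/api/core/v1; this is not the operator's code.
type Capabilities struct {
	Add  []string `json:"add,omitempty"`
	Drop []string `json:"drop,omitempty"`
}

type SeccompProfile struct {
	Type string `json:"type"`
}

type SecurityContext struct {
	Privileged               *bool           `json:"privileged,omitempty"`
	RunAsNonRoot             *bool           `json:"runAsNonRoot,omitempty"`
	RunAsUser                *int64          `json:"runAsUser,omitempty"`
	AllowPrivilegeEscalation *bool           `json:"allowPrivilegeEscalation,omitempty"`
	Capabilities             *Capabilities   `json:"capabilities,omitempty"`
	SeccompProfile           *SeccompProfile `json:"seccompProfile,omitempty"`
}

type Container struct {
	Name            string           `json:"name"`
	SecurityContext *SecurityContext `json:"securityContext,omitempty"`
}

type PodSpec struct {
	InitContainers []Container `json:"initContainers,omitempty"`
	Containers     []Container `json:"containers"`
}

// Finding is one least-privilege deviation on a named container.
type Finding struct {
	Container string
	Rule      string
}

func isTrue(b *bool) bool { return b != nil && *b }

func contains(list []string, want string) bool {
	for _, s := range list {
		if s == want {
			return true
		}
	}
	return false
}

// AuditContainer applies the rules from the PR description: a seccomp profile
// on every container, drop ALL before adding specific capabilities, non-root
// unless the component is deliberately privileged, and no explicit Add list on
// a privileged container (privileged already grants every capability).
func AuditContainer(c Container) []Finding {
	var out []Finding
	add := func(rule string) { out = append(out, Finding{Container: c.Name, Rule: rule}) }

	sc := c.SecurityContext
	if sc == nil {
		add("no securityContext set")
		return out
	}
	if sc.SeccompProfile == nil || sc.SeccompProfile.Type == "Unconfined" {
		add("seccompProfile missing or Unconfined")
	}
	if isTrue(sc.Privileged) {
		if sc.Capabilities != nil && len(sc.Capabilities.Add) > 0 {
			add("privileged container also adds capabilities (redundant)")
		}
		return out // root and privilege escalation are implied by privileged
	}
	var adds []string
	if sc.Capabilities != nil {
		adds = sc.Capabilities.Add
	}
	if sc.Capabilities == nil || !contains(sc.Capabilities.Drop, "ALL") {
		add("capabilities.drop does not include ALL")
	}
	if !isTrue(sc.RunAsNonRoot) && (sc.RunAsUser == nil || *sc.RunAsUser == 0) {
		add("runs as root without privileged (set runAsNonRoot or justify root)")
	}
	// The API server forces allowPrivilegeEscalation=true when SYS_ADMIN is
	// added, so the explicit-false rule only applies when it is not.
	if !contains(adds, "SYS_ADMIN") && (sc.AllowPrivilegeEscalation == nil || *sc.AllowPrivilegeEscalation) {
		add("allowPrivilegeEscalation is not explicitly false")
	}
	return out
}

// AuditPodSpec parses a pod spec (JSON) and audits init containers first,
// then regular containers, in declaration order.
func AuditPodSpec(raw []byte) ([]Finding, error) {
	var spec PodSpec
	if err := json.Unmarshal(raw, &spec); err != nil {
		return nil, fmt.Errorf("parse pod spec: %w", err)
	}
	var out []Finding
	for _, c := range spec.InitContainers {
		out = append(out, AuditContainer(c)...)
	}
	for _, c := range spec.Containers {
		out = append(out, AuditContainer(c)...)
	}
	return out, nil
}

// CountByContainer summarises findings per container name.
func CountByContainer(fs []Finding) map[string]int {
	m := map[string]int{}
	for _, f := range fs {
		m[f.Container]++
	}
	return m
}

// SamplePodSpec is a constructed spec, not one rendered by the operator: a
// privileged init container that also adds NET_ADMIN, a hardened non-root
// application container, and a root container that adds capabilities without
// dropping ALL and without a seccomp profile.
const SamplePodSpec = `{
  "initContainers": [
    {"name": "egw-init", "securityContext": {"privileged": true, "runAsUser": 0,
      "capabilities": {"add": ["NET_ADMIN"]}, "seccompProfile": {"type": "RuntimeDefault"}}}
  ],
  "containers": [
    {"name": "api", "securityContext": {"runAsNonRoot": true, "runAsUser": 10001,
      "allowPrivilegeEscalation": false, "capabilities": {"drop": ["ALL"]},
      "seccompProfile": {"type": "RuntimeDefault"}}},
    {"name": "elasticsearch", "securityContext": {"runAsUser": 0,
      "capabilities": {"add": ["SETGID", "SETUID", "SYS_CHROOT"]}}}
  ]
}`

func main() {
	findings, err := AuditPodSpec([]byte(SamplePodSpec))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-14s %s\n", f.Container, f.Rule)
	}
}
```

On the sample, the hardened `api` container produces no findings, `egw-init` is flagged once for the redundant NET_ADMIN, and `elasticsearch` is flagged four times (no seccomp profile, no `Drop: ALL`, root without privileged, and `allowPrivilegeEscalation` not pinned to false). The rules are deliberately stricter than the Pod Security "baseline" profile so that a data-plane component running as root shows up as a conscious exception rather than passing silently.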