Apply more restrictive SecurityContext to components #2433
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
hjiawei
commented
Jan 28, 2023
| @@ -169,17 +172,23 @@ func (c *component) egwBuildAnnotations() map[string]string { | |||
| } | |||
|
|
|||
| func (c *component) egwInitContainer() *corev1.Container { | |||
| sc := securitycontext.NewRootContext(true) | |||
There was a problem hiding this comment.
Pending validation from @sridhartigera. As the init container is running as root and privileged, can we remove the NET_ADMIN?
hjiawei
force-pushed
the
cis-perm-tune
branch
9 times, most recently
from
02c0944
to
d60302a
Compare
hjiawei
force-pushed
the
cis-perm-tune
branch
5 times, most recently
from
0cbf7b7
to
c53be0f
Compare
hjiawei
force-pushed
the
cis-perm-tune
branch
from
c53be0f
to
340fae0
Compare
anthonytwh
reviewed
Feb 2, 2023
Comment on lines
+584
to
+588
| sc.Capabilities.Add = []corev1.Capability{ | ||
| "SETGID", | ||
| "SETUID", | ||
| "SYS_CHROOT", | ||
| } |
There was a problem hiding this comment.
Does the ES entrypoint script work without SETGID and SETUID?
There was a problem hiding this comment.
Not really. I believe chroot needs them.
This changeset add more restrictive SecurityContext to Calico opensource and enterprise components. Least privilege principle is applied to this change. Data plane components are mostly running as root user and application layer compoennts are running as non-root users. `Capabilities` and `SeccompProfile` are also filled with sensible defaults in `SecurityContext`s.
hjiawei
force-pushed
the
cis-perm-tune
branch
from
340fae0
to
225298b
Compare
|
I have tested a standard Calico Enterprise install on the following platforms:
|
5 tasks
hjiawei
added a commit
to hjiawei/operator
that referenced
this pull request
Feb 24, 2023
This changeset add and update PodSecurityPolicy for open source and enterprise components to match the recent work for SecurityContext in [1]. To summarize the changes: * Update Elasticsearch and Fluentd capabilities in PodSecurityPolicy to match SecurityContext. * Add missing PSPs for all enterprise components. Enterprise components like packetcapture, esgateway, l7-log-collector, etc. are able to be deployed without creating PodSecurityPolicy manually. * Manage Prometheus operator ClusterRole and ClusterRoleBinding in operator. * use `UsePSP` as the only flag to determine whether we need to render PSPs or not. [1] tigera#2433
hjiawei
added a commit
to hjiawei/operator
that referenced
this pull request
Feb 24, 2023
This changeset add and update PodSecurityPolicy for open source and enterprise components to match the recent work for SecurityContext in [1]. To summarize the changes: * Update Elasticsearch and Fluentd capabilities in PodSecurityPolicy to match SecurityContext. * Add missing PSPs for all enterprise components. Enterprise components like packetcapture, esgateway, l7-log-collector, etc. are able to be deployed without creating PodSecurityPolicy manually. * Manage Prometheus operator ClusterRole and ClusterRoleBinding in operator. * use `UsePSP` as the only flag to determine whether we need to render PodSecurityPolicy or not. [1] tigera#2433
hjiawei
added a commit
to hjiawei/operator
that referenced
this pull request
Feb 24, 2023
This changeset add and update `PodSecurityPolicy` for open source and enterprise components to match the recent work for SecurityContext in [1]. This is also required for all components to work in a CIS hardened RKE2 cluster. To summarize the changes: * Update Elasticsearch and Fluentd capabilities in `PodSecurityPolicy` to match `SecurityContext`. * Add missing `PodSecurityPolicy` for all enterprise components. Enterprise components like packetcapture, esgateway, l7-log-collector, etc. are able to be deployed without creating `PodSecurityPolicy` manually. * Manage Prometheus operator `ClusterRole` and `ClusterRoleBinding` in operator. * use `UsePSP` as the only flag to determine whether we need to render `PodSecurityPolicy` or not. [1] tigera#2433
5 tasks
hjiawei
added a commit
to hjiawei/operator
that referenced
this pull request
Feb 24, 2023
This changeset add and update `PodSecurityPolicy` for open source and enterprise components to match the recent work for SecurityContext in [1]. This is also required for all components to work in a CIS hardened RKE2 cluster. To summarize the changes: * Update Elasticsearch and Fluentd capabilities in `PodSecurityPolicy` to match `SecurityContext`. * Add missing `PodSecurityPolicy` for all enterprise components. Enterprise components like packetcapture, esgateway, l7-log-collector, etc. are able to be deployed without creating `PodSecurityPolicy` manually. * Manage Prometheus operator `ClusterRole` and `ClusterRoleBinding` in operator. * use `UsePSP` as the only flag to determine whether we need to render `PodSecurityPolicy` or not. [1] tigera#2433
hjiawei
added a commit
to hjiawei/operator
that referenced
this pull request
Feb 25, 2023
This changeset add and update `PodSecurityPolicy` for open source and enterprise components to match the recent work for SecurityContext in [1]. This is also required for all components to work in a CIS hardened RKE2 cluster. To summarize the changes: * Update Elasticsearch and Fluentd capabilities in `PodSecurityPolicy` to match `SecurityContext`. * Add missing `PodSecurityPolicy` for all enterprise components. Enterprise components like packetcapture, esgateway, l7-log-collector, etc. are able to be deployed without creating `PodSecurityPolicy` manually. * Manage Prometheus operator `ClusterRole` and `ClusterRoleBinding` in operator. * use `UsePSP` as the only flag to determine whether we need to render `PodSecurityPolicy` or not. [1] tigera#2433
hjiawei
added a commit
to hjiawei/operator
that referenced
this pull request
Feb 27, 2023
This changeset add and update `PodSecurityPolicy` for open source and enterprise components to match the recent work for SecurityContext in [1]. This is also required for all components to work in a CIS hardened RKE2 cluster. To summarize the changes: * Update Elasticsearch and Fluentd capabilities in `PodSecurityPolicy` to match `SecurityContext`. * Add missing `PodSecurityPolicy` for all enterprise components. Enterprise components like packetcapture, esgateway, l7-log-collector, etc. are able to be deployed without creating `PodSecurityPolicy` manually. * Manage Prometheus operator `ClusterRole` and `ClusterRoleBinding` in operator. * use `UsePSP` as the only flag to determine whether we need to render `PodSecurityPolicy` or not. [1] tigera#2433
hjiawei
added a commit
to hjiawei/operator
that referenced
this pull request
Feb 27, 2023
This changeset add and update `PodSecurityPolicy` for open source and enterprise components to match the recent work for SecurityContext in [1]. This is also required for all components to work in a CIS hardened RKE2 cluster. To summarize the changes: * Update Elasticsearch and Fluentd capabilities in `PodSecurityPolicy` to match `SecurityContext`. * Add missing `PodSecurityPolicy` for all enterprise components. Enterprise components like packetcapture, esgateway, l7-log-collector, etc. are able to be deployed without creating `PodSecurityPolicy` manually. * Manage Prometheus operator `ClusterRole` and `ClusterRoleBinding` in operator. * use `UsePSP` as the only flag to determine whether we need to render `PodSecurityPolicy` or not. [1] tigera#2433
hjiawei
added a commit
to hjiawei/operator
that referenced
this pull request
Feb 28, 2023
This changeset add and update `PodSecurityPolicy` for open source and enterprise components to match the recent work for SecurityContext in [1]. This is also required for all components to work in a CIS hardened RKE2 cluster. To summarize the changes: * Update Elasticsearch and Fluentd capabilities in `PodSecurityPolicy` to match `SecurityContext`. * Add missing `PodSecurityPolicy` for all enterprise components. Enterprise components like packetcapture, esgateway, l7-log-collector, etc. are able to be deployed without creating `PodSecurityPolicy` manually. * Manage Prometheus operator `ClusterRole` and `ClusterRoleBinding` in operator. * use `UsePSP` as the only flag to determine whether we need to render `PodSecurityPolicy` or not. [1] tigera#2433
hjiawei
added a commit
to hjiawei/operator
that referenced
this pull request
Mar 1, 2023
This changeset add and update `PodSecurityPolicy` for open source and enterprise components to match the recent work for SecurityContext in [1]. This is also required for all components to work in a CIS hardened RKE2 cluster. To summarize the changes: * Update Elasticsearch and Fluentd capabilities in `PodSecurityPolicy` to match `SecurityContext`. * Add missing `PodSecurityPolicy` for all enterprise components. Enterprise components like packetcapture, esgateway, l7-log-collector, etc. are able to be deployed without creating `PodSecurityPolicy` manually. * Manage Prometheus operator `ClusterRole` and `ClusterRoleBinding` in operator. * use `UsePSP` as the only flag to determine whether we need to render `PodSecurityPolicy` or not. [1] tigera#2433
hjiawei
added a commit
to hjiawei/operator
that referenced
this pull request
Mar 2, 2023
This changeset add and update `PodSecurityPolicy` for open source and enterprise components to match the recent work for SecurityContext in [1]. This is also required for all components to work in a CIS hardened RKE2 cluster. To summarize the changes: * Update Elasticsearch and Fluentd capabilities in `PodSecurityPolicy` to match `SecurityContext`. * Add missing `PodSecurityPolicy` for all enterprise components. Enterprise components like packetcapture, esgateway, l7-log-collector, etc. are able to be deployed without creating `PodSecurityPolicy` manually. * Manage Prometheus operator `ClusterRole` and `ClusterRoleBinding` in operator. * use `UsePSP` as the only flag to determine whether we need to render `PodSecurityPolicy` or not. [1] tigera#2433
hjiawei
added a commit
to hjiawei/operator
that referenced
this pull request
Mar 2, 2023
This changeset add and update `PodSecurityPolicy` for open source and enterprise components to match the recent work for SecurityContext in [1]. This is also required for all components to work in a CIS hardened RKE2 cluster. To summarize the changes: * Update Elasticsearch and Fluentd capabilities in `PodSecurityPolicy` to match `SecurityContext`. * Add missing `PodSecurityPolicy` for all enterprise components. Enterprise components like packetcapture, esgateway, l7-log-collector, etc. are able to be deployed without creating `PodSecurityPolicy` manually. * Manage Prometheus operator `ClusterRole` and `ClusterRoleBinding` in operator. * use `UsePSP` as the only flag to determine whether we need to render `PodSecurityPolicy` or not. [1] tigera#2433
hjiawei
added a commit
to hjiawei/operator
that referenced
this pull request
Mar 2, 2023
This changeset add and update `PodSecurityPolicy` for open source and enterprise components to match the recent work for SecurityContext in [1]. This is also required for all components to work in a CIS hardened RKE2 cluster. To summarize the changes: * Update Elasticsearch and Fluentd capabilities in `PodSecurityPolicy` to match `SecurityContext`. * Add missing `PodSecurityPolicy` for all enterprise components. Enterprise components like packetcapture, esgateway, l7-log-collector, etc. are able to be deployed without creating `PodSecurityPolicy` manually. * Manage Prometheus operator `ClusterRole` and `ClusterRoleBinding` in operator. * use `UsePSP` as the only flag to determine whether we need to render `PodSecurityPolicy` or not. [1] tigera#2433
5 tasks
rene-dekker
pushed a commit
that referenced
this pull request
Mar 3, 2023
This changeset add and update `PodSecurityPolicy` for open source and enterprise components to match the recent work for SecurityContext in [1]. This is also required for all components to work in a CIS hardened RKE2 cluster. To summarize the changes: * Update Elasticsearch and Fluentd capabilities in `PodSecurityPolicy` to match `SecurityContext`. * Add missing `PodSecurityPolicy` for all enterprise components. Enterprise components like packetcapture, esgateway, l7-log-collector, etc. are able to be deployed without creating `PodSecurityPolicy` manually. * Manage Prometheus operator `ClusterRole` and `ClusterRoleBinding` in operator. * use `UsePSP` as the only flag to determine whether we need to render `PodSecurityPolicy` or not. [1] #2433
hjiawei
added a commit
to hjiawei/operator
that referenced
this pull request
Mar 16, 2023
When PSP Pod Admission Controller is enabled in a cluster before v1.25, add the PSP PolicyRule for anomaly detection detectors. This is missed in tigera#2433.
5 tasks
hjiawei
added a commit
to hjiawei/operator
that referenced
this pull request
Mar 16, 2023
When PSP Pod Admission Controller is enabled in a cluster before v1.25, add the PSP PolicyRule for anomaly detection detectors. This is missed in tigera#2433.
5 tasks
rene-dekker
pushed a commit
that referenced
this pull request
Mar 17, 2023
When PSP Pod Admission Controller is enabled in a cluster before v1.25, add the PSP PolicyRule for anomaly detection detectors. This is missed in #2433.
rene-dekker
pushed a commit
that referenced
this pull request
Mar 17, 2023
When PSP Pod Admission Controller is enabled in a cluster before v1.25, add the PSP PolicyRule for anomaly detection detectors. This is missed in #2433.
3 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
This changeset add more restrictive SecurityContext to Calico opensource
and enterprise components. Least privilege principle is applied to this
change.
Data plane components are mostly running as root user and application
layer compoennts are running as non-root users.
CapabilitiesandSeccompProfileare also filled with sensible defaults inSecurityContexts.For PR author
make gen-filesmake gen-versionsFor PR reviewers
A note for code reviewers - all pull requests must have the following:
kind/bugif this is a bugfix.kind/enhancementif this is a a new feature.enterpriseif this PR applies to Calico Enterprise only.