Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add containerSecurityContext to components #1304

Closed
wants to merge 4 commits into from
Closed

Add containerSecurityContext to components #1304

wants to merge 4 commits into from

Conversation

funkypenguin
Copy link

Hey guys,

This PR attempts to address the issue raised here : #1286

Basically, it's desirable under some circumstances to allow the user to customize .spec.container.securityContext, to meet compliance requirements (such as apply seccomp policy).

An objection raised in #1286 was that allowing custom securityContext could cause breakage, since some of the apps' UIDs are hard-coded in their docker files. To this end, I've avoided changing the pod securityContexts, and focused only on adding the ability to augment the container securityContext.

This means that in the case of core, for example, the following hard-coded securityContext still applies:

      securityContext:
        runAsUser: 10000
        fsGroup: 10000

But a user could pass this in values.yaml:

core:
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
      - ALL
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault

.. which would greatly improve our compliance / security posture, without impacting the intended effect of the hard-coded pod securityContext.

@funkypenguin
Add containerSecurityContext to components
2cb3192 
Signed-off-by: David Young <davidy@funkypenguin.co.nz>
@funkypenguin
Standardize indentation
ed4d343 
Signed-off-by: David Young <davidy@funkypenguin.co.nz>
@funkypenguin
Explicitly set pod securityContext to runAsNonRoot
efd3b8b 
Signed-off-by: David Young <davidy@funkypenguin.co.nz>
@funkypenguin
Fix indentation / duplication for trivy containerSecurityContext
13c2cda 
Signed-off-by: David Young <davidy@funkypenguin.co.nz>
@avthart
Copy link

avthart commented Mar 29, 2023

Any update on this PR?

We are also interested as we need this for compliance using the pod security standard restricted profile.

@xhejtman
Copy link

Could it be merged? It would resolve also this one: #1472

@msander
Copy link

msander commented Sep 29, 2023

This would be really helpful, otherwise we cannot deploy in an RKE2 Cluster with CIS Mode.

@AkshayRaoSahab
Copy link

Hello, Is it ready to merge ?

@98jan
Copy link

98jan commented Jan 10, 2024

Any update on that issue, would be really appreciated to have this soon.
As restricted profile is needed and right now we implemented it with a kustomize patch, better would be to have it integrated in the helm chart or to make the securityContext configuration configurable through values.yaml

@MinerYang
Copy link
Collaborator

Thanks @funkypenguin
Appreciate of your contributions, we already have a few of PRs to discuss relevant issue to meet several requirements. we will focus triage on this PR #1695.

Will close this PR and please help to review #1695

@MinerYang MinerYang closed this Feb 21, 2024
@MinerYang MinerYang mentioned this pull request Feb 21, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
7 participants
@funkypenguin @avthart @xhejtman @msander @AkshayRaoSahab @98jan @MinerYang