Implement Security Context for Divingbell

Change-Id: Ibc93ccac6d6015faff3491211f5f8cb752a0328f
2020-02-14 12:00:26 -06:00 · 2020-02-14 12:00:26 -06:00 · 30200a54d9
commit 30200a54d9
parent 32da2fbd4b
9 changed files with 90 additions and 18 deletions
--- a/divingbell/templates/daemonset-apparmor.yaml
+++ b/divingbell/templates/daemonset-apparmor.yaml
@ -39,6 +39,7 @@ spec:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
 {{ dict "envAll" $envAll "podName" "divingbell-apparmor" "containerNames" (list "apparmor") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
    spec:
+{{ dict "envAll" $envAll "application" "divingbell" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
      hostNetwork: true
      hostPID: true
      hostIPC: true
@ -47,20 +48,21 @@ spec:
        image: {{ .Values.images.divingbell }}
        imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.apparmor | include "helm-toolkit.snippets.kubernetes_resources" | indent 8 }}
+{{ dict "envAll" $envAll "application" "divingbell" "container" "apparmor" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 8 }}
        command:
        - /tmp/{{ $daemonset }}.sh
        volumeMounts:
+        - name: pod-tmp
+          mountPath: /tmp
        - name: rootfs-{{ $daemonset }}
          mountPath: {{ .Values.conf.chroot_mnt_path }}
        - name: {{ $secretName }}
          mountPath: /tmp/{{ $daemonset }}.sh
          subPath: {{ $daemonset }}
          readOnly: true
-        securityContext:
-          capabilities:
-            add:
-              - 'MAC_ADMIN'
      volumes:
+      - name: pod-tmp
+        emptyDir: {}
      - name: rootfs-{{ $daemonset }}
        hostPath:
          path: /
--- a/divingbell/templates/daemonset-apt.yaml
+++ b/divingbell/templates/daemonset-apt.yaml
@ -39,6 +39,7 @@ spec:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
 {{ dict "envAll" $envAll "podName" "divingbell-apt" "containerNames" (list "apt") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
    spec:
+{{ dict "envAll" $envAll "application" "divingbell" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
      hostNetwork: true
      hostPID: true
      hostIPC: true
@ -47,18 +48,21 @@ spec:
        image: {{ .Values.images.divingbell }}
        imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.apt | include "helm-toolkit.snippets.kubernetes_resources" | indent 8 }}
+{{ dict "envAll" $envAll "application" "divingbell" "container" "apt" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 8 }}
        command:
        - /tmp/{{ $daemonset }}.sh
        volumeMounts:
+        - name: pod-tmp
+          mountPath: /tmp
        - name: rootfs-{{ $daemonset }}
          mountPath: {{ .Values.conf.chroot_mnt_path }}
        - name: {{ $secretName }}
          mountPath: /tmp/{{ $daemonset }}.sh
          subPath: {{ $daemonset }}
          readOnly: true
-        securityContext:
-          privileged: true
      volumes:
+      - name: pod-tmp
+        emptyDir: {}
      - name: rootfs-{{ $daemonset }}
        hostPath:
          path: /
--- a/divingbell/templates/daemonset-ethtool.yaml
+++ b/divingbell/templates/daemonset-ethtool.yaml
@ -39,6 +39,7 @@ spec:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
 {{ dict "envAll" $envAll "podName" "divingbell-ethtool" "containerNames" (list "ethtool") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
    spec:
+{{ dict "envAll" $envAll "application" "divingbell" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
      hostNetwork: true
      hostPID: true
      hostIPC: true
@ -47,20 +48,21 @@ spec:
        image: {{ .Values.images.divingbell }}
        imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.ethtool | include "helm-toolkit.snippets.kubernetes_resources" | indent 8 }}
+{{ dict "envAll" $envAll "application" "divingbell" "container" "ethtool" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 8 }}
        command:
        - /tmp/{{ $daemonset }}.sh
        volumeMounts:
+        - name: pod-tmp
+          mountPath: /tmp
        - name: rootfs-{{ $daemonset }}
          mountPath: {{ .Values.conf.chroot_mnt_path }}
        - name: {{ $secretName }}
          mountPath: /tmp/{{ $daemonset }}.sh
          subPath: {{ $daemonset }}
          readOnly: true
-        securityContext:
-          capabilities:
-            add:
-              - 'NET_ADMIN'
      volumes:
+      - name: pod-tmp
+        emptyDir: {}
      - name: rootfs-{{ $daemonset }}
        hostPath:
          path: /
--- a/divingbell/templates/daemonset-exec.yaml
+++ b/divingbell/templates/daemonset-exec.yaml
@ -39,6 +39,7 @@ spec:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
 {{ dict "envAll" $envAll "podName" "divingbell-exec" "containerNames" (list "exec") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
    spec:
+{{ dict "envAll" $envAll "application" "divingbell" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
      hostNetwork: true
      hostPID: true
      hostIPC: true
@ -47,18 +48,21 @@ spec:
        image: {{ .Values.images.divingbell }}
        imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.exec | include "helm-toolkit.snippets.kubernetes_resources" | indent 8 }}
+{{ dict "envAll" $envAll "application" "divingbell" "container" "exec" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 8 }}
        command:
        - /tmp/{{ $daemonset }}.sh
        volumeMounts:
+        - name: pod-tmp
+          mountPath: /tmp
        - name: rootfs-{{ $daemonset }}
          mountPath: {{ .Values.conf.chroot_mnt_path }}
        - name: {{ $secretName }}
          mountPath: /tmp/{{ $daemonset }}.sh
          subPath: {{ $daemonset }}
          readOnly: true
-        securityContext:
-          privileged: true
      volumes:
+      - name: pod-tmp
+        emptyDir: {}
      - name: rootfs-{{ $daemonset }}
        hostPath:
          path: /
--- a/divingbell/templates/daemonset-limits.yaml
+++ b/divingbell/templates/daemonset-limits.yaml
@ -39,6 +39,7 @@ spec:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
 {{ dict "envAll" $envAll "podName" "divingbell-limits" "containerNames" (list "limits") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
    spec:
+{{ dict "envAll" $envAll "application" "divingbell" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
      hostNetwork: true
      hostPID: true
      hostIPC: true
@ -47,9 +48,12 @@ spec:
        image: {{ .Values.images.divingbell }}
        imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.limits | include "helm-toolkit.snippets.kubernetes_resources" | indent 8 }}
+{{ dict "envAll" $envAll "application" "divingbell" "container" "limits" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 8 }}
        command:
        - /tmp/{{ $daemonset }}.sh
        volumeMounts:
+        - name: pod-tmp
+          mountPath: /tmp
        - name: rootfs-{{ $daemonset }}
          mountPath: {{ .Values.conf.chroot_mnt_path }}
        - name: {{ $secretName }}
@ -57,6 +61,8 @@ spec:
          subPath: {{ $daemonset }}
          readOnly: true
      volumes:
+      - name: pod-tmp
+        emptyDir: {}
      - name: rootfs-{{ $daemonset }}
        hostPath:
          path: /
--- a/divingbell/templates/daemonset-mounts.yaml
+++ b/divingbell/templates/daemonset-mounts.yaml
@ -39,6 +39,7 @@ spec:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
 {{ dict "envAll" $envAll "podName" "divingbell-mounts" "containerNames" (list "mounts") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
    spec:
+{{ dict "envAll" $envAll "application" "divingbell" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
      hostNetwork: true
      hostPID: true
      hostIPC: true
@ -47,9 +48,12 @@ spec:
        image: {{ .Values.images.divingbell }}
        imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.mounts | include "helm-toolkit.snippets.kubernetes_resources" | indent 8 }}
+{{ dict "envAll" $envAll "application" "divingbell" "container" "mounts" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 8 }}
        command:
        - /tmp/{{ $daemonset }}.sh
        volumeMounts:
+        - name: pod-tmp
+          mountPath: /tmp
        - name: rootfs-{{ $daemonset }}
          mountPath: {{ .Values.conf.chroot_mnt_path }}
        - name: {{ $secretName }}
@ -57,6 +61,8 @@ spec:
          subPath: {{ $daemonset }}
          readOnly: true
      volumes:
+      - name: pod-tmp
+        emptyDir: {}
      - name: rootfs-{{ $daemonset }}
        hostPath:
          path: /
--- a/divingbell/templates/daemonset-perm.yaml
+++ b/divingbell/templates/daemonset-perm.yaml
@ -39,6 +39,7 @@ spec:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
 {{ dict "envAll" $envAll "podName" "divingbell-perm" "containerNames" (list "perm") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
    spec:
+{{ dict "envAll" $envAll "application" "divingbell" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
      hostNetwork: true
      hostPID: true
      hostIPC: true
@ -47,9 +48,12 @@ spec:
        image: {{ .Values.images.divingbell }}
        imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.perm | include "helm-toolkit.snippets.kubernetes_resources" | indent 8 }}
+{{ dict "envAll" $envAll "application" "divingbell" "container" "perm" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 8 }}
        command:
        - /tmp/{{ $daemonset }}.sh
        volumeMounts:
+        - name: pod-tmp
+          mountPath: /tmp
        - name: rootfs-{{ $daemonset }}
          mountPath: {{ .Values.conf.chroot_mnt_path }}
        - name: {{ $secretName }}
@ -57,6 +61,8 @@ spec:
          subPath: {{ $daemonset }}
          readOnly: true
      volumes:
+      - name: pod-tmp
+        emptyDir: {}
      - name: rootfs-{{ $daemonset }}
        hostPath:
          path: /
--- a/divingbell/templates/daemonset-sysctl.yaml
+++ b/divingbell/templates/daemonset-sysctl.yaml
@ -39,6 +39,7 @@ spec:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
 {{ dict "envAll" $envAll "podName" "divingbell-sysctl" "containerNames" (list "sysctl") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
    spec:
+{{ dict "envAll" $envAll "application" "divingbell" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
      hostNetwork: true
      hostPID: true
      hostIPC: true
@ -47,22 +48,21 @@ spec:
        image: {{ .Values.images.divingbell }}
        imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.sysctl | include "helm-toolkit.snippets.kubernetes_resources" | indent 8 }}
+{{ dict "envAll" $envAll "application" "divingbell" "container" "sysctl" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 8 }}
        command:
        - /tmp/{{ $daemonset }}.sh
        volumeMounts:
+        - name: pod-tmp
+          mountPath: /tmp
        - name: rootfs-{{ $daemonset }}
          mountPath: {{ .Values.conf.chroot_mnt_path }}
        - name: {{ $secretName }}
          mountPath: /tmp/{{ $daemonset }}.sh
          subPath: {{ $daemonset }}
          readOnly: true
-        securityContext:
-          capabilities:
-            add:
-              - 'SYS_PTRACE'
-              - 'SYS_ADMIN'
-              - 'SYS_RAWIO'
      volumes:
+      - name: pod-tmp
+        emptyDir: {}
      - name: rootfs-{{ $daemonset }}
        hostPath:
          path: /
--- a/divingbell/values.yaml
+++ b/divingbell/values.yaml
@ -116,6 +116,48 @@ pod:
      sysctl: runtime/default
    divingbell-uamlite:
      uamlite: runtime/default
+  security_context:
+    divingbell:
+      pod:
+        runAsUser: 65534
+      container:
+        apt:
+          readOnlyRootFilesystem: true
+          runAsUser: 0
+          privileged: true
+        apparmor:
+          capabilities:
+            add:
+              - 'MAC_ADMIN'
+          readOnlyRootFilesystem: true
+          runAsUser : 0
+        ethtool:
+          capabilities:
+            add:
+              - 'NET_ADMIN'
+          readOnlyRootFilesystem: true
+          runAsUser : 0
+        exec:
+          readOnlyRootFilesystem: true
+          runAsUser: 0
+          privileged: true
+        limits:
+          readOnlyRootFilesystem: true
+          runAsUser: 0
+        mounts:
+          readOnlyRootFilesystem: true
+          runAsUser: 0
+        perm:
+          readOnlyRootFilesystem: true
+          runAsUser: 0
+        sysctl:
+          capabilities:
+            add:
+              - 'SYS_PTRACE'
+              - 'SYS_ADMIN'
+              - 'SYS_RAWIO'
+          readOnlyRootFilesystem: true
+          runAsUser: 0
  lifecycle:
    upgrades:
      daemonsets: