
Implement Security Context for Divingbell

Change-Id: Ibc93ccac6d6015faff3491211f5f8cb752a0328f
changes/85/707885/23
Prateek Dodda 5 months ago
parent
commit
30200a54d9
9 changed files with 90 additions and 18 deletions
  1. +6
    -4
      divingbell/templates/daemonset-apparmor.yaml
  2. +6
    -2
      divingbell/templates/daemonset-apt.yaml
  3. +6
    -4
      divingbell/templates/daemonset-ethtool.yaml
  4. +6
    -2
      divingbell/templates/daemonset-exec.yaml
  5. +6
    -0
      divingbell/templates/daemonset-limits.yaml
  6. +6
    -0
      divingbell/templates/daemonset-mounts.yaml
  7. +6
    -0
      divingbell/templates/daemonset-perm.yaml
  8. +6
    -6
      divingbell/templates/daemonset-sysctl.yaml
  9. +42
    -0
      divingbell/values.yaml

+ 6
- 4
divingbell/templates/daemonset-apparmor.yaml View File

@@ -39,6 +39,7 @@ spec:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
{{ dict "envAll" $envAll "podName" "divingbell-apparmor" "containerNames" (list "apparmor") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
spec:
{{ dict "envAll" $envAll "application" "divingbell" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
hostNetwork: true
hostPID: true
hostIPC: true
@@ -47,20 +48,21 @@ spec:
image: {{ .Values.images.divingbell }}
imagePullPolicy: {{ .Values.images.pull_policy }}
{{ tuple $envAll $envAll.Values.pod.resources.apparmor | include "helm-toolkit.snippets.kubernetes_resources" | indent 8 }}
{{ dict "envAll" $envAll "application" "divingbell" "container" "apparmor" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 8 }}
command:
- /tmp/{{ $daemonset }}.sh
volumeMounts:
- name: pod-tmp
mountPath: /tmp
- name: rootfs-{{ $daemonset }}
mountPath: {{ .Values.conf.chroot_mnt_path }}
- name: {{ $secretName }}
mountPath: /tmp/{{ $daemonset }}.sh
subPath: {{ $daemonset }}
readOnly: true
securityContext:
capabilities:
add:
- 'MAC_ADMIN'
volumes:
- name: pod-tmp
emptyDir: {}
- name: rootfs-{{ $daemonset }}
hostPath:
path: /
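Review bot: With the `kubernetes_container_security_context` include now placed above `command:`, the MAC_ADMIN capability this hunk removes from the inline `securityContext` exists only as long as the operator's values keep it, and nothing in the template asserts a minimum, so an override that empties `capabilities.add` or sets `privileged: true` on this container renders without error; the same applies to the apt, ethtool, exec and sysctl templates, which drop `privileged: true` or their capability lists the same way. A comment above the include, e.g. `# capabilities/readOnlyRootFilesystem come from .Values.pod.security_context.divingbell.container.apparmor; the script needs MAC_ADMIN`, would make that dependency visible in each template. The `pod-tmp` emptyDir mounted at `/tmp` appears to be here because `readOnlyRootFilesystem: true` is now applied (also in limits, mounts, perm) — confirm each daemonset script writes only under `/tmp` and the chroot mount, since anything else on the container filesystem will now fail. The container spec and the `volumes:` list both continue outside the hunk.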


+ 6
- 2
divingbell/templates/daemonset-apt.yaml View File

@@ -39,6 +39,7 @@ spec:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
{{ dict "envAll" $envAll "podName" "divingbell-apt" "containerNames" (list "apt") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
spec:
{{ dict "envAll" $envAll "application" "divingbell" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
hostNetwork: true
hostPID: true
hostIPC: true
@@ -47,18 +48,21 @@ spec:
image: {{ .Values.images.divingbell }}
imagePullPolicy: {{ .Values.images.pull_policy }}
{{ tuple $envAll $envAll.Values.pod.resources.apt | include "helm-toolkit.snippets.kubernetes_resources" | indent 8 }}
{{ dict "envAll" $envAll "application" "divingbell" "container" "apt" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 8 }}
command:
- /tmp/{{ $daemonset }}.sh
volumeMounts:
- name: pod-tmp
mountPath: /tmp
- name: rootfs-{{ $daemonset }}
mountPath: {{ .Values.conf.chroot_mnt_path }}
- name: {{ $secretName }}
mountPath: /tmp/{{ $daemonset }}.sh
subPath: {{ $daemonset }}
readOnly: true
securityContext:
privileged: true
volumes:
- name: pod-tmp
emptyDir: {}
- name: rootfs-{{ $daemonset }}
hostPath:
path: /


+ 6
- 4
divingbell/templates/daemonset-ethtool.yaml View File

@@ -39,6 +39,7 @@ spec:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
{{ dict "envAll" $envAll "podName" "divingbell-ethtool" "containerNames" (list "ethtool") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
spec:
{{ dict "envAll" $envAll "application" "divingbell" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
hostNetwork: true
hostPID: true
hostIPC: true
@@ -47,20 +48,21 @@ spec:
image: {{ .Values.images.divingbell }}
imagePullPolicy: {{ .Values.images.pull_policy }}
{{ tuple $envAll $envAll.Values.pod.resources.ethtool | include "helm-toolkit.snippets.kubernetes_resources" | indent 8 }}
{{ dict "envAll" $envAll "application" "divingbell" "container" "ethtool" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 8 }}
command:
- /tmp/{{ $daemonset }}.sh
volumeMounts:
- name: pod-tmp
mountPath: /tmp
- name: rootfs-{{ $daemonset }}
mountPath: {{ .Values.conf.chroot_mnt_path }}
- name: {{ $secretName }}
mountPath: /tmp/{{ $daemonset }}.sh
subPath: {{ $daemonset }}
readOnly: true
securityContext:
capabilities:
add:
- 'NET_ADMIN'
volumes:
- name: pod-tmp
emptyDir: {}
- name: rootfs-{{ $daemonset }}
hostPath:
path: /


+ 6
- 2
divingbell/templates/daemonset-exec.yaml View File

@@ -39,6 +39,7 @@ spec:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
{{ dict "envAll" $envAll "podName" "divingbell-exec" "containerNames" (list "exec") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
spec:
{{ dict "envAll" $envAll "application" "divingbell" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
hostNetwork: true
hostPID: true
hostIPC: true
@@ -47,18 +48,21 @@ spec:
image: {{ .Values.images.divingbell }}
imagePullPolicy: {{ .Values.images.pull_policy }}
{{ tuple $envAll $envAll.Values.pod.resources.exec | include "helm-toolkit.snippets.kubernetes_resources" | indent 8 }}
{{ dict "envAll" $envAll "application" "divingbell" "container" "exec" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 8 }}
command:
- /tmp/{{ $daemonset }}.sh
volumeMounts:
- name: pod-tmp
mountPath: /tmp
- name: rootfs-{{ $daemonset }}
mountPath: {{ .Values.conf.chroot_mnt_path }}
- name: {{ $secretName }}
mountPath: /tmp/{{ $daemonset }}.sh
subPath: {{ $daemonset }}
readOnly: true
securityContext:
privileged: true
volumes:
- name: pod-tmp
emptyDir: {}
- name: rootfs-{{ $daemonset }}
hostPath:
path: /


+ 6
- 0
divingbell/templates/daemonset-limits.yaml View File

@@ -39,6 +39,7 @@ spec:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
{{ dict "envAll" $envAll "podName" "divingbell-limits" "containerNames" (list "limits") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
spec:
{{ dict "envAll" $envAll "application" "divingbell" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
hostNetwork: true
hostPID: true
hostIPC: true
@@ -47,9 +48,12 @@ spec:
image: {{ .Values.images.divingbell }}
imagePullPolicy: {{ .Values.images.pull_policy }}
{{ tuple $envAll $envAll.Values.pod.resources.limits | include "helm-toolkit.snippets.kubernetes_resources" | indent 8 }}
{{ dict "envAll" $envAll "application" "divingbell" "container" "limits" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 8 }}
command:
- /tmp/{{ $daemonset }}.sh
volumeMounts:
- name: pod-tmp
mountPath: /tmp
- name: rootfs-{{ $daemonset }}
mountPath: {{ .Values.conf.chroot_mnt_path }}
- name: {{ $secretName }}
@@ -57,6 +61,8 @@ spec:
subPath: {{ $daemonset }}
readOnly: true
volumes:
- name: pod-tmp
emptyDir: {}
- name: rootfs-{{ $daemonset }}
hostPath:
path: /


+ 6
- 0
divingbell/templates/daemonset-mounts.yaml View File

@@ -39,6 +39,7 @@ spec:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
{{ dict "envAll" $envAll "podName" "divingbell-mounts" "containerNames" (list "mounts") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
spec:
{{ dict "envAll" $envAll "application" "divingbell" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
hostNetwork: true
hostPID: true
hostIPC: true
@@ -47,9 +48,12 @@ spec:
image: {{ .Values.images.divingbell }}
imagePullPolicy: {{ .Values.images.pull_policy }}
{{ tuple $envAll $envAll.Values.pod.resources.mounts | include "helm-toolkit.snippets.kubernetes_resources" | indent 8 }}
{{ dict "envAll" $envAll "application" "divingbell" "container" "mounts" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 8 }}
command:
- /tmp/{{ $daemonset }}.sh
volumeMounts:
- name: pod-tmp
mountPath: /tmp
- name: rootfs-{{ $daemonset }}
mountPath: {{ .Values.conf.chroot_mnt_path }}
- name: {{ $secretName }}
@@ -57,6 +61,8 @@ spec:
subPath: {{ $daemonset }}
readOnly: true
volumes:
- name: pod-tmp
emptyDir: {}
- name: rootfs-{{ $daemonset }}
hostPath:
path: /


+ 6
- 0
divingbell/templates/daemonset-perm.yaml View File

@@ -39,6 +39,7 @@ spec:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
{{ dict "envAll" $envAll "podName" "divingbell-perm" "containerNames" (list "perm") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
spec:
{{ dict "envAll" $envAll "application" "divingbell" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
hostNetwork: true
hostPID: true
hostIPC: true
@@ -47,9 +48,12 @@ spec:
image: {{ .Values.images.divingbell }}
imagePullPolicy: {{ .Values.images.pull_policy }}
{{ tuple $envAll $envAll.Values.pod.resources.perm | include "helm-toolkit.snippets.kubernetes_resources" | indent 8 }}
{{ dict "envAll" $envAll "application" "divingbell" "container" "perm" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 8 }}
command:
- /tmp/{{ $daemonset }}.sh
volumeMounts:
- name: pod-tmp
mountPath: /tmp
- name: rootfs-{{ $daemonset }}
mountPath: {{ .Values.conf.chroot_mnt_path }}
- name: {{ $secretName }}
@@ -57,6 +61,8 @@ spec:
subPath: {{ $daemonset }}
readOnly: true
volumes:
- name: pod-tmp
emptyDir: {}
- name: rootfs-{{ $daemonset }}
hostPath:
path: /


+ 6
- 6
divingbell/templates/daemonset-sysctl.yaml View File

@@ -39,6 +39,7 @@ spec:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
{{ dict "envAll" $envAll "podName" "divingbell-sysctl" "containerNames" (list "sysctl") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
spec:
{{ dict "envAll" $envAll "application" "divingbell" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
hostNetwork: true
hostPID: true
hostIPC: true
@@ -47,22 +48,21 @@ spec:
image: {{ .Values.images.divingbell }}
imagePullPolicy: {{ .Values.images.pull_policy }}
{{ tuple $envAll $envAll.Values.pod.resources.sysctl | include "helm-toolkit.snippets.kubernetes_resources" | indent 8 }}
{{ dict "envAll" $envAll "application" "divingbell" "container" "sysctl" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 8 }}
command:
- /tmp/{{ $daemonset }}.sh
volumeMounts:
- name: pod-tmp
mountPath: /tmp
- name: rootfs-{{ $daemonset }}
mountPath: {{ .Values.conf.chroot_mnt_path }}
- name: {{ $secretName }}
mountPath: /tmp/{{ $daemonset }}.sh
subPath: {{ $daemonset }}
readOnly: true
securityContext:
capabilities:
add:
- 'SYS_PTRACE'
- 'SYS_ADMIN'
- 'SYS_RAWIO'
volumes:
- name: pod-tmp
emptyDir: {}
- name: rootfs-{{ $daemonset }}
hostPath:
path: /


+ 42
- 0
divingbell/values.yaml View File

@@ -116,6 +116,48 @@ pod:
sysctl: runtime/default
divingbell-uamlite:
uamlite: runtime/default
security_context:
divingbell:
pod:
runAsUser: 65534
container:
apt:
readOnlyRootFilesystem: true
runAsUser: 0
privileged: true
apparmor:
capabilities:
add:
- 'MAC_ADMIN'
readOnlyRootFilesystem: true
runAsUser : 0
ethtool:
capabilities:
add:
- 'NET_ADMIN'
readOnlyRootFilesystem: true
runAsUser : 0
exec:
readOnlyRootFilesystem: true
runAsUser: 0
privileged: true
limits:
readOnlyRootFilesystem: true
runAsUser: 0
mounts:
readOnlyRootFilesystem: true
runAsUser: 0
perm:
readOnlyRootFilesystem: true
runAsUser: 0
sysctl:
capabilities:
add:
- 'SYS_PTRACE'
- 'SYS_ADMIN'
- 'SYS_RAWIO'
readOnlyRootFilesystem: true
runAsUser: 0
lifecycle:
upgrades:
daemonsets:
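Review bot: `runAsUser : 0` under `apparmor` and `ethtool` has a space before the colon, unlike every other key in the block; parsers accept it, but it fails yamllint's `colons` rule and reads as a different key at a glance, so make both `runAsUser: 0`. The pod-level `runAsUser: 65534` is overridden by `runAsUser: 0` in every container entry, so it presumably has no effect on any divingbell container as rendered; a comment such as `# every container below overrides this with runAsUser: 0 — the scripts need root on the host` would stop readers assuming the daemonsets run as nobody. Because this block now carries each daemonset's full privilege set, a one-line comment per container naming why it needs its capabilities (MAC_ADMIN for apparmor profiles, NET_ADMIN for ethtool, SYS_PTRACE/SYS_ADMIN/SYS_RAWIO for sysctl) would help operators avoid trimming them in overrides. For apparmor, ethtool, limits, mounts and perm, `allowPrivilegeEscalation: false` could sit alongside `readOnlyRootFilesystem: true`; the API rejects it together with `privileged: true` or an added SYS_ADMIN, so it does not apply to apt, exec or sysctl. The enclosing `pod:` mapping starts outside the hunk.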

