Implement Security Context for Divingbell

Change-Id: Ibc93ccac6d6015faff3491211f5f8cb752a0328f

divingbell/templates/daemonset-apparmor.yaml

@@ -39,6 +39,7 @@ spec:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
 {{ dict "envAll" $envAll "podName" "divingbell-apparmor" "containerNames" (list "apparmor") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
     spec:
+{{ dict "envAll" $envAll "application" "divingbell" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
       hostNetwork: true
       hostPID: true
       hostIPC: true
@@ -47,20 +48,21 @@ spec:
         image: {{ .Values.images.divingbell }}
         imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.apparmor | include "helm-toolkit.snippets.kubernetes_resources" | indent 8 }}
+{{ dict "envAll" $envAll "application" "divingbell" "container" "apparmor" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 8 }}
         command:
         - /tmp/{{ $daemonset }}.sh
         volumeMounts:
+        - name: pod-tmp
+          mountPath: /tmp
         - name: rootfs-{{ $daemonset }}
           mountPath: {{ .Values.conf.chroot_mnt_path }}
         - name: {{ $secretName }}
           mountPath: /tmp/{{ $daemonset }}.sh
           subPath: {{ $daemonset }}
           readOnly: true
-        securityContext:
-          capabilities:
-            add:
-              - 'MAC_ADMIN'
       volumes:
+      - name: pod-tmp
+        emptyDir: {}
       - name: rootfs-{{ $daemonset }}
         hostPath:
           path: /

divingbell/templates/daemonset-apt.yaml

@@ -39,6 +39,7 @@ spec:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
 {{ dict "envAll" $envAll "podName" "divingbell-apt" "containerNames" (list "apt") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
     spec:
+{{ dict "envAll" $envAll "application" "divingbell" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
       hostNetwork: true
       hostPID: true
       hostIPC: true
@@ -47,18 +48,21 @@ spec:
         image: {{ .Values.images.divingbell }}
         imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.apt | include "helm-toolkit.snippets.kubernetes_resources" | indent 8 }}
+{{ dict "envAll" $envAll "application" "divingbell" "container" "apt" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 8 }}
         command:
         - /tmp/{{ $daemonset }}.sh
         volumeMounts:
+        - name: pod-tmp
+          mountPath: /tmp
         - name: rootfs-{{ $daemonset }}
           mountPath: {{ .Values.conf.chroot_mnt_path }}
         - name: {{ $secretName }}
           mountPath: /tmp/{{ $daemonset }}.sh
           subPath: {{ $daemonset }}
           readOnly: true
-        securityContext:
-          privileged: true
       volumes:
+      - name: pod-tmp
+        emptyDir: {}
       - name: rootfs-{{ $daemonset }}
         hostPath:
           path: /

divingbell/templates/daemonset-ethtool.yaml

@@ -39,6 +39,7 @@ spec:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
 {{ dict "envAll" $envAll "podName" "divingbell-ethtool" "containerNames" (list "ethtool") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
     spec:
+{{ dict "envAll" $envAll "application" "divingbell" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
       hostNetwork: true
       hostPID: true
       hostIPC: true
@@ -47,20 +48,21 @@ spec:
         image: {{ .Values.images.divingbell }}
         imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.ethtool | include "helm-toolkit.snippets.kubernetes_resources" | indent 8 }}
+{{ dict "envAll" $envAll "application" "divingbell" "container" "ethtool" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 8 }}
         command:
         - /tmp/{{ $daemonset }}.sh
         volumeMounts:
+        - name: pod-tmp
+          mountPath: /tmp
         - name: rootfs-{{ $daemonset }}
           mountPath: {{ .Values.conf.chroot_mnt_path }}
         - name: {{ $secretName }}
           mountPath: /tmp/{{ $daemonset }}.sh
           subPath: {{ $daemonset }}
           readOnly: true
-        securityContext:
-          capabilities:
-            add:
-              - 'NET_ADMIN'
       volumes:
+      - name: pod-tmp
+        emptyDir: {}
       - name: rootfs-{{ $daemonset }}
         hostPath:
           path: /

divingbell/templates/daemonset-exec.yaml

@@ -39,6 +39,7 @@ spec:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
 {{ dict "envAll" $envAll "podName" "divingbell-exec" "containerNames" (list "exec") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
     spec:
+{{ dict "envAll" $envAll "application" "divingbell" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
       hostNetwork: true
       hostPID: true
       hostIPC: true
@@ -47,18 +48,21 @@ spec:
         image: {{ .Values.images.divingbell }}
         imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.exec | include "helm-toolkit.snippets.kubernetes_resources" | indent 8 }}
+{{ dict "envAll" $envAll "application" "divingbell" "container" "exec" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 8 }}
         command:
         - /tmp/{{ $daemonset }}.sh
         volumeMounts:
+        - name: pod-tmp
+          mountPath: /tmp
         - name: rootfs-{{ $daemonset }}
           mountPath: {{ .Values.conf.chroot_mnt_path }}
         - name: {{ $secretName }}
           mountPath: /tmp/{{ $daemonset }}.sh
           subPath: {{ $daemonset }}
           readOnly: true
-        securityContext:
-          privileged: true
       volumes:
+      - name: pod-tmp
+        emptyDir: {}
       - name: rootfs-{{ $daemonset }}
         hostPath:
           path: /

divingbell/templates/daemonset-limits.yaml

@@ -39,6 +39,7 @@ spec:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
 {{ dict "envAll" $envAll "podName" "divingbell-limits" "containerNames" (list "limits") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
     spec:
+{{ dict "envAll" $envAll "application" "divingbell" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
       hostNetwork: true
       hostPID: true
       hostIPC: true
@@ -47,9 +48,12 @@ spec:
         image: {{ .Values.images.divingbell }}
         imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.limits | include "helm-toolkit.snippets.kubernetes_resources" | indent 8 }}
+{{ dict "envAll" $envAll "application" "divingbell" "container" "limits" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 8 }}
         command:
         - /tmp/{{ $daemonset }}.sh
         volumeMounts:
+        - name: pod-tmp
+          mountPath: /tmp
         - name: rootfs-{{ $daemonset }}
           mountPath: {{ .Values.conf.chroot_mnt_path }}
         - name: {{ $secretName }}
@@ -57,6 +61,8 @@ spec:
           subPath: {{ $daemonset }}
           readOnly: true
       volumes:
+      - name: pod-tmp
+        emptyDir: {}
       - name: rootfs-{{ $daemonset }}
         hostPath:
           path: /

divingbell/templates/daemonset-mounts.yaml

@@ -39,6 +39,7 @@ spec:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
 {{ dict "envAll" $envAll "podName" "divingbell-mounts" "containerNames" (list "mounts") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
     spec:
+{{ dict "envAll" $envAll "application" "divingbell" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
       hostNetwork: true
       hostPID: true
       hostIPC: true
@@ -47,9 +48,12 @@ spec:
         image: {{ .Values.images.divingbell }}
         imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.mounts | include "helm-toolkit.snippets.kubernetes_resources" | indent 8 }}
+{{ dict "envAll" $envAll "application" "divingbell" "container" "mounts" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 8 }}
         command:
         - /tmp/{{ $daemonset }}.sh
         volumeMounts:
+        - name: pod-tmp
+          mountPath: /tmp
         - name: rootfs-{{ $daemonset }}
           mountPath: {{ .Values.conf.chroot_mnt_path }}
         - name: {{ $secretName }}
@@ -57,6 +61,8 @@ spec:
           subPath: {{ $daemonset }}
           readOnly: true
       volumes:
+      - name: pod-tmp
+        emptyDir: {}
       - name: rootfs-{{ $daemonset }}
         hostPath:
           path: /

divingbell/templates/daemonset-perm.yaml

@@ -39,6 +39,7 @@ spec:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
 {{ dict "envAll" $envAll "podName" "divingbell-perm" "containerNames" (list "perm") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
     spec:
+{{ dict "envAll" $envAll "application" "divingbell" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
       hostNetwork: true
       hostPID: true
       hostIPC: true
@@ -47,9 +48,12 @@ spec:
         image: {{ .Values.images.divingbell }}
         imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.perm | include "helm-toolkit.snippets.kubernetes_resources" | indent 8 }}
+{{ dict "envAll" $envAll "application" "divingbell" "container" "perm" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 8 }}
         command:
         - /tmp/{{ $daemonset }}.sh
         volumeMounts:
+        - name: pod-tmp
+          mountPath: /tmp
         - name: rootfs-{{ $daemonset }}
           mountPath: {{ .Values.conf.chroot_mnt_path }}
         - name: {{ $secretName }}
@@ -57,6 +61,8 @@ spec:
           subPath: {{ $daemonset }}
           readOnly: true
       volumes:
+      - name: pod-tmp
+        emptyDir: {}
       - name: rootfs-{{ $daemonset }}
         hostPath:
           path: /

divingbell/templates/daemonset-sysctl.yaml

@@ -39,6 +39,7 @@ spec:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
 {{ dict "envAll" $envAll "podName" "divingbell-sysctl" "containerNames" (list "sysctl") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
     spec:
+{{ dict "envAll" $envAll "application" "divingbell" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
       hostNetwork: true
       hostPID: true
       hostIPC: true
@@ -47,22 +48,21 @@ spec:
         image: {{ .Values.images.divingbell }}
         imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.sysctl | include "helm-toolkit.snippets.kubernetes_resources" | indent 8 }}
+{{ dict "envAll" $envAll "application" "divingbell" "container" "sysctl" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 8 }}
         command:
         - /tmp/{{ $daemonset }}.sh
         volumeMounts:
+        - name: pod-tmp
+          mountPath: /tmp
         - name: rootfs-{{ $daemonset }}
           mountPath: {{ .Values.conf.chroot_mnt_path }}
         - name: {{ $secretName }}
           mountPath: /tmp/{{ $daemonset }}.sh
           subPath: {{ $daemonset }}
           readOnly: true
-        securityContext:
-          capabilities:
-            add:
-              - 'SYS_PTRACE'
-              - 'SYS_ADMIN'
-              - 'SYS_RAWIO'
       volumes:
+      - name: pod-tmp
+        emptyDir: {}
       - name: rootfs-{{ $daemonset }}
         hostPath:
           path: /

divingbell/values.yaml

@@ -116,6 +116,48 @@ pod:
       sysctl: runtime/default
     divingbell-uamlite:
       uamlite: runtime/default
+  security_context:
+    divingbell:
+      pod:
+        runAsUser: 65534
+      container:
+        apt:
+          readOnlyRootFilesystem: true
+          runAsUser: 0
+          privileged: true
+        apparmor:
+          capabilities:
+            add:
+              - 'MAC_ADMIN'
+          readOnlyRootFilesystem: true
+          runAsUser : 0
+        ethtool:
+          capabilities:
+            add:
+              - 'NET_ADMIN'
+          readOnlyRootFilesystem: true
+          runAsUser : 0
+        exec:
+          readOnlyRootFilesystem: true
+          runAsUser: 0
+          privileged: true
+        limits:
+          readOnlyRootFilesystem: true
+          runAsUser: 0
+        mounts:
+          readOnlyRootFilesystem: true
+          runAsUser: 0
+        perm:
+          readOnlyRootFilesystem: true
+          runAsUser: 0
+        sysctl:
+          capabilities:
+            add:
+              - 'SYS_PTRACE'
+              - 'SYS_ADMIN'
+              - 'SYS_RAWIO'
+          readOnlyRootFilesystem: true
+          runAsUser: 0
   lifecycle:
     upgrades:
       daemonsets: