fix: security context, openshift adaptation (#28)
soniqua authored Nov 12, 2024
1 parent 7f3346c commit fe4b2b4
Showing 5 changed files with 279 additions and 73 deletions.
48 changes: 24 additions & 24 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -288,28 +288,28 @@ helm install ... --set credentialReferences.MY_GITHUB_TOKEN=<gh-pat>

### Service Account

| Name | Description | Value |
| --------------------------------------------------- | -------------------------------------------------------------------------------------------- | ---------------- |
| `serviceAccount.create` | Enable creation of a serviceAccount | `true` |
| `serviceAccount.existingName` | Optionally provide an existing serviceAccount name | `""` |
| `serviceAccount.annotations` | Additional custom annotations for the serviceAccount | `{}` |
| `serviceAccount.name` | The name of the serviceAccount to create. If not set and create is true, a name is generated | `""` |
| `podSecurityContext.enabled` | Enable security context for Broker Pods | `true` |
| `podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
| `podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
| `podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
| `podSecurityContext.fsGroup` | Group ID for the volumes of the pod | `1000` |
| `containerSecurityContext.enabled` | Enabled Broker containers' Security Context | `true` |
| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
| `containerSecurityContext.runAsUser` | Set Broker containers' Security Context runAsUser | `1000` |
| `containerSecurityContext.runAsGroup` | Set Broker containers' Security Context runAsGroup | `1000` |
| `containerSecurityContext.allowPrivilegeEscalation` | Set Broker containers' Security Context allowPrivilegeEscalation | `false` |
| `containerSecurityContext.capabilities.drop` | Set containers' repo server Security Context capabilities to be dropped | `["ALL"]` |
| `containerSecurityContext.readOnlyRootFilesystem` | Set containers' repo server Security Context readOnlyRootFilesystem | `true` |
| `containerSecurityContext.runAsNonRoot` | Set Broker containers' Security Context runAsNonRoot | `true` |
| `containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
| `containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
| `extraVolumes` | Optionally specify extra list of additional volumes for Broker container | `[]` |
| `extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for Broker container | `[]` |
| `extraEnvVars` | Optionally specify extra list of additional environment variables for Broker container | `[]` |
| Name | Description | Value |
| --------------------------------------------------- | -------------------------------------------------------------------------------------------- | ------------------ |
| `serviceAccount.create` | Enable creation of a serviceAccount | `true` |
| `serviceAccount.existingName` | Optionally provide an existing serviceAccount name | `""` |
| `serviceAccount.annotations` | Additional custom annotations for the serviceAccount | `{}` |
| `serviceAccount.name` | The name of the serviceAccount to create. If not set and create is true, a name is generated | `""` |
| `podSecurityContext.enabled` | Enable security context for Broker Pods | `true` |
| `podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
| `podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
| `podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
| `podSecurityContext.fsGroup` | Group ID for the volumes of the pod | `1000` |
| `containerSecurityContext.enabled` | Enable Broker container security context | `true` |
| `containerSecurityContext.seLinuxOptions` | Set SELinux options for Broker container | `{}` |
| `containerSecurityContext.runAsUser` | | `1000` |
| `containerSecurityContext.runAsGroup` | | `1000` |
| `containerSecurityContext.allowPrivilegeEscalation` | Allow the Broker container to escalate privileges | `false` |
| `containerSecurityContext.capabilities.drop` | ] Linux capabilities to drop | `""` |
| `containerSecurityContext.readOnlyRootFilesystem` | Must be set to false; Broker will write configuration to filesystem upon startup | `false` |
| `containerSecurityContext.runAsNonRoot` | Run Broker as non-root | `true` |
| `containerSecurityContext.privileged` | Run Broker as a privileged container | `false` |
| `containerSecurityContext.seccompProfile.type` | Set the `seccomProfile` for Broker | `"RunTimeDefault"` |
| `extraVolumes` | Optionally specify extra list of additional volumes for Broker container | `[]` |
| `extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for Broker container | `[]` |
| `extraEnvVars` | Optionally specify extra list of additional environment variables for Broker container | `[]` |

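--- /dev/null
+++ b/snyk-universal-broker/tests/compatibility_test.yaml
@@ -0,0 +1,76 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json
+
+suite: OpenShift Compatibility
+templates:
+- statefulset.yaml
+values:
+- ../values.yaml
+- fixtures/default_values.yaml
+
+tests:
+- it: Adjusts the security context for OpenShift
+capabilities:
+apiVersions:
+- "security.openshift.io/v1"
+asserts:
+- notExists:
+path: spec.template.spec.securityContext.fsGroup
+- notExists:
+path: spec.template.spec.containers[0].securityContext.runAsUser
+- notExists:
+path: spec.template.spec.containers[0].securityContext.runAsGroup
+- notExists:
+path: spec.template.spec.containers[0].securityContext.seLinuxOptions
+
+- it: Keeps the security context if not OpenShift
+asserts:
+- exists:
+path: spec.template.spec.securityContext.fsGroup
+- exists:
+path: spec.template.spec.containers[0].securityContext.runAsUser
+- exists:
+path: spec.template.spec.containers[0].securityContext.runAsGroup
+- exists:
+path: spec.template.spec.containers[0].securityContext.seLinuxOptions
+
+- it: Allows for mounting of OpenShift CA via ConfigMap
+## ref: https://docs.openshift.com/container-platform/4.9/networking/configuring-a-custom-pki.html#certificate-injection-using-operators_configuring-a-custom-pki
+set:
+extraVolumes:
+- name: trusted-ca
+configMap:
+name: trusted-ca
+items:
+- key: ca-bundle.crt
+path: tls-ca-bundle.pem
+extraVolumeMounts:
+- name: trusted-ca
+mountPath: /home/node/cacert
+readOnly: true
+caCertMount:
+path: /home/node/cacert
+name: tls-ca-bundle.pem
+extraEnvVars:
+- name: CA_CERT
+value: /home/node/cacert/tls-ca-bundle.pem
+asserts:
+- contains:
+path: spec.template.spec.containers[0].volumeMounts
+content:
+name: trusted-ca
+mountPath: /home/node/cacert
+readOnly: true
+- contains:
+path: spec.template.spec.volumes
+content:
+name: trusted-ca
+configMap:
+name: trusted-ca
+items:
+- key: ca-bundle.crt
+path: tls-ca-bundle.pem
+- contains:
+path: spec.template.spec.containers[0].env
+content:
+name: CA_CERT
+value: /home/node/cacert/tls-ca-bundle.pem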
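Review bot: The OpenShift case only checks which fields disappear (`fsGroup`, `runAsUser`, `runAsGroup`, `seLinuxOptions`) and never checks that the rest of the hardening survives, so a template that dropped the whole `securityContext` whenever `security.openshift.io/v1` is present would still pass this suite. Pair the `notExists` assertions with positive ones such as `- equal: { path: spec.template.spec.containers[0].securityContext.runAsNonRoot, value: true }` and `- equal: { path: spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation, value: false }`. The CA-mount case sets `caCertMount.path` and `caCertMount.name` but asserts nothing derived from them, so either assert where they are rendered or drop them from `set`. Detection appears to key on the API group being listed in `capabilities.apiVersions`, which presumably means a plain `helm template` without `--api-versions` renders the non-OpenShift variant; a one-line comment above the first test saying so would save the next reader a trip to the template.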
100 changes: 65 additions & 35 deletions snyk-universal-broker/tests/pod_runtimes_test.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -7,50 +7,27 @@ templates:
- statefulset.yaml

tests:
- it: should set pod security context when enabled
set:
podSecurityContext.enabled: true
podSecurityContext.fsGroup: 1001
podSecurityContext.fsGroupChangePolicy: "Always"
podSecurityContext.supplementalGroups: [2000]
podSecurityContext.sysctls:
- name: "net.core.somaxconn"
value: "1024"
- it: should set pod security context by default
asserts:
- equal:
path: spec.template.spec.securityContext.fsGroup
value: 1001
- equal:
path: spec.template.spec.securityContext.fsGroupChangePolicy
value: "Always"
- equal:
path: spec.template.spec.securityContext.supplementalGroups[0]
value: 2000
- equal:
path: spec.template.spec.securityContext.sysctls[0].name
value: "net.core.somaxconn"
- equal:
path: spec.template.spec.securityContext.sysctls[0].value
value: "1024"
value: 1000

- it: should set container security context when enabled
- it: disables pod security context
set:
containerSecurityContext.enabled: true
containerSecurityContext.runAsUser: 1001
containerSecurityContext.runAsGroup: 1001
containerSecurityContext.runAsNonRoot: true
containerSecurityContext.allowPrivilegeEscalation: false
containerSecurityContext.capabilities.drop: ["ALL"]
containerSecurityContext.seccompProfile.type: "RuntimeDefault"
containerSecurityContext.privileged: false
containerSecurityContext.readOnlyRootFilesystem: true
podSecurityContext.enabled: false
asserts:
- notExists:
path: spec.template.spec.securityContext

- it: should set container security context by default
asserts:
- equal:
path: spec.template.spec.containers[0].securityContext.runAsUser
value: 1001
value: 1000
- equal:
path: spec.template.spec.containers[0].securityContext.runAsGroup
value: 1001
value: 1000
- equal:
path: spec.template.spec.containers[0].securityContext.runAsNonRoot
value: true
Expand All @@ -68,7 +45,60 @@ tests:
value: false
- equal:
path: spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem
value: true
value: false

- it: disables container security context
set:
containerSecurityContext.enabled: false
asserts:
- notExists:
path: spec.template.spec.containers[0].securityContext

- it: sets extra pod security context options
set:
podSecurityContext.fsGroup: 1001
podSecurityContext.fsGroupChangePolicy: "OnRootMismatch"
podSecurityContext.supplementalGroups: [2000]
podSecurityContext.sysctls:
- name: "net.core.somaxconn"
value: "1024"
asserts:
- equal:
path: spec.template.spec.securityContext.fsGroup
value: 1001
- equal:
path: spec.template.spec.securityContext.fsGroupChangePolicy
value: "OnRootMismatch"
- contains:
path: spec.template.spec.securityContext.supplementalGroups
content:
2000
- contains:
path: spec.template.spec.securityContext.sysctls
content:
name: "net.core.somaxconn"
value: "1024"

- it: sets extra container security context options
set:
containerSecurityContext.seLinuxOptions:
level: "s0:c123,c456"
containerSecurityContext.capabilities.add:
- "NET_ADMIN"
asserts:
- equal:
path: spec.template.spec.containers[0].securityContext.seLinuxOptions.level
value: "s0:c123,c456"
- contains:
path: spec.template.spec.containers[0].securityContext.capabilities.add
content:
"NET_ADMIN"

- it: fails if readOnlyRootFilesystem is `true`
set:
containerSecurityContext.readOnlyRootFilesystem: true
asserts:
- failedTemplate: {}

- it: can add tolerations
set:
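Review bot: `failedTemplate: {}` in the readOnlyRootFilesystem test case accepts any render failure, so the test keeps passing if the chart breaks for an unrelated reason such as a bad include or a schema violation elsewhere. Pin it to the guard's message, e.g. `- failedTemplate: { errorPattern: readOnlyRootFilesystem }` (adjusted to whatever text the template's `fail` actually emits). The default-context test now pins `readOnlyRootFilesystem: false` and its middle is collapsed here, so I cannot see whether `capabilities.drop: ["ALL"]` is still asserted; the README table in this commit lists that default as `""`, which is worth confirming against values.yaml. The `sets extra container security context options` case rendering `capabilities.add: [NET_ADMIN]` is a fair passthrough test, but the schema added in this commit does not constrain `capabilities.add` at all, so a comment on that case noting the value is user-supplied and unvalidated would help.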
98 changes: 96 additions & 2 deletions snyk-universal-broker/values.schema.json
Original file line number Diff line number Diff line change
Expand Up @@ -203,7 +203,101 @@
}
}
},
"podSecurityContext": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean"
},
"fsGroupChangePolicy": {
"type": "string",
"enum": [
"Always",
"OnRootMismatch"
]
},
"sysctls": {
"type": "array",
"items": {
"type": "object",
"properties": {
"name": {
"type": "string"
},
"value": {
"type": "string"
}
}
}
},
"supplementalGroups": {
"type": "array",
"items": {
"type": "integer"
}
},
"fsGroup": {
"type": "integer",
"default": 1000
}
}
},
"containerSecurityContext": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean"
},
"seLinuxOptions": {
"type": "object"
},
"runAsUser": {
"type": "integer",
"default": 1000
},
"runAsGroup": {
"type": "integer",
"default": 1000
},
"runAsNonRoot": {
"type": "boolean",
"default": true
},
"privileged": {
"type": "boolean",
"default": false
},
"allowPrivilegeEscalation": {
"type": "boolean",
"default": false
},
"capabilities": {
"type": "object",
"properties": {
"drop": {
"type": "array",
"items": {
"type": "string"
}
}
}
},
"seccompProfile": {
"type": "object"
},
"readOnlyRootFilesystem": {
"type": "boolean",
"enum": [
false
],
"default": false
}
}
},
"global": {
"type": "object",
"additionalProperties": true
},
"additionalProperties": false
},
"additionalProperties": true
}
}
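Review bot: `seccompProfile` and `seLinuxOptions` are declared as bare `object`, so the schema validates nothing inside them, while `capabilities` declares only `drop` and leaves `add` (which `pod_runtimes_test.yaml` in this commit exercises with `NET_ADMIN`) unconstrained. The README table in this commit renders the seccomp default as `"RunTimeDefault"`; if values.yaml spells it that way the API server rejects the pod, and an `enum` on `seccompProfile.type` would surface that at `helm lint` time rather than at install. `readOnlyRootFilesystem` is now locked to `false` via `enum`, which drops a common hardening control; a `description` stating why (the README says the Broker writes its configuration to the filesystem at startup) would stop a later maintainer treating the lock as an accident. Suggested replacements for those four entries under `containerSecurityContext.properties` are below.

```json
"seLinuxOptions": {
  "type": "object",
  "properties": {
    "level": { "type": "string" },
    "role": { "type": "string" },
    "type": { "type": "string" },
    "user": { "type": "string" }
  },
  "additionalProperties": false
},
"capabilities": {
  "type": "object",
  "properties": {
    "add": { "type": "array", "items": { "type": "string" } },
    "drop": { "type": "array", "items": { "type": "string" } }
  },
  "additionalProperties": false
},
"seccompProfile": {
  "type": "object",
  "properties": {
    "type": { "type": "string", "enum": ["RuntimeDefault", "Localhost", "Unconfined"] },
    "localhostProfile": { "type": "string" }
  },
  "additionalProperties": false
},
"readOnlyRootFilesystem": {
  "type": "boolean",
  "enum": [false],
  "default": false,
  "description": "Must remain false: the Broker writes its configuration to the filesystem on startup."
}
```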
