From 7502c4bfe8c29c1ecdc683f4eda591de0f79ab26 Mon Sep 17 00:00:00 2001 From: Kevin Heise Date: Thu, 10 Oct 2024 13:50:31 +0200 Subject: [PATCH 1/4] add podsecurity context for all provided pods --- charts/vaas/Chart.yaml | 4 ++-- .../vaas/templates/gateway/statefulset.yaml | 3 +++ charts/vaas/templates/gdscan/deployment.yaml | 5 +++-- .../vaas/templates/gdscan/stateful-set.yaml | 5 +++-- charts/vaas/templates/gdscan/update.yaml | 3 +++ charts/vaas/values.yaml | 20 +++++++++++++++++++ 6 files changed, 34 insertions(+), 6 deletions(-) diff --git a/charts/vaas/Chart.yaml b/charts/vaas/Chart.yaml index e728968..5609e9b 100644 --- a/charts/vaas/Chart.yaml +++ b/charts/vaas/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: vaas -version: 2.1.7 +version: 2.2.0 description: Deployment of a Verdict-as-a-Service on-premise instance maintainers: - name: G DATA CyberDefense AG @@ -12,6 +12,6 @@ dependencies: condition: redis.enabled repository: oci://registry-1.docker.io/bitnamicharts - name: mini-identity-provider - version: 0.5.0 + version: 0.6.0 condition: mini-identity-provider.enabled repository: oci://ghcr.io/gdatasoftwareag diff --git a/charts/vaas/templates/gateway/statefulset.yaml b/charts/vaas/templates/gateway/statefulset.yaml index 48ec6a7..0766dcf 100644 --- a/charts/vaas/templates/gateway/statefulset.yaml +++ b/charts/vaas/templates/gateway/statefulset.yaml @@ -26,6 +26,9 @@ spec: volumes: - name: gateway-tmp emptyDir: {} + {{- if .Values.gateway.podSecurityContext.enabled }} + securityContext: {{- .Values.gateway.podSecurityContext | toYaml | nindent 10 }} + {{- end }} containers: - name: {{ include "gateway.name" . }} {{- if .Values.gateway.containerSecurityContext.enabled }} diff --git a/charts/vaas/templates/gdscan/deployment.yaml b/charts/vaas/templates/gdscan/deployment.yaml index f3cda23..d7ff120 100644 --- a/charts/vaas/templates/gdscan/deployment.yaml +++ b/charts/vaas/templates/gdscan/deployment.yaml 
@@ -36,6 +36,9 @@ spec: {{- end }} {{- end }} {{- include "gdscan.imagePullSecrets" . | nindent 6 }} + {{- if .Values.gdscan.client.podSecurityContext.enabled }} + securityContext: {{- .Values.gdscan.client.podSecurityContext | toYaml | nindent 10 }} + {{- end }} containers: - name: {{ .Values.gdscan.client.name }} image: '{{ .Values.gdscan.client.image.repository }}:{{ .Values.gdscan.client.image.tag | default "latest" }}' @@ -80,6 +83,4 @@ spec: tolerations: {{- toYaml . | nindent 8 }} {{- end }} - securityContext: - fsGroup: 1654 {{- end }} diff --git a/charts/vaas/templates/gdscan/stateful-set.yaml b/charts/vaas/templates/gdscan/stateful-set.yaml index d1422c5..42bcc5d 100644 --- a/charts/vaas/templates/gdscan/stateful-set.yaml +++ b/charts/vaas/templates/gdscan/stateful-set.yaml @@ -32,6 +32,9 @@ spec: {{- include "gdscan.selectorLabels" . | nindent 8 }} spec: {{- include "gdscan.imagePullSecrets" . | nindent 6 }} + {{- if .Values.gdscan.client.podSecurityContext.enabled }} + securityContext: {{- .Values.gdscan.client.podSecurityContext | toYaml | nindent 10 }} + {{- end }} containers: - name: {{ .Values.gdscan.client.name }} image: "{{ .Values.gdscan.client.image.repository }}:{{ .Values.gdscan.client.image.tag | default .Chart.AppVersion }}" @@ -76,6 +79,4 @@ spec: tolerations: {{- toYaml . | nindent 8 }} {{- end }} - securityContext: - fsGroup: 1654 {{- end }} \ No newline at end of file diff --git a/charts/vaas/templates/gdscan/update.yaml b/charts/vaas/templates/gdscan/update.yaml index b14195f..94d7961 100644 --- a/charts/vaas/templates/gdscan/update.yaml +++ b/charts/vaas/templates/gdscan/update.yaml 
@@ -71,6 +71,9 @@ spec: - key: .dockerconfigjson path: {{ .name }}.json {{- end }} + {{- if .Values.gdscan.autoUpdate.podSecurityContext.enabled }} + securityContext: {{- .Values.gdscan.autoUpdate.podSecurityContext | toYaml | nindent 12 }} + {{- end }} containers: - name: updater image: "{{ .Values.gdscan.autoUpdate.image.registry }}/{{ .Values.gdscan.autoUpdate.image.repository }}:{{ .Values.gdscan.autoUpdate.image.tag }}" diff --git a/charts/vaas/values.yaml b/charts/vaas/values.yaml index 47e0822..57c883d 100644 --- a/charts/vaas/values.yaml +++ b/charts/vaas/values.yaml @@ -43,6 +43,18 @@ mini-identity-provider: tolerations: [] affinity: {} + podSecurityContext: + enabled: false + + containerSecurityContext: + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + runAsNonRoot: true + capabilities: + drop: ["ALL"] + seccompProfile: + type: RuntimeDefault + cloud: hashLookup: enabled: true @@ -123,6 +135,9 @@ gateway: cpu: 0.5 memory: 256Mi + podSecurityContext: + enabled: false + containerSecurityContext: enabled: true readOnlyRootFilesystem: true @@ -171,6 +186,9 @@ gdscan: repository: ghcr.io/gdatasoftwareag/vaas/scanner pullPolicy: Always tag: "1" + podSecurityContext: + enabled: true + fsGroup: 1654 containerSecurityContext: enabled: true readOnlyRootFilesystem: true @@ -236,6 +254,8 @@ gdscan: registry: ghcr.io/gdatasoftwareag repository: vaas/scanner-updater tag: "0.4.1" + podSecurityContext: + enabled: false containerSecurityContext: enabled: true readOnlyRootFilesystem: true From 82b00a89a7ce16141f196285b217516c44eb22b3 Mon Sep 17 00:00:00 2001 
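Review bot: The `containerSecurityContext` block added under `mini-identity-provider` in the `@@ -43,6 +43,18 @@` hunk carries no `enabled` key, while every other component in this file gates its context on `enabled: true`; these values are handed to the 0.6.0 subchart whose templates are not visible here, so whether it applies the block unconditionally or expects the same gate (and silently drops the hardening when it is absent) should be confirmed against `helm template` output before the bump is merged. The later patch in this series removes `enabled` from the sibling `podSecurityContext` block, which suggests the subchart has no such gate, but that is an inference rather than something the hunk shows. A one-line comment above the block, `# passed through to the mini-identity-provider subchart; 0.6.0 applies it without an enabled gate`, would record the expectation once it has been verified.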
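Review bot: `fsGroup: 1654` in the `@@ -171,6 +186,9 @@ gdscan:` hunk is now applied only while `gdscan.client.podSecurityContext.enabled` is true, whereas the templates previously set it unconditionally (see the `- fsGroup: 1654` removals in deployment.yaml and stateful-set.yaml); an operator who sets `enabled: false` to drop the pod context therefore also loses the group ownership that, together with the `readOnlyRootFilesystem: true` directly below, presumably keeps the scanner's writable volumes usable. The GID is a bare magic number here and is repeated for every component by the next patch in this series, so document it where it is first introduced: `fsGroup: 1654  # GID of the scanner image's user; mounted volumes are chowned to it so they stay writable with a read-only root fs (verify against the image)`. It is also worth a sentence in the README that disabling the pod context removes fsGroup rather than falling back to the old hard-coded value.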
From: Kevin Heise Date: Fri, 11 Oct 2024 11:00:57 +0200 Subject: [PATCH 2/4] set fsGroup for all running pods and fix condition for enabled psc --- charts/vaas/templates/gateway/statefulset.yaml | 2 +- charts/vaas/templates/gdscan/deployment.yaml | 2 +- charts/vaas/templates/gdscan/stateful-set.yaml | 2 +- charts/vaas/templates/gdscan/update.yaml | 2 +- charts/vaas/values.yaml | 11 ++++++++--- helm.sh | 2 +- 6 files changed, 13 insertions(+), 8 deletions(-) diff --git a/charts/vaas/templates/gateway/statefulset.yaml b/charts/vaas/templates/gateway/statefulset.yaml index 0766dcf..5a6cb33 100644 --- a/charts/vaas/templates/gateway/statefulset.yaml +++ b/charts/vaas/templates/gateway/statefulset.yaml @@ -27,7 +27,7 @@ spec: - name: gateway-tmp emptyDir: {} {{- if .Values.gateway.podSecurityContext.enabled }} - securityContext: {{- .Values.gateway.podSecurityContext | toYaml | nindent 10 }} + securityContext: {{- omit .Values.gateway.podSecurityContext "enabled" | toYaml | nindent 8 }} {{- end }} containers: - name: {{ include "gateway.name" . }} diff --git a/charts/vaas/templates/gdscan/deployment.yaml b/charts/vaas/templates/gdscan/deployment.yaml index d7ff120..2cba576 100644 --- a/charts/vaas/templates/gdscan/deployment.yaml +++ b/charts/vaas/templates/gdscan/deployment.yaml @@ -37,7 +37,7 @@ spec: {{- end }} {{- include "gdscan.imagePullSecrets" . | nindent 6 }} {{- if .Values.gdscan.client.podSecurityContext.enabled }} - securityContext: {{- .Values.gdscan.client.podSecurityContext | toYaml | nindent 10 }} + securityContext: {{- omit .Values.gdscan.client.podSecurityContext "enabled" | toYaml | nindent 8 }} {{- end }} containers: - name: {{ .Values.gdscan.client.name }} diff --git a/charts/vaas/templates/gdscan/stateful-set.yaml b/charts/vaas/templates/gdscan/stateful-set.yaml index 42bcc5d..72b3c35 100644 --- a/charts/vaas/templates/gdscan/stateful-set.yaml +++ b/charts/vaas/templates/gdscan/stateful-set.yaml 
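Review bot: The `{{- if … }}` / `securityContext: {{- omit … "enabled" | toYaml | nindent N }}` / `{{- end }}` trio is now written out by hand in four templates, and the fact that this patch had to touch all four to move from `nindent 10` to `8` (while update.yaml keeps `12`) is the maintenance cost of that duplication. A named template in `_helpers.tpl` that takes the values map, tests `.enabled`, and emits `securityContext:` followed by `omit . "enabled" | toYaml`, called with `include` and a single `nindent` at each call site, would keep the omit-and-indent logic in one place so the next field to strip or re-indent is changed once. The differing indent values themselves are presumably correct given the deeper nesting of the CronJob pod template, but that cannot be checked from the hunk alone.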
@@ -33,7 +33,7 @@ spec: spec: {{- include "gdscan.imagePullSecrets" . | nindent 6 }} {{- if .Values.gdscan.client.podSecurityContext.enabled }} - securityContext: {{- .Values.gdscan.client.podSecurityContext | toYaml | nindent 10 }} + securityContext: {{- omit .Values.gdscan.client.podSecurityContext "enabled" | toYaml | nindent 8 }} {{- end }} containers: - name: {{ .Values.gdscan.client.name }} diff --git a/charts/vaas/templates/gdscan/update.yaml b/charts/vaas/templates/gdscan/update.yaml index 94d7961..c8daeb4 100644 --- a/charts/vaas/templates/gdscan/update.yaml +++ b/charts/vaas/templates/gdscan/update.yaml @@ -72,7 +72,7 @@ spec: path: {{ .name }}.json {{- end }} {{- if .Values.gdscan.autoUpdate.podSecurityContext.enabled }} - securityContext: {{- .Values.gdscan.autoUpdate.podSecurityContext | toYaml | nindent 12 }} + securityContext: {{- omit .Values.gdscan.autoUpdate.podSecurityContext "enabled" | toYaml | nindent 12 }} {{- end }} containers: - name: updater diff --git a/charts/vaas/values.yaml b/charts/vaas/values.yaml index 57c883d..17730bd 100644 --- a/charts/vaas/values.yaml +++ b/charts/vaas/values.yaml @@ -44,7 +44,7 @@ mini-identity-provider: affinity: {} podSecurityContext: - enabled: false + fsGroup: 1654 containerSecurityContext: readOnlyRootFilesystem: true @@ -136,7 +136,8 @@ gateway: memory: 256Mi podSecurityContext: - enabled: false + enabled: true + fsGroup: 1654 containerSecurityContext: enabled: true @@ -255,7 +256,8 @@ gdscan: repository: vaas/scanner-updater tag: "0.4.1" podSecurityContext: - enabled: false + enabled: true + fsGroup: 1654 containerSecurityContext: enabled: true readOnlyRootFilesystem: true @@ -288,6 +290,9 @@ redis: memory: 64Mi persistence: enabled: false + podSecurityContext: + enabled: true + fsGroup: 1654 containerSecurityContext: enabled: true readOnlyRootFilesystem: true diff --git a/helm.sh b/helm.sh index 2e49f7f..43c122a 100755 --- a/helm.sh +++ b/helm.sh 
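Review bot: With the gateway pod context now enabled by default in the `@@ -136,7 +136,8 @@ gateway:` hunk, the only pod-level setting is `fsGroup: 1654`; everything that actually restricts the process (`readOnlyRootFilesystem` is visible, the rest is outside the hunk) lives in `containerSecurityContext`, which the statefulset template wraps in its own `{{- if .Values.gateway.containerSecurityContext.enabled }}` toggle, so switching that off leaves the pod with no non-root or seccomp enforcement at all. Pod-level settings apply to every container in the pod, including any init or sidecar container added later, so the fields that are valid at pod scope are better defaulted there: add `runAsNonRoot: true` and `seccompProfile: {type: RuntimeDefault}` under `gateway.podSecurityContext` and let the container block keep the container-only fields. The same reasoning applies to the gdscan and autoUpdate blocks in this file; container-level values still override the pod defaults where they differ.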
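Review bot: If the `redis:` section of values.yaml is passed as-is to the Bitnami `redis` subchart declared in Chart.yaml, a top-level `redis.podSecurityContext` in the `@@ -288,6 +290,9 @@ redis:` hunk is not a key that chart reads — its pod-level contexts live under `master.podSecurityContext` and `replica.podSecurityContext` — so the new `fsGroup: 1654` would be silently ignored; the same question already hangs over the pre-existing `redis.containerSecurityContext` block just below it. Please confirm with `helm template` that the rendered redis StatefulSet actually carries `securityContext.fsGroup: 1654`, and if it does not, move the values under `redis.master.podSecurityContext` (and `redis.replica.podSecurityContext` when replicas are enabled). A comment such as `# bitnami/redis reads pod/container security contexts per role (master/replica), not at this level` would keep the next reader from repeating the mistake.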
@@ -13,4 +13,4 @@ VALUES_FILE=$1 helm dep up charts/vaas helm lint charts/vaas -f $VALUES_FILE helm template charts/vaas -f $VALUES_FILE -helm upgrade --install vaas charts/vaas -f $VALUES_FILE -n vaas --create-namespace +helm upgrade --install vaas charts/vaas -f $VALUES_FILE -n vaas --create-namespace --debug From 2b62047966c2d26cf248d6e6f0f2b2284426db58 Mon Sep 17 00:00:00 2001 From: Kevin Heise Date: Fri, 11 Oct 2024 11:06:13 +0200 Subject: [PATCH 3/4] adjust docu --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 9f9934c..5fdc6cf 100644 --- a/README.md +++ b/README.md @@ -224,7 +224,8 @@ In addition, Sentry will always behave as follows: | gateway.resources.limits.memory | Maximum memory usage | 512Mi | | gateway.resources.requests.cpu | Requested CPU performance | 0.5 | | gateway.resources.requests.memory | Requested memory usage | 256Mi | -| gateway.containerSecurityContext.enabled | Enable/Disable container security context | false | +| gateway.containerSecurityContext.enabled | Enable/Disable container security context | true | +| gateway.podSecurityContext.enabled | Enable/Disable pod security context | true | | gateway.uploadUrl | URL for the upload service | "http://localhost:8080/upload" | | gateway.podAnnotations | Annotations for pods | {} | | gateway.nodeSelector | Node labels for pod assignment | {} | From 1daeaa3ba49bd0c745aab31b0f70236a1dadd0b5 Mon Sep 17 00:00:00 2001 From: Kevin Heise Date: Fri, 11 Oct 2024 11:22:09 +0200 Subject: [PATCH 4/4] fix linting issues --- charts/vaas/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/vaas/values.yaml b/charts/vaas/values.yaml index 17730bd..8485e21 100644 --- a/charts/vaas/values.yaml +++ b/charts/vaas/values.yaml @@ -53,7 +53,7 @@ mini-identity-provider: capabilities: drop: ["ALL"] seccompProfile: - type: RuntimeDefault + type: RuntimeDefault cloud: hashLookup:
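Review bot: Adding `--debug` to the `helm upgrade --install` line makes Helm print the user-supplied values, the computed values (chart and subchart defaults merged with `$VALUES_FILE`) and the rendered manifests to stderr on every deploy, so anything sensitive carried in the values file — identity-provider credentials, registry pull secrets, TLS material — lands in the shell or CI log; `helm template` on the line above already exposes the manifests, but the values dump is new. Unless this script is strictly local, make it opt-in: `helm upgrade --install vaas charts/vaas -f "$VALUES_FILE" -n vaas --create-namespace ${HELM_DEBUG:+--debug}`, which also quotes the path so a values file name with spaces is not split into several arguments.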