Skip to content

Commit

Permalink
feat(chart): Make security context configurable (#4536)
Browse files Browse the repository at this point in the history
* Make security context configurable

Signed-off-by: Tamal Saha <[email protected]>

* make gen-check

Signed-off-by: Tamal Saha <[email protected]>

* Update current.yaml

Signed-off-by: Tamal Saha <[email protected]>

---------

Signed-off-by: Tamal Saha <[email protected]>
  • Loading branch information
tamalsaha authored Oct 30, 2024
1 parent f5552a4 commit 20a4622
Show file tree
Hide file tree
Showing 18 changed files with 677 additions and 46 deletions.
9 changes: 8 additions & 1 deletion charts/gateway-helm/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -59,7 +59,7 @@ To uninstall the chart:

| Key | Type | Default | Description |
|-----|------|---------|-------------|
| certgen | object | `{"job":{"affinity":{},"annotations":{},"nodeSelector":{},"resources":{},"tolerations":[],"ttlSecondsAfterFinished":30},"rbac":{"annotations":{},"labels":{}}}` | Certgen is used to generate the certificates required by EnvoyGateway. If you want to construct a custom certificate, you can generate a custom certificate through Cert-Manager before installing EnvoyGateway. Certgen will not overwrite the custom certificate. Please do not manually modify `values.yaml` to disable certgen, it may cause EnvoyGateway OIDC,OAuth2,etc. to not work as expected. |
| certgen | object | `{"job":{"affinity":{},"annotations":{},"nodeSelector":{},"resources":{},"securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}},"tolerations":[],"ttlSecondsAfterFinished":30},"rbac":{"annotations":{},"labels":{}}}` | Certgen is used to generate the certificates required by EnvoyGateway. If you want to construct a custom certificate, you can generate a custom certificate through Cert-Manager before installing EnvoyGateway. Certgen will not overwrite the custom certificate. Please do not manually modify `values.yaml` to disable certgen, it may cause EnvoyGateway OIDC,OAuth2,etc. to not work as expected. |
| config.envoyGateway.gateway.controllerName | string | `"gateway.envoyproxy.io/gatewayclass-controller"` | |
| config.envoyGateway.logging.level.default | string | `"info"` | |
| config.envoyGateway.provider.type | string | `"Kubernetes"` | |
Expand All @@ -71,6 +71,13 @@ To uninstall the chart:
| deployment.envoyGateway.resources.limits.memory | string | `"1024Mi"` | |
| deployment.envoyGateway.resources.requests.cpu | string | `"100m"` | |
| deployment.envoyGateway.resources.requests.memory | string | `"256Mi"` | |
| deployment.envoyGateway.securityContext.allowPrivilegeEscalation | bool | `false` | |
| deployment.envoyGateway.securityContext.capabilities.drop[0] | string | `"ALL"` | |
| deployment.envoyGateway.securityContext.privileged | bool | `false` | |
| deployment.envoyGateway.securityContext.runAsGroup | int | `65532` | |
| deployment.envoyGateway.securityContext.runAsNonRoot | bool | `true` | |
| deployment.envoyGateway.securityContext.runAsUser | int | `65532` | |
| deployment.envoyGateway.securityContext.seccompProfile.type | string | `"RuntimeDefault"` | |
| deployment.pod.affinity | object | `{}` | |
| deployment.pod.annotations."prometheus.io/port" | string | `"19001"` | |
| deployment.pod.annotations."prometheus.io/scrape" | string | `"true"` | |
Expand Down
12 changes: 1 addition & 11 deletions charts/gateway-helm/templates/certgen.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -39,17 +39,7 @@ spec:
{{- toYaml . | nindent 10 }}
{{- end }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsGroup: 65534
runAsUser: 65534
seccompProfile:
type: RuntimeDefault
{{- toYaml .Values.certgen.job.securityContext | nindent 10 }}
{{- include "eg.image.pullSecrets" . | nindent 6 }}
{{- with .Values.certgen.job.affinity }}
affinity:
Expand Down
17 changes: 4 additions & 13 deletions charts/gateway-helm/templates/envoy-gateway-deployment.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,7 @@ spec:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.deployment.pod.nodeSelector }}
nodeSelector:
nodeSelector:
{{ toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.deployment.pod.topologySpreadConstraints }}
Expand Down Expand Up @@ -73,19 +73,10 @@ spec:
port: 8081
initialDelaySeconds: 5
periodSeconds: 10
resources: {{- toYaml .Values.deployment.envoyGateway.resources | nindent 10
}}
resources:
{{- toYaml .Values.deployment.envoyGateway.resources | nindent 10 }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
runAsNonRoot: true
runAsGroup: 65532
runAsUser: 65532
seccompProfile:
type: RuntimeDefault
{{- toYaml .Values.deployment.envoyGateway.securityContext | nindent 10 }}
volumeMounts:
- mountPath: /config
name: envoy-gateway-config
Expand Down
23 changes: 23 additions & 0 deletions charts/gateway-helm/values.tmpl.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,17 @@ deployment:
requests:
cpu: 100m
memory: 256Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
runAsNonRoot: true
runAsGroup: 65532
runAsUser: 65532
seccompProfile:
type: RuntimeDefault
ports:
- name: grpc
port: 18000
Expand Down Expand Up @@ -86,6 +97,18 @@ certgen:
tolerations: []
nodeSelector: {}
ttlSecondsAfterFinished: 30
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsGroup: 65534
runAsUser: 65534
seccompProfile:
type: RuntimeDefault
rbac:
annotations: {}
labels: {}
2 changes: 1 addition & 1 deletion release-notes/current.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ security updates: |
# New features or capabilities added in this release.
new features: |
Add a new feature here
Add support for modifying container securityContext for Envoy Gateway deployment in Helm
# Fixes for bugs identified in previous versions.
bug fixes: |
Expand Down
9 changes: 8 additions & 1 deletion site/content/en/latest/install/gateway-helm-api.md
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ The Helm chart for Envoy Gateway

| Key | Type | Default | Description |
|-----|------|---------|-------------|
| certgen | object | `{"job":{"affinity":{},"annotations":{},"nodeSelector":{},"resources":{},"tolerations":[],"ttlSecondsAfterFinished":30},"rbac":{"annotations":{},"labels":{}}}` | Certgen is used to generate the certificates required by EnvoyGateway. If you want to construct a custom certificate, you can generate a custom certificate through Cert-Manager before installing EnvoyGateway. Certgen will not overwrite the custom certificate. Please do not manually modify `values.yaml` to disable certgen, it may cause EnvoyGateway OIDC,OAuth2,etc. to not work as expected. |
| certgen | object | `{"job":{"affinity":{},"annotations":{},"nodeSelector":{},"resources":{},"securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}},"tolerations":[],"ttlSecondsAfterFinished":30},"rbac":{"annotations":{},"labels":{}}}` | Certgen is used to generate the certificates required by EnvoyGateway. If you want to construct a custom certificate, you can generate a custom certificate through Cert-Manager before installing EnvoyGateway. Certgen will not overwrite the custom certificate. Please do not manually modify `values.yaml` to disable certgen, it may cause EnvoyGateway OIDC,OAuth2,etc. to not work as expected. |
| config.envoyGateway.gateway.controllerName | string | `"gateway.envoyproxy.io/gatewayclass-controller"` | |
| config.envoyGateway.logging.level.default | string | `"info"` | |
| config.envoyGateway.provider.type | string | `"Kubernetes"` | |
Expand All @@ -35,6 +35,13 @@ The Helm chart for Envoy Gateway
| deployment.envoyGateway.resources.limits.memory | string | `"1024Mi"` | |
| deployment.envoyGateway.resources.requests.cpu | string | `"100m"` | |
| deployment.envoyGateway.resources.requests.memory | string | `"256Mi"` | |
| deployment.envoyGateway.securityContext.allowPrivilegeEscalation | bool | `false` | |
| deployment.envoyGateway.securityContext.capabilities.drop[0] | string | `"ALL"` | |
| deployment.envoyGateway.securityContext.privileged | bool | `false` | |
| deployment.envoyGateway.securityContext.runAsGroup | int | `65532` | |
| deployment.envoyGateway.securityContext.runAsNonRoot | bool | `true` | |
| deployment.envoyGateway.securityContext.runAsUser | int | `65532` | |
| deployment.envoyGateway.securityContext.seccompProfile.type | string | `"RuntimeDefault"` | |
| deployment.pod.affinity | object | `{}` | |
| deployment.pod.annotations."prometheus.io/port" | string | `"19001"` | |
| deployment.pod.annotations."prometheus.io/scrape" | string | `"true"` | |
Expand Down
9 changes: 8 additions & 1 deletion site/content/zh/latest/install/gateway-helm-api.md
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ The Helm chart for Envoy Gateway

| Key | Type | Default | Description |
|-----|------|---------|-------------|
| certgen | object | `{"job":{"affinity":{},"annotations":{},"nodeSelector":{},"resources":{},"tolerations":[],"ttlSecondsAfterFinished":30},"rbac":{"annotations":{},"labels":{}}}` | Certgen is used to generate the certificates required by EnvoyGateway. If you want to construct a custom certificate, you can generate a custom certificate through Cert-Manager before installing EnvoyGateway. Certgen will not overwrite the custom certificate. Please do not manually modify `values.yaml` to disable certgen, it may cause EnvoyGateway OIDC,OAuth2,etc. to not work as expected. |
| certgen | object | `{"job":{"affinity":{},"annotations":{},"nodeSelector":{},"resources":{},"securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}},"tolerations":[],"ttlSecondsAfterFinished":30},"rbac":{"annotations":{},"labels":{}}}` | Certgen is used to generate the certificates required by EnvoyGateway. If you want to construct a custom certificate, you can generate a custom certificate through Cert-Manager before installing EnvoyGateway. Certgen will not overwrite the custom certificate. Please do not manually modify `values.yaml` to disable certgen, it may cause EnvoyGateway OIDC,OAuth2,etc. to not work as expected. |
| config.envoyGateway.gateway.controllerName | string | `"gateway.envoyproxy.io/gatewayclass-controller"` | |
| config.envoyGateway.logging.level.default | string | `"info"` | |
| config.envoyGateway.provider.type | string | `"Kubernetes"` | |
Expand All @@ -35,6 +35,13 @@ The Helm chart for Envoy Gateway
| deployment.envoyGateway.resources.limits.memory | string | `"1024Mi"` | |
| deployment.envoyGateway.resources.requests.cpu | string | `"100m"` | |
| deployment.envoyGateway.resources.requests.memory | string | `"256Mi"` | |
| deployment.envoyGateway.securityContext.allowPrivilegeEscalation | bool | `false` | |
| deployment.envoyGateway.securityContext.capabilities.drop[0] | string | `"ALL"` | |
| deployment.envoyGateway.securityContext.privileged | bool | `false` | |
| deployment.envoyGateway.securityContext.runAsGroup | int | `65532` | |
| deployment.envoyGateway.securityContext.runAsNonRoot | bool | `true` | |
| deployment.envoyGateway.securityContext.runAsUser | int | `65532` | |
| deployment.envoyGateway.securityContext.seccompProfile.type | string | `"RuntimeDefault"` | |
| deployment.pod.affinity | object | `{}` | |
| deployment.pod.annotations."prometheus.io/port" | string | `"19001"` | |
| deployment.pod.annotations."prometheus.io/scrape" | string | `"true"` | |
Expand Down
4 changes: 2 additions & 2 deletions test/helm/gateway-helm/certjen-custom-scheduling.out.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -432,8 +432,8 @@ spec:
drop:
- ALL
privileged: false
runAsNonRoot: true
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
seccompProfile:
type: RuntimeDefault
Expand Down Expand Up @@ -563,8 +563,8 @@ spec:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsGroup: 65534
runAsNonRoot: true
runAsUser: 65534
seccompProfile:
type: RuntimeDefault
Expand Down
4 changes: 2 additions & 2 deletions test/helm/gateway-helm/control-plane-with-pdb.out.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -447,8 +447,8 @@ spec:
drop:
- ALL
privileged: false
runAsNonRoot: true
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
seccompProfile:
type: RuntimeDefault
Expand Down Expand Up @@ -578,8 +578,8 @@ spec:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsGroup: 65534
runAsNonRoot: true
runAsUser: 65534
seccompProfile:
type: RuntimeDefault
Expand Down
4 changes: 2 additions & 2 deletions test/helm/gateway-helm/default-config.out.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -432,8 +432,8 @@ spec:
drop:
- ALL
privileged: false
runAsNonRoot: true
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
seccompProfile:
type: RuntimeDefault
Expand Down Expand Up @@ -563,8 +563,8 @@ spec:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsGroup: 65534
runAsNonRoot: true
runAsUser: 65534
seccompProfile:
type: RuntimeDefault
Expand Down
4 changes: 2 additions & 2 deletions test/helm/gateway-helm/deployment-custom-topology.out.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -460,8 +460,8 @@ spec:
drop:
- ALL
privileged: false
runAsNonRoot: true
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
seccompProfile:
type: RuntimeDefault
Expand Down Expand Up @@ -591,8 +591,8 @@ spec:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsGroup: 65534
runAsNonRoot: true
runAsUser: 65534
seccompProfile:
type: RuntimeDefault
Expand Down
4 changes: 2 additions & 2 deletions test/helm/gateway-helm/deployment-images-config.out.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -432,8 +432,8 @@ spec:
drop:
- ALL
privileged: false
runAsNonRoot: true
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
seccompProfile:
type: RuntimeDefault
Expand Down Expand Up @@ -565,8 +565,8 @@ spec:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsGroup: 65534
runAsNonRoot: true
runAsUser: 65534
seccompProfile:
type: RuntimeDefault
Expand Down
4 changes: 2 additions & 2 deletions test/helm/gateway-helm/deployment-priorityclass.out.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -432,8 +432,8 @@ spec:
drop:
- ALL
privileged: false
runAsNonRoot: true
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
seccompProfile:
type: RuntimeDefault
Expand Down Expand Up @@ -564,8 +564,8 @@ spec:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsGroup: 65534
runAsNonRoot: true
runAsUser: 65534
seccompProfile:
type: RuntimeDefault
Expand Down
32 changes: 32 additions & 0 deletions test/helm/gateway-helm/deployment-securitycontext.in.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
global:
images:
envoyGateway:
image: "docker.io/envoyproxy/gateway-dev:latest"
pullPolicy: Always
deployment:
envoyGateway:
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
runAsNonRoot: true
runAsGroup: 1000
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
certgen:
job:
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsGroup: 1000
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
Loading

0 comments on commit 20a4622

Please sign in to comment.