From c101a2e527d069a30b8ad9d98ad87b1c20f56cc3 Mon Sep 17 00:00:00 2001
From: Tuomo Tanskanen
Date: Thu, 5 Jan 2023 09:35:03 +0200
Subject: [PATCH] add explicit securitycontexts to controllers
Add explicit, secure securityContexts for all managers except CAPD, which is privileged and for testing purposes. These securityContexts do not change the configuration, just make it explicit and enforced, except for the seccompPolicy which changes from Unconfined to RuntimeDefault. Syscalls filtered by RuntimeDefault policy are 95% namespaced and require capabilities (which we drop) in the first place, so no practical change there either.
---
bootstrap/kubeadm/config/manager/manager.yaml | 54 ++++++++-----
config/manager/manager.yaml | 78 +++++++++++--------
.../kubeadm/config/manager/manager.yaml | 78 +++++++++++--------
.../src/developer/providers/v1.3-to-v1.4.md | 6 +-
test/extension/config/default/manager.yaml | 20 ++++-
5 files changed, 143 insertions(+), 93 deletions(-)
diff --git a/bootstrap/kubeadm/config/manager/manager.yaml b/bootstrap/kubeadm/config/manager/manager.yaml
index 19b342985253..d54386179159 100644
--- a/bootstrap/kubeadm/config/manager/manager.yaml
+++ b/bootstrap/kubeadm/config/manager/manager.yaml
@@ -16,27 +16,35 @@ spec:
control-plane: controller-manager
spec:
containers:
- - command:
- - /manager
- args:
- - "--leader-elect"
- - "--metrics-bind-addr=localhost:8080"
- - "--feature-gates=MachinePool=${EXP_MACHINE_POOL:=false},KubeadmBootstrapFormatIgnition=${EXP_KUBEADM_BOOTSTRAP_FORMAT_IGNITION:=false}"
- - "--bootstrap-token-ttl=${KUBEADM_BOOTSTRAP_TOKEN_TTL:=15m}"
- image: controller:latest
- name: manager
- ports:
- - containerPort: 9440
- name: healthz
- protocol: TCP
- readinessProbe:
- httpGet:
- path: /readyz
- port: healthz
- livenessProbe:
- httpGet:
- path: /healthz
- port: healthz
+ - command:
+ - /manager
+ args:
+ - "--leader-elect"
+ - "--metrics-bind-addr=localhost:8080"
+ - "--feature-gates=MachinePool=${EXP_MACHINE_POOL:=false},KubeadmBootstrapFormatIgnition=${EXP_KUBEADM_BOOTSTRAP_FORMAT_IGNITION:=false}"
+ - "--bootstrap-token-ttl=${KUBEADM_BOOTSTRAP_TOKEN_TTL:=15m}"
+ image: controller:latest
+ name: manager
+ ports:
+ - containerPort: 9440
+ name: healthz
+ protocol: TCP
+ readinessProbe:
+ httpGet:
+ path: /readyz
+ port: healthz
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: healthz
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ runAsUser: 65532
+ runAsGroup: 65532
terminationGracePeriodSeconds: 10
serviceAccountName: manager
tolerations:
@@ -44,3 +52,7 @@ spec:
key: node-role.kubernetes.io/master
- effect: NoSchedule
key: node-role.kubernetes.io/control-plane
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
index 9fd19a385afd..5ac9b39670e8 100644
--- a/config/manager/manager.yaml
+++ b/config/manager/manager.yaml
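Review bot: The container securityContext added after the liveness probe omits `readOnlyRootFilesystem: true`, so even with every capability dropped a compromised /manager process can still write anywhere in the image filesystem. UID 65532 suggests a distroless-style base image that needs no writable root, so adding `readOnlyRootFilesystem: true` next to `privileged: false` is presumably safe, but confirm first that the webhook certificate directory and any cache paths are volume mounts; those mounts are not in this hunk. The pod spec this hunk edits continues past `tolerations:` into the following hunk.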
@@ -17,39 +17,47 @@ spec:
control-plane: controller-manager
spec:
containers:
- - command:
- - /manager
- args:
- - "--leader-elect"
- - "--metrics-bind-addr=localhost:8080"
- - "--feature-gates=MachinePool=${EXP_MACHINE_POOL:=false},ClusterResourceSet=${EXP_CLUSTER_RESOURCE_SET:=false},ClusterTopology=${CLUSTER_TOPOLOGY:=false},RuntimeSDK=${EXP_RUNTIME_SDK:=false}"
- image: controller:latest
- name: manager
- env:
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- - name: POD_NAME
- valueFrom:
- fieldRef:
- fieldPath: metadata.name
- - name: POD_UID
- valueFrom:
- fieldRef:
- fieldPath: metadata.uid
- ports:
- - containerPort: 9440
- name: healthz
- protocol: TCP
- readinessProbe:
- httpGet:
- path: /readyz
- port: healthz
- livenessProbe:
- httpGet:
- path: /healthz
- port: healthz
+ - command:
+ - /manager
+ args:
+ - "--leader-elect"
+ - "--metrics-bind-addr=localhost:8080"
+ - "--feature-gates=MachinePool=${EXP_MACHINE_POOL:=false},ClusterResourceSet=${EXP_CLUSTER_RESOURCE_SET:=false},ClusterTopology=${CLUSTER_TOPOLOGY:=false},RuntimeSDK=${EXP_RUNTIME_SDK:=false}"
+ image: controller:latest
+ name: manager
+ env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_UID
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.uid
+ ports:
+ - containerPort: 9440
+ name: healthz
+ protocol: TCP
+ readinessProbe:
+ httpGet:
+ path: /readyz
+ port: healthz
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: healthz
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ runAsUser: 65532
+ runAsGroup: 65532
terminationGracePeriodSeconds: 10
serviceAccountName: manager
tolerations:
@@ -57,3 +65,7 @@ spec:
key: node-role.kubernetes.io/master
- effect: NoSchedule
key: node-role.kubernetes.io/control-plane
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
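Review bot: Pinning `runAsUser: 65532` and `runAsGroup: 65532` on the container makes this manifest fail admission on platforms that allocate UIDs per namespace — OpenShift's restricted SCC is the usual case — whereas the pod-level `runAsNonRoot: true` added in the second hunk already satisfies the Pod Security "restricted" profile on its own, provided the image declares a numeric non-root USER. If the explicit UID is intended, a comment above `runAsUser:` would save the next reader the question: `# 65532 is the distroless "nonroot" user; override with a kustomize patch where the platform assigns UIDs (e.g. OpenShift restricted SCC)`. Whether such platforms are a support target is not visible here.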
diff --git a/controlplane/kubeadm/config/manager/manager.yaml b/controlplane/kubeadm/config/manager/manager.yaml
index 1566e010a702..34e85f86e86d 100644
--- a/controlplane/kubeadm/config/manager/manager.yaml
+++ b/controlplane/kubeadm/config/manager/manager.yaml
@@ -16,39 +16,47 @@ spec:
control-plane: controller-manager
spec:
containers:
- - command:
- - /manager
- args:
- - "--leader-elect"
- - "--metrics-bind-addr=localhost:8080"
- - "--feature-gates=ClusterTopology=${CLUSTER_TOPOLOGY:=false},KubeadmBootstrapFormatIgnition=${EXP_KUBEADM_BOOTSTRAP_FORMAT_IGNITION:=false}"
- image: controller:latest
- name: manager
- env:
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- - name: POD_NAME
- valueFrom:
- fieldRef:
- fieldPath: metadata.name
- - name: POD_UID
- valueFrom:
- fieldRef:
- fieldPath: metadata.uid
- ports:
- - containerPort: 9440
- name: healthz
- protocol: TCP
- readinessProbe:
- httpGet:
- path: /readyz
- port: healthz
- livenessProbe:
- httpGet:
- path: /healthz
- port: healthz
+ - command:
+ - /manager
+ args:
+ - "--leader-elect"
+ - "--metrics-bind-addr=localhost:8080"
+ - "--feature-gates=ClusterTopology=${CLUSTER_TOPOLOGY:=false},KubeadmBootstrapFormatIgnition=${EXP_KUBEADM_BOOTSTRAP_FORMAT_IGNITION:=false}"
+ image: controller:latest
+ name: manager
+ env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_UID
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.uid
+ ports:
+ - containerPort: 9440
+ name: healthz
+ protocol: TCP
+ readinessProbe:
+ httpGet:
+ path: /readyz
+ port: healthz
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: healthz
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ runAsUser: 65532
+ runAsGroup: 65532
terminationGracePeriodSeconds: 10
serviceAccountName: manager
tolerations:
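Review bot: `runAsUser` and `runAsGroup` are the only fields in the new container securityContext that also exist at pod level, and this file's pod-level block (added in the following hunk, outside this one) already carries `runAsNonRoot` and `seccompProfile`; hoisting the two UID/GID fields there would keep every container in the pod — including any sidecar added later, such as a metrics proxy — under one identity, leaving only the container-only fields (`allowPrivilegeEscalation`, `capabilities`, `privileged`) here. The same layout is repeated in the bootstrap and core manager manifests, so the three should be changed together if this is taken up. The pod spec this hunk modifies continues past `tolerations:`.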
@@ -56,3 +64,7 @@ spec:
key: node-role.kubernetes.io/master
- effect: NoSchedule
key: node-role.kubernetes.io/control-plane
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/docs/book/src/developer/providers/v1.3-to-v1.4.md b/docs/book/src/developer/providers/v1.3-to-v1.4.md
index fd19f69e2389..688dca1ad69b 100644
--- a/docs/book/src/developer/providers/v1.3-to-v1.4.md
+++ b/docs/book/src/developer/providers/v1.3-to-v1.4.md
@@ -5,13 +5,12 @@ maintainers of providers and consumers of our Go API. ## Minimum Go version -* The Go version used by Cluster API is still Go 1.19.x +- The Go version used by Cluster API is still Go 1.19.x ## Dependencies **Note**: Only the most relevant dependencies are listed, `k8s.io/` and `ginkgo`/`gomega` dependencies in Cluster API are kept in sync with the versions used by `sigs.k8s.io/controller-runtime`. - ## Changes by Kind ### Deprecation
@@ -35,5 +34,8 @@ maintainers of providers and consumers of our Go API. ### Other - `clusterctl upgrade apply` no longer requires a namespace when updating providers. It is now optional and in a future release it will be deprecated. The new syntax is `[namespace/]provider:version`. +- Cluster API controllers are now using an explicit security context by default. ### Suggested changes for providers + +- Providers should add an explicit security context to their controllers deployment, see [#7831](https://github.com/kubernetes-sigs/cluster-api/pull/7831) for reference.
diff --git a/test/extension/config/default/manager.yaml b/test/extension/config/default/manager.yaml
index 26acbe94e689..7d7afd36e3d9 100644
--- a/test/extension/config/default/manager.yaml
+++ b/test/extension/config/default/manager.yaml
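Review bot: `seccompProfile: type: RuntimeDefault` in the new pod-level securityContext applies whatever default profile the node's container runtime ships, which differs between containerd and CRI-O and across their versions, so the "no practical change" reasoning in the commit message is a property of a given runtime rather than of this manifest. A short comment above `seccompProfile:` would make that contract explicit for operators: `# RuntimeDefault = the container runtime's own default seccomp profile; use type: Localhost with a vendored profile if a fixed syscall allowlist is required`. The pod-level block is otherwise consistent with the container-level hardening in the previous hunk.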
@@ -14,10 +14,18 @@ spec:
app: test-extension-manager
spec:
containers:
- - command:
- - /manager
- image: controller:latest
- name: manager
+ - command:
+ - /manager
+ image: controller:latest
+ name: manager
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ runAsUser: 65532
+ runAsGroup: 65532
terminationGracePeriodSeconds: 10
serviceAccountName: manager
tolerations:
@@ -25,3 +33,7 @@ spec:
key: node-role.kubernetes.io/master
- effect: NoSchedule
key: node-role.kubernetes.io/control-plane
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault