Improve default security settings #439
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
* Add default seccomp profile * Add pod security context * Enable read-only root filesystem by default * Disable default service links Closes: pganalyze#435
|
Tested this with the command: Here's the resulting pod (with a few fields removed): $ k get pod pganalyze-pganalyze-collector-77bcd6b6b6-vgp4z -o yaml
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: "2023-07-28T03:44:56Z"
generateName: pganalyze-pganalyze-collector-77bcd6b6b6-
labels:
app.kubernetes.io/instance: pganalyze
app.kubernetes.io/name: pganalyze-collector
pod-template-hash: 77bcd6b6b6
name: pganalyze-pganalyze-collector-77bcd6b6b6-vgp4z
namespace: jawnsy-test
ownerReferences:
- apiVersion: apps/v1
blockOwnerDeletion: true
controller: true
kind: ReplicaSet
name: pganalyze-pganalyze-collector-77bcd6b6b6
uid: 9f8df1df-a047-48ce-ad07-b9e810af6faa
resourceVersion: "70758548"
uid: 8f834c68-6cdb-41f9-b1e3-00776df3ba46
spec:
containers:
- image: quay.io/pganalyze/collector:v0.50.1
imagePullPolicy: IfNotPresent
name: pganalyze-collector
resources:
limits:
cpu: "1"
memory: 1Gi
requests:
cpu: "0"
memory: "0"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /tmp
name: scratch
subPath: tmp
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: kube-api-access-w5ckd
readOnly: true
dnsPolicy: ClusterFirst
enableServiceLinks: false
nodeName: gke-internal-tools-d-application-13b4-a1815e79-tzn5
preemptionPolicy: PreemptLowerPriority
priority: 0
restartPolicy: Always
schedulerName: default-scheduler
securityContext:
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
serviceAccount: pganalyze-pganalyze-collector
serviceAccountName: pganalyze-pganalyze-collector
terminationGracePeriodSeconds: 30
tolerations:
- effect: NoExecute
key: node.kubernetes.io/not-ready
operator: Exists
tolerationSeconds: 300
- effect: NoExecute
key: node.kubernetes.io/unreachable
operator: Exists
tolerationSeconds: 300
volumes:
- emptyDir: {}
name: scratch
- name: kube-api-access-w5ckd
projected:
defaultMode: 420
sources:
- serviceAccountToken:
expirationSeconds: 3607
path: token
- configMap:
items:
- key: ca.crt
path: ca.crt
name: kube-root-ca.crt
- downwardAPI:
items:
- fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
path: namespace
status:
conditions:
- lastProbeTime: null
lastTransitionTime: "2023-07-28T03:44:56Z"
status: "True"
type: Initialized
- lastProbeTime: null
lastTransitionTime: "2023-07-28T03:44:57Z"
status: "True"
type: Ready
- lastProbeTime: null
lastTransitionTime: "2023-07-28T03:44:57Z"
status: "True"
type: ContainersReady
- lastProbeTime: null
lastTransitionTime: "2023-07-28T03:44:56Z"
status: "True"
type: PodScheduled
containerStatuses:
- containerID: containerd://10106bd5210591d1e464b6a9d316195e5719dcb0b8ded8e4a817ef93f7f5dcd9
image: quay.io/pganalyze/collector:v0.50.1
imageID: quay.io/pganalyze/collector@sha256:bdf21b3a1e9252fc9e6b8bda20a7089db77f79e677811e9592c1c8abaaf3a151
lastState: {}
name: pganalyze-collector
ready: true
restartCount: 0
started: true
state:
running:
startedAt: "2023-07-28T03:44:57Z"
phase: Running
qosClass: Burstable
startTime: "2023-07-28T03:44:56Z" |
jawnsy
commented
Jul 28, 2023
lfittl
reviewed
Jul 28, 2023
| volumeMounts: | ||
| - mountPath: /tmp | ||
| name: scratch | ||
| subPath: tmp |
There was a problem hiding this comment.
Given the read-only root filesystem setting, I wonder if we also need to create a volume mount for /state?
(which is where the state file is written to - whilst that is mainly intended to support restarts outside of a container-based environment, it avoids errors that would likely occur when /state is no writeable)
See https://github.com/pganalyze/collector/blob/main/contrib/docker-entrypoint.sh#L23
There was a problem hiding this comment.
Ah, yes, absolutely! I didn't know about this file
lfittl
approved these changes
Aug 11, 2023
|
Merged with small edits - thanks for the contribution! |
|
@lfittl Thanks for finishing this up and for merging! Apologies for the delay, I was out of town last week :) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Closes: #435