refactor(helm): add control for securityContext #701

Merged
merged 2 commits into from
Feb 10, 2023
Conversation

zvlb (Contributor) commented Feb 10, 2023

Signed-off-by: Zemtsov Vladimir [email protected]

Small feature to control the securityContext in the Helm chart.

Local test:

~ kind create cluster
...


~ k cluster-info
Kubernetes control plane is running at https://127.0.0.1:60977
CoreDNS is running at https://127.0.0.1:60977/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy

To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.


~ helm install capsule . -n capsule-system --create-namespace
NAME: capsule
LAST DEPLOYED: Fri Feb 10 09:57:02 2023
NAMESPACE: capsule-system
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
  ...

~ k get deployments.apps -n capsule-system capsule-controller-manager -o yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  ...
  name: capsule-controller-manager
  namespace: capsule-system
  ...
spec:
  ...
  template:
    ...
    spec:
      containers:
      - ...
        ...
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
        ...
      ...
      securityContext:
        runAsGroup: 1002
        runAsNonRoot: true
        runAsUser: 1002
      ...



~ k create -f - << EOF
apiVersion: capsule.clastix.io/v1beta2
kind: Tenant
metadata:
  name: oil
spec:
  owners:
  - name: alice
    kind: User
EOF
tenant.capsule.clastix.io/oil created


~ k get tenants
NAME   STATE    NAMESPACE QUOTA   NAMESPACE COUNT   NODE SELECTOR   AGE
oil    Active                     0                                 4s


~ ../../hack/create-user.sh alice oil
creating certs in TMPDIR /var/folders/c7/78_t4pvj5zd2qrcwgq05h7_40000gn/T/tmp.Sr8bOiQ3
merging groups /O=capsule.clastix.io
Generating RSA private key, 2048 bit long modulus
......................................+++
........+++
e is 65537 (0x10001)
certificatesigningrequest.certificates.k8s.io/alice-oil created
certificatesigningrequest.certificates.k8s.io/alice-oil approved
kubeconfig file is: alice-oil.kubeconfig
to use it as alice export KUBECONFIG=alice-oil.kubeconfig


~ export KUBECONFIG=alice-oil.kubeconfig
~ k create namespace oil-production
namespace/oil-production created

~ k create namespace oil-development
namespace/oil-development created


~ export KUBECONFIG=
~ k get tenant oil
NAME   STATE    NAMESPACE QUOTA   NAMESPACE COUNT   NODE SELECTOR   AGE
oil    Active                     2                                 38s
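The Deployment output above shows the pod-level and container-level securityContext the chart now renders. As an added example, not code from the Capsule project or from this PR, the checker below validates a rendered Deployment against the fields the Kubernetes "restricted" Pod Security Standard requires (explicit allowPrivilegeEscalation: false, capabilities drop ALL, runAsNonRoot, a RuntimeDefault or Localhost seccompProfile, no privileged). The manifest embedded in it is a constructed sample modelled on the `kubectl get deployment -o yaml` output shown, with the seccompProfile the later comments mention; the container name and image are placeholders. Pod-level settings are merged under the container's own before checking, because that is how Kubernetes resolves them.

```python
"""Check a rendered Deployment's securityContext against the restricted Pod Security Standard.

Added example; not part of the Capsule chart or this pull request.
"""
from typing import Dict, List

# Constructed sample modelled on the PR's `kubectl get deployment -o yaml` output.
# Container name and image are placeholders (assumption), not the chart's values.
SAMPLE_DEPLOYMENT: Dict = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "capsule-controller-manager", "namespace": "capsule-system"},
    "spec": {
        "template": {
            "spec": {
                # Pod-level securityContext, inherited by every container.
                "securityContext": {
                    "runAsNonRoot": True,
                    "runAsUser": 1002,
                    "runAsGroup": 1002,
                    "seccompProfile": {"type": "RuntimeDefault"},
                },
                "containers": [
                    {
                        "name": "manager",
                        "image": "example/capsule:placeholder",
                        # Container-level securityContext; these fields only exist here.
                        "securityContext": {
                            "allowPrivilegeEscalation": False,
                            "capabilities": {"drop": ["ALL"]},
                            "readOnlyRootFilesystem": True,
                        },
                    }
                ],
            }
        }
    },
}


def check_restricted(deployment: Dict) -> List[str]:
    """Return the list of restricted-PSS violations; an empty list means compliant."""
    pod_spec = deployment["spec"]["template"]["spec"]
    pod_sc = pod_spec.get("securityContext", {})
    problems: List[str] = []
    containers = pod_spec.get("containers", []) + pod_spec.get("initContainers", [])
    for c in containers:
        name = c.get("name", "<unnamed>")
        # Container settings override pod settings; pod-only keys pass through harmlessly.
        sc = {**pod_sc, **c.get("securityContext", {})}
        if sc.get("privileged"):
            problems.append(f"{name}: privileged must be false")
        if sc.get("allowPrivilegeEscalation") is not False:
            problems.append(f"{name}: allowPrivilegeEscalation must be explicitly false")
        caps = sc.get("capabilities", {})
        dropped = {x.upper() for x in caps.get("drop", [])}
        if "ALL" not in dropped:
            problems.append(f"{name}: capabilities.drop must include ALL")
        added = {x.upper() for x in caps.get("add", [])}
        if added - {"NET_BIND_SERVICE"}:
            problems.append(f"{name}: only NET_BIND_SERVICE may be added, got {sorted(added)}")
        if sc.get("runAsNonRoot") is not True:
            problems.append(f"{name}: runAsNonRoot must be true")
        if sc.get("runAsUser") == 0:
            problems.append(f"{name}: runAsUser must not be 0")
        if sc.get("seccompProfile", {}).get("type") not in ("RuntimeDefault", "Localhost"):
            problems.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
        # readOnlyRootFilesystem is not required by the restricted profile; the chart
        # sets it anyway, which is a sensible extra for a controller that writes nothing.
    return problems


if __name__ == "__main__":
    for p in check_restricted(SAMPLE_DEPLOYMENT) or ["compliant with restricted PSS"]:
        print(p)
```

Run it against `kubectl get deployment -n capsule-system capsule-controller-manager -o json` (loaded with `json.load`) to check a live install; dropping the pod-level seccompProfile from the sample is enough to make it report a violation.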

netlify bot commented Feb 10, 2023

Deploy Preview for capsule-documentation canceled.

Latest commit: 60d4f62
Latest deploy log: https://app.netlify.com/sites/capsule-documentation/deploys/63e60a1fbbca060008ac8474

zvlb (Contributor, Author) commented Feb 10, 2023

This PR is a continuation of #693.

The securityContext I took from this issue: #680.

prometherion (Member) commented Feb 10, 2023

Astonishing work, @zvlb! <3

@oliverbaehler may I ask for your review on this?

prometherion linked an issue Feb 10, 2023 that may be closed by this pull request.

oliverbaehler (Collaborator) left a review comment Feb 10, 2023

Thanks for your contribution. Please look at my suggested change and retest everything :)

Suggested change on charts/capsule/values.yaml (resolved).

zvlb (Contributor, Author) commented Feb 10, 2023

I added the default seccompProfile and retested Capsule. All works well.

zvlb requested a review from oliverbaehler February 10, 2023 09:13

oliverbaehler (Collaborator) commented Feb 10, 2023

@zvlb Thanks for the changes.

What I can still reproduce is that when I install Capsule from your fork, the controller has one restart (tested with 3 Helm installations):

╰─○ kubectl logs -f capsule-controller-manager-75df7c7f56-frrc6 -n capsule-system                                           
{"level":"info","ts":"2023-02-10T11:33:40.825Z","logger":"setup","msg":"Capsule Version v0.2.1 d92f1e7"}
{"level":"info","ts":"2023-02-10T11:33:40.825Z","logger":"setup","msg":"Build from: https://github.com/clastix/capsule"}
{"level":"info","ts":"2023-02-10T11:33:40.825Z","logger":"setup","msg":"Build date: 2023-01-31T16:01:21"}
{"level":"info","ts":"2023-02-10T11:33:40.825Z","logger":"setup","msg":"Go Version: go1.18.10"}
{"level":"info","ts":"2023-02-10T11:33:40.825Z","logger":"setup","msg":"Go OS/Arch: linux/amd64"}
{"level":"info","ts":"2023-02-10T11:33:40.927Z","logger":"controller-runtime.metrics","msg":"Metrics server is starting to listen","addr":":8080"}
{"level":"info","ts":"2023-02-10T11:33:41.023Z","logger":"controllers.TLS","msg":"Generating new TLS certificate"}
{"level":"error","ts":"2023-02-10T11:34:30.524Z","logger":"controllers.TLS","msg":"cannot update Capsule TLS","error":"client rate limiter Wait returned an error: context canceled","stacktrace":"main.main\n\t/workspace/main.go:194\nruntime.main\n\t/usr/local/go/src/runtime/proc.go:250"}
{"level":"error","ts":"2023-02-10T11:34:30.524Z","logger":"setup","msg":"unable to reconcile Capsule TLS secret","error":"client rate limiter Wait returned an error: context canceled","stacktrace":"main.main\n\t/workspace/main.go:195\nruntime.main\n\t/usr/local/go/src/runtime/proc.go:250"}

What's the behavior for you? (Just want to make sure this doesn't break the default deployment) :)

oliverbaehler (Collaborator) left a review comment Feb 10, 2023

/lgtm

prometherion (Member) commented Feb 10, 2023

> What's the behavior for you? (Just want to make sure this doesn't break the default deployment) :)

It's something I experienced too; it happens from time to time while generating the webhook certificates.

We should increase the memory of the Controller to avoid this.

prometherion merged commit 770ad22 into projectcapsule:master Feb 10, 2023

zvlb (Contributor, Author) commented Feb 10, 2023

Hi. I have a question.
Why was the "release" step skipped?
https://github.com/clastix/capsule/actions/runs/4143616968

prometherion (Member) commented Feb 10, 2023

Because I merged the PR and hadn't pushed the Helm tag:

https://github.com/clastix/capsule/blob/770ad22170d5484de7093bdcf8aa27178e9e95fe/.github/workflows/helm.yml#L70-L86

Please note line 71.

Just pushed the related tag and the new Chart version is available, remember to issue helm repo update to get your local cache updated!

zvlb (Contributor, Author) commented Feb 10, 2023

TY!

Linked issue (may be closed by this pull request): feat: default pod security standards

3 participants