From f94193bdcbb26bb687d1c6af7660f520a25d8e26 Mon Sep 17 00:00:00 2001
From: gabriel
Date: Wed, 24 Jul 2024 18:47:50 -0300
Subject: [PATCH 1/6] Enable security context
---
 templates/deployment.yaml | 44 +++++++++++++++++++++++++++++++++++++++
 values.yaml | 9 ++------
 2 files changed, 46 insertions(+), 7 deletions(-)
diff --git a/templates/deployment.yaml b/templates/deployment.yaml
index 76be3aa..2d5ab68 100644
--- a/templates/deployment.yaml
+++ b/templates/deployment.yaml
@@ -45,6 +45,38 @@ spec:
 tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.tolerations "context" $) | nindent 8 }}
 {{- end }}
 volumes:
+ - name: cyral-sidecar-supervisor
+ emptyDir: {}
+ - name: cyral-sidecar-fluentbit
+ emptyDir: {}
+ - name: cyral-sidecar-openresty
+ emptyDir: {}
+ - name: cyral-sidecar-openresty-local
+ emptyDir: {}
+ - name: cyral-sidecar-nginx
+ emptyDir: {}
+ - name: cyral-sidecar-ca-bundles
+ emptyDir: {}
+ initContainers:
+ - name: init-sidecar
+ image: {{ include "cyral.image" . }}
+ volumeMounts:
+ - name: cyral-sidecar-supervisor
+ mountPath: /supervisor-temp
+ - name: cyral-sidecar-fluentbit
+ mountPath: /fluentbit-temp
+ - name: cyral-sidecar-openresty-local
+ mountPath: /openresty-temp
+ - name: cyral-sidecar-nginx
+ mountPath: /nginx-temp
+ command:
+ - "sh"
+ - "-c"
+ - |
+ cp -R /etc/supervisor/. /supervisor-temp &&
+ cp -R /etc/fluent-bit/. /fluentbit-temp &&
+ cp -R /usr/local/openresty/. /openresty-temp &&
+ cp -R /etc/nginx/. /nginx-temp
 containers:
 - name: cyral-sidecar
 image: {{ include "cyral.image" . }} 
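Review bot: The new `init-sidecar` container carries no `securityContext` (and no `resources`), so it runs as whatever user the image defaults to, outside the container-level context this series is enabling; whether the main container renders `containerSecurityContext` is not visible in this hunk, but the init container certainly does not. Since it only copies files into emptyDirs it can take the same context, e.g. `{{- if .Values.containerSecurityContext.enabled }}` / `securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }}` / `{{- end }}` right after its `image:` line — this also pins the ownership of the copied files, which otherwise depends on the init container's UID and decides whether UID 65534 can write them later. Separately, `cp -R /usr/local/openresty/.` copies the whole tree, which in the stock image presumably holds the openresty binaries and not just configuration, into a volume the sidecar later mounts read-write; if only a subdirectory must be writable at runtime, copy just that one. The enclosing `spec:` block starts and ends outside the hunk.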
@@ -134,6 +166,18 @@ spec:
 resources: {{- toYaml .Values.resources | nindent 12 }}
 {{- end }}
 volumeMounts:
+ - name: cyral-sidecar-supervisor
+ mountPath: /etc/supervisor
+ - name: cyral-sidecar-fluentbit
+ mountPath: /etc/fluent-bit
+ - name: cyral-sidecar-openresty
+ mountPath: /var/run/openresty
+ - name: cyral-sidecar-openresty-local
+ mountPath: /usr/local/openresty
+ - name: cyral-sidecar-nginx
+ mountPath: /etc/nginx
+ - name: cyral-sidecar-ca-bundles
+ mountPath: /etc/cyral/cyral-certificate-manager/bundles
 {{- if .Values.extraVolumeMounts }}
 {{- include "common.tplvalues.render" ( dict "value" .Values.extraVolumeMounts "context" $) | nindent 12 }}
 {{- end }}
diff --git a/values.yaml b/values.yaml
index 631a156..354ffce 100644
--- a/values.yaml
+++ b/values.yaml
@@ -204,15 +204,10 @@ podSecurityContext:
 ## @param containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
 ##
 containerSecurityContext:
- enabled: false
- seLinuxOptions: null
- runAsUser: 1001
+ enabled: true
+ runAsUser: 65534
 runAsNonRoot: true
- privileged: false
 readOnlyRootFilesystem: false
- allowPrivilegeEscalation: false
- capabilities:
- drop: ["ALL"]
 seccompProfile:
 type: "RuntimeDefault"
 ## Configures the ports Cyral Sidecar listens on
From f69386932dc320cdd23e9b778df9bc82b3c5d63d Mon Sep 17 00:00:00 2001
From: gabriel
Date: Wed, 24 Jul 2024 22:32:44 -0300
Subject: [PATCH 2/6] Add docs and missing definitions
---
 README.md | 8 ++++----
 values.yaml | 5 +++++
 2 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index 9518701..6d1c58c 100644
--- a/README.md
+++ b/README.md 
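Review bot: The `cyral-sidecar-ca-bundles` emptyDir mounted at `/etc/cyral/cyral-certificate-manager/bundles` is the only configuration path in this series that the init container does not seed (it copies supervisor, fluent-bit, openresty and nginx only), so anything the image ships under that path is hidden behind an empty directory from start-up. If the image does ship bundles there, the init container needs a fifth `cp -R`; if the certificate manager populates it at runtime instead, say so next to the mount, e.g. `# populated at runtime by cyral-certificate-manager; intentionally not seeded by init-sidecar`. None of the six mounts sets `readOnly: true`; `/usr/local/openresty` in particular is where the init container copies the openresty install tree, and if nothing writes there at runtime (`/var/run/openresty` has its own volume) marking it `readOnly: true` keeps the copied binaries immutable. The container definition these mounts belong to starts before the hunk.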
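Review bot: `readOnlyRootFilesystem: false` stays as the default even though the emptyDir scaffolding added in this same commit for `/etc/supervisor`, `/etc/fluent-bit`, `/usr/local/openresty`, `/var/run/openresty`, `/etc/nginx` and the CA-bundle path is exactly the groundwork a read-only root needs; unless the sidecar writes to some other path (a `/tmp` emptyDir is the usual remaining gap), the default can be `readOnlyRootFilesystem: true`. If a known path still blocks it, a comment on that line naming the path, e.g. `# kept false: <path> must be writable at runtime — see templates/deployment.yaml volumes`, tells chart users what they would have to add before flipping it. The `containerSecurityContext` mapping continues past the end of the hunk.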
@@ -101,14 +101,14 @@ The command removes all the Kubernetes components associated with the chart and
 | `podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
 | `podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
 | `podSecurityContext.fsGroup` | Set Cyral Sidecar pod's Security Context fsGroup | `1001` |
-| `containerSecurityContext.enabled` | Enabled containers' Security Context | `false` |
+| `containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
 | `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
-| `containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
+| `containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `65534` |
 | `containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
 | `containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
 | `containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
-| `containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
+| `containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `true` |
-| `containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
+| `containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `[]` |
 | `containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
 | `containerPorts` | Map of all ports inside Cyral Sidecar container | `{}` |
 | `extraContainerPorts` | Array of additional container ports for the Cyral Sidecar container | `[]` |
diff --git a/values.yaml b/values.yaml
index 354ffce..5a5f7ae 100644
--- a/values.yaml
+++ b/values.yaml 
@@ -205,11 +205,16 @@ podSecurityContext:
 ##
 containerSecurityContext:
 enabled: true
+ seLinuxOptions: null
 runAsUser: 65534
 runAsNonRoot: true
+ privileged: false
 readOnlyRootFilesystem: false
+ allowPrivilegeEscalation: true
 seccompProfile:
 type: "RuntimeDefault"
+ capabilities:
+ drop: []
 ## Configures the ports Cyral Sidecar listens on
 ## @param containerPorts [object] Map of all ports inside Cyral Sidecar container
 ##
From 391eccf6c1b788a381ea4892ad11a87993e668ac Mon Sep 17 00:00:00 2001
From: gabriel
Date: Wed, 24 Jul 2024 22:42:38 -0300
Subject: [PATCH 3/6] just ordering
---
 values.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/values.yaml b/values.yaml
index 5a5f7ae..6a19806 100644
--- a/values.yaml
+++ b/values.yaml
@@ -211,10 +211,10 @@ containerSecurityContext:
 privileged: false
 readOnlyRootFilesystem: false
 allowPrivilegeEscalation: true
- seccompProfile:
- type: "RuntimeDefault"
 capabilities:
 drop: []
+ seccompProfile:
+ type: "RuntimeDefault"
 ## Configures the ports Cyral Sidecar listens on
 ## @param containerPorts [object] Map of all ports inside Cyral Sidecar container
 ##
From 50f53e3edd31ccb0e46d4caf56c49d9fadf81e02 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ant=C3=B4nio=20Franco?= <13881523+antoniomrfranco@users.noreply.github.com>
Date: Thu, 25 Jul 2024 17:12:57 -0300
Subject: [PATCH 4/6] Set ip_unprivileged_port_start to 0
---
 values.yaml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/values.yaml b/values.yaml
index 6a19806..5904e0d 100644
--- a/values.yaml
+++ b/values.yaml
@@ -188,7 +188,9 @@ rbac:
 podSecurityContext:
 enabled: false
 fsGroupChangePolicy: Always
- sysctls: []
+ sysctls:
+ - name: net.ipv4.ip_unprivileged_port_start
+ value: "0"
 supplementalGroups: []
 fsGroup: 1001
 ## Cyral Sidecar containers' Security Context.
From 0c9aca2747790cff2f5d0e813e5b6519ebde39a1 Mon Sep 17 00:00:00 2001 
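Review bot: `net.ipv4.ip_unprivileged_port_start: "0"` is what lets the UID 65534 process bind ports below 1024 without `NET_BIND_SERVICE`, but that dependency is not written down anywhere, and the sysctl is only admitted by default on clusters that treat it as a safe sysctl (Kubernetes 1.22 and later); on older clusters, or under an admission policy that forbids sysctls, the pod is rejected with no hint that this default is the cause. Please add a comment above the entry, e.g. `# Lets the non-root sidecar bind listener ports below 1024 without NET_BIND_SERVICE; needs a cluster where this is a safe sysctl (K8s >= 1.22) or kubelet --allowed-unsafe-sysctls`, so operators who must override `podSecurityContext.sysctls` know what they are giving up. Quoting the value as `"0"` is correct, since the `sysctls[].value` field is a string. The `podSecurityContext` mapping continues past the end of the hunk.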
From: gabriel
Date: Thu, 25 Jul 2024 17:26:16 -0300
Subject: [PATCH 5/6] remove privilege escalation and enable podsecuritycontext
---
 values.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/values.yaml b/values.yaml
index 5904e0d..4e742d7 100644
--- a/values.yaml
+++ b/values.yaml
@@ -186,7 +186,7 @@ rbac:
 ## @param podSecurityContext.fsGroup Set Cyral Sidecar pod's Security Context fsGroup
 ##
 podSecurityContext:
- enabled: false
+ enabled: true
 fsGroupChangePolicy: Always
 sysctls:
 - name: net.ipv4.ip_unprivileged_port_start
@@ -212,7 +212,7 @@ containerSecurityContext:
 runAsNonRoot: true
 privileged: false
 readOnlyRootFilesystem: false
- allowPrivilegeEscalation: true
+ allowPrivilegeEscalation: false
 capabilities:
 drop: []
 seccompProfile:
From 650b7cd72885371256a64666ec49585593e844b1 Mon Sep 17 00:00:00 2001
From: gabriel
Date: Thu, 25 Jul 2024 18:12:35 -0300
Subject: [PATCH 6/6] update docs
---
 README.md | 5 ++---
 values.yaml | 5 +----
 2 files changed, 3 insertions(+), 7 deletions(-)
diff --git a/README.md b/README.md
index 6d1c58c..c76065f 100644
--- a/README.md
+++ b/README.md
@@ -96,7 +96,7 @@ The command removes all the Kubernetes components associated with the chart and
 | `serviceAccount.automountServiceAccountToken` | Auto-mount the service account token in the pod | `true` |
 | `rbac.create` | Create Role and RoleBinding | `true` |
 | `rbac.rules` | Custom RBAC rules to set | `[]` |
-| `podSecurityContext.enabled` | Enabled Cyral Sidecar pods' Security Context | `false` |
+| `podSecurityContext.enabled` | Enabled Cyral Sidecar pods' Security Context | `true` |
 | `podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
 | `podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
 | `podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | 
@@ -107,8 +107,7 @@ The command removes all the Kubernetes components associated with the chart and
 | `containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
 | `containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
 | `containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
-| `containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `true` |
-| `containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `[]` |
+| `containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
 | `containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
 | `containerPorts` | Map of all ports inside Cyral Sidecar container | `{}` |
 | `extraContainerPorts` | Array of additional container ports for the Cyral Sidecar container | `[]` |
diff --git a/values.yaml b/values.yaml
index 4e742d7..54f2537 100644
--- a/values.yaml
+++ b/values.yaml
@@ -181,7 +181,7 @@ rbac:
 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
 ## @param podSecurityContext.enabled Enabled Cyral Sidecar pods' Security Context
 ## @param podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
-## @param podSecurityContext.sysctls Set kernel settings using the sysctl interface
+## @param podSecurityContext.sysctls [array] Set kernel settings using the sysctl interface
 ## @param podSecurityContext.supplementalGroups Set filesystem extra groups
 ## @param podSecurityContext.fsGroup Set Cyral Sidecar pod's Security Context fsGroup
 ## 
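Review bot: Tagging `podSecurityContext.sysctls` with `[array]` makes readme-generator print `[]` as the default (which is what the README table still shows), so the generated docs now hide that the chart ships `net.ipv4.ip_unprivileged_port_start=0` by default and that clearing the list takes away what presumably lets the UID 65534 sidecar bind ports below 1024. Since the generator will not print the value, put it in the description itself, e.g. `## @param podSecurityContext.sysctls [array] Kernel sysctls for the pod (defaults to net.ipv4.ip_unprivileged_port_start=0 so the non-root sidecar can bind ports below 1024)`. The `podSecurityContext` parameter comment block continues outside the hunk.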
@@ -202,7 +202,6 @@ podSecurityContext:
 ## @param containerSecurityContext.privileged Set container's Security Context privileged
 ## @param containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
 ## @param containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
-## @param containerSecurityContext.capabilities.drop List of capabilities to be dropped
 ## @param containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
 ##
 containerSecurityContext:
@@ -213,8 +212,6 @@ containerSecurityContext:
 privileged: false
 readOnlyRootFilesystem: false
 allowPrivilegeEscalation: false
- capabilities:
- drop: []
 seccompProfile:
 type: "RuntimeDefault"
 ## Configures the ports Cyral Sidecar listens on
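Review bot: Deleting the `capabilities` block outright, instead of restoring the `drop: ["ALL"]` the chart defaulted to before this series, leaves the sidecar with the runtime's default capability bounding set, even though the `ip_unprivileged_port_start` sysctl added earlier removes the one reason — binding ports below 1024 — a non-root process would have needed `NET_BIND_SERVICE`. The Pod Security `restricted` profile requires an explicit `capabilities.drop: ["ALL"]`, so the chart defaults fail it as written. Suggest keeping `capabilities:` / `  drop: ["ALL"]` after `allowPrivilegeEscalation: false` in the second hunk and restoring the `## @param containerSecurityContext.capabilities.drop List of capabilities to be dropped` line removed in the first, with the README row to match. The `containerSecurityContext` mapping continues past the end of the hunk.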