
feat(trait): enforce Pod and Container security context #5461

Merged (3 commits), May 8, 2024

Conversation

@squakez (Contributor) commented May 7, 2024

This PR introduces a default value for both Pod and Container Security Context in order to strengthen the security on the cluster and avoid possible privilege escalations. Note that we still must set the runAsNonRoot value to false by default, as we are building containers to run with the root user. We will work on a follow-up issue to remove such a constraint and set this default to true when we are ready.

The resulting Pod executed (whichever the controller strategy is) will look like the following:

```yaml
spec:
  containers:
  - args:
    - echo exec java -cp ...
    image: 10.100.107.57/default/camel-k-kit-costpl3m17ss73c14n40@sha256:42965134843fe61db6ac1ebf965d28f33a22b5159e10c48ed64f112e34b78442
    imagePullPolicy: IfNotPresent
    name: integration
    ...
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - ALL
      runAsNonRoot: false
      seccompProfile:
        type: RuntimeDefault
...
  securityContext:
    runAsNonRoot: false
    seccompProfile:
      type: RuntimeDefault
  serviceAccount: default
...
```

The default configuration is enriched automatically in OpenShift clusters, which already enforce these policies, with the addition of a default runAsUser value.

Release Note

feat(trait): Pod and Container security context 
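The defaulting rule the PR describes (secure values filled in only where the user left a field unset, with runAsNonRoot kept at false for now), worked through in Go as an added example. This is not Camel K's own code: the pod types, the setIfNil helper, Harden, Violations and the sample JSON pod are all constructed for the illustration. Violations lists which of the hardened settings a spec still misses, so running it before and after ApplyDefaults shows both what the defaults add and that an explicit user choice (allowPrivilegeEscalation: true on the second sample container) is left alone rather than silently overwritten.

```go
package main

import (
	"encoding/json"
	"fmt"
	"slices" // Go 1.21+
)

// Hypothetical mirror of the securityContext fields the PR sets (not Camel K's
// own types). Pointer fields distinguish "unset" from an explicit false.
type SeccompProfile struct{ Type string `json:"type,omitempty"` }
type Capabilities struct{ Drop []string `json:"drop,omitempty"` }
type ContainerSecurityContext struct {
	AllowPrivilegeEscalation *bool           `json:"allowPrivilegeEscalation,omitempty"`
	Capabilities             *Capabilities   `json:"capabilities,omitempty"`
	RunAsNonRoot             *bool           `json:"runAsNonRoot,omitempty"`
	SeccompProfile           *SeccompProfile `json:"seccompProfile,omitempty"`
}
type PodSecurityContext struct {
	RunAsNonRoot   *bool           `json:"runAsNonRoot,omitempty"`
	SeccompProfile *SeccompProfile `json:"seccompProfile,omitempty"`
}
type Container struct {
	Name            string                    `json:"name"`
	SecurityContext *ContainerSecurityContext `json:"securityContext,omitempty"`
}
type PodSpec struct {
	Containers      []Container         `json:"containers"`
	SecurityContext *PodSecurityContext `json:"securityContext,omitempty"`
}

// setIfNil assigns v to *p only when the user left *p unset (nil).
func setIfNil[T any](p **T, v T) {
	if *p == nil {
		*p = &v
	}
}

// ApplyDefaults fills in the PR's defaults wherever a field is unset. runAsNonRoot
// defaults to false, as the PR notes, because the integration image runs as root.
func ApplyDefaults(spec *PodSpec) {
	setIfNil(&spec.SecurityContext, PodSecurityContext{})
	setIfNil(&spec.SecurityContext.RunAsNonRoot, false)
	setIfNil(&spec.SecurityContext.SeccompProfile, SeccompProfile{Type: "RuntimeDefault"})
	for i := range spec.Containers {
		c := &spec.Containers[i]
		setIfNil(&c.SecurityContext, ContainerSecurityContext{})
		sc := c.SecurityContext
		setIfNil(&sc.AllowPrivilegeEscalation, false)
		setIfNil(&sc.Capabilities, Capabilities{Drop: []string{"ALL"}})
		setIfNil(&sc.RunAsNonRoot, false)
		setIfNil(&sc.SeccompProfile, SeccompProfile{Type: "RuntimeDefault"})
	}
}

// Violations lists the hardening settings a spec still fails to meet.
func Violations(spec *PodSpec) []string {
	var out []string
	if spec.SecurityContext == nil || spec.SecurityContext.SeccompProfile == nil ||
		spec.SecurityContext.SeccompProfile.Type != "RuntimeDefault" {
		out = append(out, "pod: seccompProfile is not RuntimeDefault")
	}
	for _, c := range spec.Containers {
		sc := c.SecurityContext // nil counts as failing every check
		if sc == nil || sc.AllowPrivilegeEscalation == nil || *sc.AllowPrivilegeEscalation {
			out = append(out, c.Name+": allowPrivilegeEscalation is not false")
		}
		if sc == nil || sc.Capabilities == nil || !slices.Contains(sc.Capabilities.Drop, "ALL") {
			out = append(out, c.Name+": capabilities do not drop ALL")
		}
		if sc == nil || sc.SeccompProfile == nil || sc.SeccompProfile.Type != "RuntimeDefault" {
			out = append(out, c.Name+": seccompProfile is not RuntimeDefault")
		}
	}
	return out
}

// Harden parses a pod spec (JSON form) and returns the defaulted spec together
// with the violations found before and after defaulting.
func Harden(data string) (*PodSpec, []string, []string, error) {
	var spec PodSpec
	if err := json.Unmarshal([]byte(data), &spec); err != nil {
		return nil, nil, nil, err
	}
	before := Violations(&spec)
	ApplyDefaults(&spec)
	return &spec, before, Violations(&spec), nil
}

// Constructed sample: one container with no securityContext at all, and one
// where the user explicitly kept privilege escalation enabled.
const samplePod = `{"containers": [{"name": "integration"},
  {"name": "debug-sidecar", "securityContext": {"allowPrivilegeEscalation": true}}]}`

func main() {
	_, before, after, err := Harden(samplePod)
	fmt.Println("before:", before, "\nafter:", after, "\nerr:", err)
}
```

Run it with `go run`: the sample starts with seven violations (pod seccomp plus three per container) and ends with exactly one, the sidecar's user-chosen allowPrivilegeEscalation: true, which is the behaviour a defaulting trait should have so that users can still customise the context.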

@squakez squakez added the kind/feature New feature or request label May 7, 2024
@squakez squakez linked an issue May 7, 2024 that may be closed by this pull request
@oscerd (Contributor) left a comment

Thanks for this, this is super important.

Added a trait to set default Pod security context or let the user customize

Closes apache#5287
According to https://knative.dev/docs/serving/configuration/feature-flags/#kubernetes-security-context it can be dangerous because "`PodSecurityContext` properties can affect non-user sidecar containers that come from Knative or your service mesh."
@squakez (Contributor, Author) commented May 8, 2024

Checks failure due to #5459 and #5474

@squakez squakez merged commit 3c0fc0d into apache:main May 8, 2024
14 of 15 checks passed
@squakez squakez deleted the feat/5287 branch May 8, 2024 07:47
Labels
kind/feature New feature or request
Development

Successfully merging this pull request may close these issues.

Pod SecurityContext default secure settings
2 participants