From 4e4af3025acb62ba29a776bb14d6225d968e1c2c Mon Sep 17 00:00:00 2001 From: "junior.taeza" Date: Fri, 14 Jul 2023 13:34:26 -0400 Subject: [PATCH] Address Snyk issues --- CHANGELOG.md | 4 ++++ .../templates/test_app_secretless_broker.yaml | 24 +++++++++++++++++++ .../test_app_secrets_provider_k8s.yaml | 17 ++++++++++--- ...est_app_secrets_provider_p2f_injected.yaml | 7 ++++++ .../test_app_secrets_provider_p2f.yaml | 24 +++++++++++++++++++ .../test_app_secrets_provider_p2f.yaml | 12 ++++++++++ .../templates/test-app-summon-sidecar.yaml | 24 +++++++++++++++++++ 7 files changed, 109 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index da404b2a..6b790192 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,10 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0. ## [0.26.0] - 2023-07-18 +### Security +- Update YAML files to include extra security layers to reduce Snyk vulnerabilities + [cyberark/conjur-authn-k8s-client#523](https://github.com/cyberark/conjur-authn-k8s-client/pull/523) + ### Added - Log level is now configurable using the `LOG_LEVEL` environment variable or `conjur.org/log-level` annotation. The existing `DEBUG` environment variable and `conjur.org/debug-logging` annotation is deprecated and will be removed in a future update. diff --git a/helm/conjur-app-deploy/charts/app-secretless-broker-jwt/templates/test_app_secretless_broker.yaml b/helm/conjur-app-deploy/charts/app-secretless-broker-jwt/templates/test_app_secretless_broker.yaml index 388ff725..8569cbd5 100644 --- a/helm/conjur-app-deploy/charts/app-secretless-broker-jwt/templates/test_app_secretless_broker.yaml +++ b/helm/conjur-app-deploy/charts/app-secretless-broker-jwt/templates/test_app_secretless_broker.yaml 
@@ -39,6 +39,18 @@ spec:
 - image: {{ printf "%s:%s" .Values.app.image.repository .Values.app.image.tag }}
 imagePullPolicy: {{ .Values.app.image.pullPolicy }}
 name: test-app
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - all
+ add: ["NET_ADMIN"]
+ runAsUser: "10000"
+ readOnlyRootFilesystem: false
+ resources:
+ limits:
+ cpu: "1"
+ memory: "2048Mi"
 ports:
 - name: http
 containerPort: 8080
@@ -54,6 +66,18 @@ spec:
 - image: {{ printf "%s:%s" .Values.secretless.image.repository .Values.secretless.image.tag }}
 imagePullPolicy: {{ .Values.secretless.image.pullPolicy }}
 name: secretless
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - all
+ add: ["NET_ADMIN"]
+ runAsUser: "10000"
+ readOnlyRootFilesystem: false
+ resources:
+ limits:
+ cpu: "1"
+ memory: "2048Mi"
 args: ["-f", "/etc/secretless/secretless_config.yaml"]
 ports:
 - containerPort: 5432
diff --git a/helm/conjur-app-deploy/charts/app-secrets-provider-k8s-jwt/templates/test_app_secrets_provider_k8s.yaml b/helm/conjur-app-deploy/charts/app-secrets-provider-k8s-jwt/templates/test_app_secrets_provider_k8s.yaml
index 3c46feb4..56abd610 100644
--- a/helm/conjur-app-deploy/charts/app-secrets-provider-k8s-jwt/templates/test_app_secrets_provider_k8s.yaml
+++ b/helm/conjur-app-deploy/charts/app-secrets-provider-k8s-jwt/templates/test_app_secrets_provider_k8s.yaml
@@ -72,6 +72,12 @@ spec:
 capabilities:
 drop:
 - all
+ runAsUser: "10000"
+ readOnlyRootFilesystem: false
+ resources:
+ limits:
+ cpu: "1"
+ memory: "2048Mi"
 initContainers:
 - image: {{ printf "%s:%s" .Values.secretsProvider.image.repository .Values.secretsProvider.image.tag }}
 imagePullPolicy: {{ .Values.secretsProvider.image.pullPolicy }}
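Review bot: `runAsUser: "10000"` is a quoted string, but `securityContext.runAsUser` is an int64 in the Kubernetes API, so the rendered manifest is rejected at apply time with a type error; write it as a plain integer, `runAsUser: 10000`. The same quoted value is added in the secretless hunk at @@ -54, in both hunks of test_app_secrets_provider_k8s.yaml and of each test_app_secrets_provider_p2f.yaml, in test_app_secrets_provider_p2f_injected.yaml and in both hunks of test-app-summon-sidecar.yaml, while the pre-existing `runAsUser: 65534` in the k8s-jwt template shows the unquoted form this repository already uses. Separately, `add: ["NET_ADMIN"]` placed right after `drop: - all` hands the test-app container a capability that permits changing network configuration inside its namespace, which undoes most of the benefit of dropping everything, and nothing in the visible container spec shows a need for it. Drop the `add:` line unless a documented requirement exists; the same line is added for the secretless container in the next hunk, in both hunks of the p2f-jwt test_app_secrets_provider_p2f.yaml and in both hunks of test-app-summon-sidecar.yaml.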
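Review bot: `readOnlyRootFilesystem: false` in the new secretless `securityContext` is the API default, so the line changes nothing at runtime while recording an explicit opt-out of the control a scanner would flag; the `args:` line shows the broker takes its configuration from a mounted file, so if it needs no writable path, `readOnlyRootFilesystem: true` (with an `emptyDir` mounted wherever it does write, if anywhere) is the setting that actually closes such a finding. The same explicit `false` is added in every other hunk of this patch, so the decision should be made once and applied consistently. Also, the new `resources:` block sets `limits` only; when no request is given Kubernetes copies the limit into the request, so each of these containers will reserve a full CPU and 2048Mi at scheduling time, which is heavy for a test app and its sidecar — add explicit `requests:` if that reservation is not intended.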
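Review bot: The container-level `runAsUser: "10000"` added here overrides the pod-level `runAsUser: 65534` that the same template keeps in its `fsGroup`-bearing `securityContext` (hunk @@ -107), because container settings take precedence over pod settings, so this container will run as a different UID from the one the pod-level value and the matching `runAsGroup`/`fsGroup` of 65534 were presumably chosen for. The container whose `securityContext` is being extended starts before the hunk, so I cannot see which one it is; either drop this override and rely on the pod-level UID, or change the pod-level value to the same UID so volume ownership and the process UID agree.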
@@ -107,13 +113,18 @@ spec:
 imagePullSecrets:
 - name: dockerpullsecret
 securityContext:
- fsGroup: 65534
- runAsGroup: 65534
- runAsUser: 65534
 allowPrivilegeEscalation: false
 capabilities:
 drop:
 - all
+ fsGroup: 65534
+ runAsGroup: 65534
+ runAsUser: 65534
+ readOnlyRootFilesystem: false
+ resources:
+ limits:
+ cpu: "1"
+ memory: "2048Mi"
 {{- end }}
 volumes:
 - name: conjur-access-token
diff --git a/helm/conjur-app-deploy/charts/app-secrets-provider-p2f-injected/templates/test_app_secrets_provider_p2f_injected.yaml b/helm/conjur-app-deploy/charts/app-secrets-provider-p2f-injected/templates/test_app_secrets_provider_p2f_injected.yaml
index a814de6b..5882fd9c 100644
--- a/helm/conjur-app-deploy/charts/app-secrets-provider-p2f-injected/templates/test_app_secrets_provider_p2f_injected.yaml
+++ b/helm/conjur-app-deploy/charts/app-secrets-provider-p2f-injected/templates/test_app_secrets_provider_p2f_injected.yaml
@@ -78,9 +78,16 @@ spec:
 timeoutSeconds: 5
 securityContext:
 allowPrivilegeEscalation: false
+ runAsNonRoot: true
 capabilities:
 drop:
 - all
+ runAsUser: "10000"
+ readOnlyRootFilesystem: false
+ resources:
+ limits:
+ cpu: "1"
+ memory: "2048Mi"
 {{- if eq .Values.app.platform "kubernetes" }}
 imagePullSecrets:
 - name: dockerpullsecret
diff --git a/helm/conjur-app-deploy/charts/app-secrets-provider-p2f-jwt/templates/test_app_secrets_provider_p2f.yaml b/helm/conjur-app-deploy/charts/app-secrets-provider-p2f-jwt/templates/test_app_secrets_provider_p2f.yaml
index d89951f4..a1e627ba 100644
--- a/helm/conjur-app-deploy/charts/app-secrets-provider-p2f-jwt/templates/test_app_secrets_provider_p2f.yaml
+++ b/helm/conjur-app-deploy/charts/app-secrets-provider-p2f-jwt/templates/test_app_secrets_provider_p2f.yaml
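Review bot: `readOnlyRootFilesystem: false` and the `resources:` block are added into what appears to be the pod-level `securityContext` (it carries `fsGroup`, sits between `imagePullSecrets` and `volumes`, and the collapsed hunk hides the indentation); neither is a field of PodSecurityContext and `resources` is not a pod-spec field at all, so the API server either drops them silently or, with strict field validation (the default in recent kubectl releases), rejects the manifest. The pre-existing `allowPrivilegeEscalation` and `capabilities` keys in this block have the same problem, and this commit moves the UID keys past them rather than fixing it. If the intent is to harden the containers, these keys belong in each container's own `securityContext` and `resources`, as the other hunks in this patch do, leaving the pod-level block with `fsGroup`, `runAsGroup`, `runAsUser` and, ideally, `runAsNonRoot: true`.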
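Review bot: `runAsNonRoot: true` is the one line in this patch that makes the kubelet refuse to start a container whose image resolves to UID 0, and it is added only in this template; the `securityContext` blocks the patch adds in the secretless, k8s-jwt, p2f, p2f-jwt and summon-sidecar templates set `runAsUser` but not `runAsNonRoot`, so if the numeric UID is later removed or templated away nothing enforces non-root there. Adding `runAsNonRoot: true` beside `runAsUser` in each of those blocks keeps the charts consistent and satisfies the restricted Pod Security Standard's non-root check, which keys on `runAsNonRoot` rather than on the UID. The `securityContext` extended here begins before the hunk, so whether it is container- or pod-level is not visible from the hunk itself.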
@@ -61,6 +61,18 @@ spec:
 - image: {{ printf "%s:%s" .Values.app.image.repository .Values.app.image.tag }}
 imagePullPolicy: {{ .Values.app.image.pullPolicy }}
 name: test-app
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - all
+ add: ["NET_ADMIN"]
+ runAsUser: "10000"
+ readOnlyRootFilesystem: false
+ resources:
+ limits:
+ cpu: "1"
+ memory: "2048Mi"
 command: [ "java", "-jar", "/app.jar", {{ printf "--spring.config.location=file:%s/application.yaml" .Values.app.secretsMountPath }} ]
 ports:
 - name: http
@@ -78,6 +90,18 @@ spec:
 - image: {{ printf "%s:%s" .Values.secretsProvider.image.repository .Values.secretsProvider.image.tag }}
 imagePullPolicy: Always
 name: cyberark-secrets-provider-for-k8s
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - all
+ add: ["NET_ADMIN"]
+ runAsUser: "10000"
+ readOnlyRootFilesystem: false
+ resources:
+ limits:
+ cpu: "1"
+ memory: "2048Mi"
 env:
 - name: MY_POD_NAMESPACE
 valueFrom:
diff --git a/helm/conjur-app-deploy/charts/app-secrets-provider-p2f/templates/test_app_secrets_provider_p2f.yaml b/helm/conjur-app-deploy/charts/app-secrets-provider-p2f/templates/test_app_secrets_provider_p2f.yaml
index f61626c3..b3ea50e1 100644
--- a/helm/conjur-app-deploy/charts/app-secrets-provider-p2f/templates/test_app_secrets_provider_p2f.yaml
+++ b/helm/conjur-app-deploy/charts/app-secrets-provider-p2f/templates/test_app_secrets_provider_p2f.yaml
@@ -79,6 +79,12 @@ spec:
 capabilities:
 drop:
 - all
+ runAsUser: "10000"
+ readOnlyRootFilesystem: false
+ resources:
+ limits:
+ cpu: "1"
+ memory: "2048Mi"
 initContainers:
 - image: {{ printf "%s:%s" .Values.secretsProvider.image.repository .Values.secretsProvider.image.tag }}
 imagePullPolicy: {{ .Values.secretsProvider.image.pullPolicy }}
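Review bot: The `cpu: "1"` / `memory: "2048Mi"` limits under the new `resources:` block for test-app are hard-coded into a template that otherwise reads its settings from `.Values` (`.Values.app.image.repository` and `.Values.app.secretsMountPath` on the neighbouring lines), so a chart user cannot tune them without editing the template. Expose them as chart values with these numbers as the defaults, e.g. `resources: {{- toYaml .Values.app.resources | nindent <indent-of-surrounding-keys> }}`, and do the same for the secrets-provider container in the hunk at @@ -90 and for the other templates in this patch. A one-line comment in values.yaml saying the limits exist to satisfy a scanner finding would also record why they are there, since neither the template nor the CHANGELOG entry says which finding they close.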
@@ -109,6 +115,12 @@ spec:
 capabilities:
 drop:
 - all
+ runAsUser: "10000"
+ readOnlyRootFilesystem: false
+ resources:
+ limits:
+ cpu: "1"
+ memory: "2048Mi"
 {{- if eq .Values.app.platform "kubernetes" }}
 imagePullSecrets:
 - name: dockerpullsecret
diff --git a/helm/conjur-app-deploy/charts/app-summon-sidecar-jwt/templates/test-app-summon-sidecar.yaml b/helm/conjur-app-deploy/charts/app-summon-sidecar-jwt/templates/test-app-summon-sidecar.yaml
index fd943637..34719e7d 100644
--- a/helm/conjur-app-deploy/charts/app-summon-sidecar-jwt/templates/test-app-summon-sidecar.yaml
+++ b/helm/conjur-app-deploy/charts/app-summon-sidecar-jwt/templates/test-app-summon-sidecar.yaml
@@ -40,6 +40,18 @@ spec:
 imagePullPolicy: {{ .Values.app.image.pullPolicy }}
 command: ["summon", "--provider", "summon-conjur", "-f", "/etc/conjur/secrets.yml", "java", "-jar", "/app.jar"]
 name: test-app
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - all
+ add: ["NET_ADMIN"]
+ runAsUser: "10000"
+ readOnlyRootFilesystem: false
+ resources:
+ limits:
+ cpu: "1"
+ memory: "2048Mi"
 ports:
 - name: http
 containerPort: 8080
@@ -65,6 +77,18 @@ spec:
 - image: {{ printf "%s:%s" .Values.authnClient.image.repository .Values.authnClient.image.tag }}
 imagePullPolicy: {{ .Values.authnClient.image.pullPolicy }}
 name: authenticator
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - all
+ add: ["NET_ADMIN"]
+ runAsUser: "10000"
+ readOnlyRootFilesystem: false
+ resources:
+ limits:
+ cpu: "1"
+ memory: "2048Mi"
 env:
 - name: CONTAINER_MODE
 value: sidecar
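Review bot: The new `drop:` / `- all` lines for the summon test-app spell the capability as lowercase `all`, whereas the restricted Pod Security Standard's capabilities check compares against the literal `ALL`; container runtimes generally upper-case capability names, so the container does lose its capabilities, but as far as I can tell a cluster enforcing the restricted profile would still report it as non-compliant. Writing `drop: ["ALL"]` costs nothing and matches the published standard; the same spelling is added in the authenticator hunk at @@ -65 below, in both hunks of test_app_secretless_broker.yaml and in both hunks of the p2f-jwt test_app_secrets_provider_p2f.yaml, and the pre-existing `- all` context lines in the other templates are worth aligning at the same time.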