From f2693886b3b2cb108ade11d7db868ffc53ed5544 Mon Sep 17 00:00:00 2001
From: Don Khan
Date: Mon, 4 Mar 2024 10:42:18 -0500
Subject: [PATCH] Restrict access to the kube-proxy to local pod connections only (#516)
* Restrict apex client network access to localhost.
* Update image pull policy.
* Update cert-persister to latest image.
---------
Co-authored-by: Jooseppi Luna
---
 ...ll-csm-operator.clusterserviceversion.yaml | 4 ++--
 .../storage_v1_csm_connectivity_client.yaml | 2 +-
 .../v1.0.0/statefulset.yaml | 24 +++++--------------
 samples/connectivity_client_v100.yaml | 2 +-
 .../clientconfig/apex/v1.0.0/statefulset.yaml | 24 +++++--------------
 5 files changed, 16 insertions(+), 40 deletions(-)
diff --git a/bundle/manifests/dell-csm-operator.clusterserviceversion.yaml b/bundle/manifests/dell-csm-operator.clusterserviceversion.yaml
index 7b9251781..4ecb9a6fe 100644
--- a/bundle/manifests/dell-csm-operator.clusterserviceversion.yaml
+++ b/bundle/manifests/dell-csm-operator.clusterserviceversion.yaml
@@ -36,7 +36,7 @@ metadata:
 "name": "kubernetes-proxy"
 },
 {
- "image": "dellemc/connectivity-cert-persister-k8s:0.7.0",
+ "image": "dellemc/connectivity-cert-persister-k8s:0.11.0",
 "imagePullPolicy": "IfNotPresent",
 "name": "cert-persister"
 }
@@ -3572,7 +3572,7 @@ spec:
 name: metadataretriever
 - image: docker.io/dellemc/connectivity-client-docker-k8s:1.2.3
 name: dell-connectivity-client
- - image: docker.io/dellemc/connectivity-cert-persister-k8s:0.7.0
+ - image: docker.io/dellemc/connectivity-cert-persister-k8s:0.11.0
 name: cert-persister
 skips:
 - dell-csm-operator.v1.4.2
diff --git a/config/samples/storage_v1_csm_connectivity_client.yaml b/config/samples/storage_v1_csm_connectivity_client.yaml
index 653ff7de9..b974cdf73 100644
--- a/config/samples/storage_v1_csm_connectivity_client.yaml
+++ b/config/samples/storage_v1_csm_connectivity_client.yaml
@@ -22,7 +22,7 @@ spec:
 image: bitnami/kubectl:1.28
 imagePullPolicy: IfNotPresent
 - name: cert-persister
- image: dellemc/connectivity-cert-persister-k8s:0.7.0
+ image: dellemc/connectivity-cert-persister-k8s:0.11.0
 imagePullPolicy: IfNotPresent
 ---
 apiVersion: v1
diff --git a/operatorconfig/clientconfig/apexconnectivityclient/v1.0.0/statefulset.yaml b/operatorconfig/clientconfig/apexconnectivityclient/v1.0.0/statefulset.yaml
index 8a17457ad..077921e26 100644
--- a/operatorconfig/clientconfig/apexconnectivityclient/v1.0.0/statefulset.yaml
+++ b/operatorconfig/clientconfig/apexconnectivityclient/v1.0.0/statefulset.yaml
@@ -126,7 +126,7 @@ spec:
 containers:
 - name: connectivity-client-docker-k8s
 image: ""
- imagePullPolicy: Always
+ imagePullPolicy: IfNotPresent
 args:
 - "--aggregator"
 -
@@ -208,26 +208,14 @@ spec:
 - ALL
 - name: kubernetes-proxy
 image: ""
- imagePullPolicy: Always
+ imagePullPolicy: IfNotPresent
 command: [ "kubectl" ]
 args:
 - "proxy"
 - "--port=8001"
- - "--address=0.0.0.0"
- - "--accept-hosts=^.*$"
+ - "--address=127.0.0.1"
+ - "--accept-hosts=^localhost$,^127.0.0.1$"
 - "--v=5"
- ports:
- - containerPort: 8001
- livenessProbe:
- httpGet:
- path: /api/v1
- port: 8001
- scheme: HTTP
- initialDelaySeconds: 5
- timeoutSeconds: 2
- periodSeconds: 30
- successThreshold: 1
- failureThreshold: 3
 securityContext:
 readOnlyRootFilesystem: false
 allowPrivilegeEscalation: false
@@ -238,7 +238,7 @@ spec:
 - ALL
 - name: cert-persister
 image: ""
- imagePullPolicy: Always
+ imagePullPolicy: IfNotPresent
 env:
 - name: DCM_IDENTITY_LOCATION
 valueFrom:
@@ -259,7 +247,7 @@ spec:
 initContainers:
 - name: connectivity-client-init
 image: ""
- imagePullPolicy: Always
+ imagePullPolicy: IfNotPresent
 env:
 - name: DCM_IDENTITY_LOCATION
 valueFrom:
diff --git a/samples/connectivity_client_v100.yaml b/samples/connectivity_client_v100.yaml
index 653ff7de9..b974cdf73 100644
--- a/samples/connectivity_client_v100.yaml
+++ b/samples/connectivity_client_v100.yaml
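Review bot: Switching `imagePullPolicy` from `Always` to `IfNotPresent` in the `@@ -126` hunk, on a container whose `image` is `""` and is filled in by the operator, makes correctness depend on the rendered tag being immutable: a node that already holds an image under that tag will never re-pull, so a re-published tag is silently ignored and, on nodes shared with other tenants, whatever image is cached under that name is reused without the registry being consulted again. If the operator only ever renders pinned tags or digests this is fine; if the tag can be mutable, keep `Always` or render a digest instead. Either way the hunk should record the assumption, e.g. `# IfNotPresent: relies on the operator rendering an immutable tag or digest` above the line. The same change is made in the `@@ -238` and `@@ -259` hunks of this file and in the three matching hunks of tests/config/clientconfig/apex/v1.0.0/statefulset.yaml; each hunk's container list continues outside the hunk.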
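Review bot: Dropping the `livenessProbe` (the removed block after `- "--v=5"` in the `@@ -208,26` hunk) leaves the `kubernetes-proxy` container with no health check at all, so a `kubectl proxy` that hangs while its process stays alive is never restarted; the httpGet probe did have to go, because the kubelet probes the pod IP and the proxy now listens only on `127.0.0.1`, but it can be replaced by an `exec` probe that runs inside the container's own network namespace. The kubectl binary is already present (`command: [ "kubectl" ]`), so a request to the loopback listener through it is the natural candidate — confirm in the image used that it runs without a kubeconfig. Separately, the dots in `^127.0.0.1$` are unescaped and so match any character; this is harmless while the listener is bound to loopback, but spelling it as kubectl's own default does, `- "--accept-hosts=^localhost$,^127\.0\.0\.1$"`, keeps the intent exact. The same probe removal is in the `@@ -199,29` hunk of tests/config/clientconfig/apex/v1.0.0/statefulset.yaml; the container definition continues outside this hunk.
```yaml
        - name: kubernetes-proxy
          # … unchanged: image, imagePullPolicy, command, args, securityContext …
          livenessProbe:
            exec:
              command:
                - kubectl
                - --server=http://127.0.0.1:8001
                - get
                - --raw
                - /api/v1
            initialDelaySeconds: 5
            timeoutSeconds: 2
            periodSeconds: 30
            successThreshold: 1
            failureThreshold: 3
```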
@@ -22,7 +22,7 @@ spec:
 image: bitnami/kubectl:1.28
 imagePullPolicy: IfNotPresent
 - name: cert-persister
- image: dellemc/connectivity-cert-persister-k8s:0.7.0
+ image: dellemc/connectivity-cert-persister-k8s:0.11.0
 imagePullPolicy: IfNotPresent
 ---
 apiVersion: v1
diff --git a/tests/config/clientconfig/apex/v1.0.0/statefulset.yaml b/tests/config/clientconfig/apex/v1.0.0/statefulset.yaml
index 6db9d5b0b..1684fc179 100644
--- a/tests/config/clientconfig/apex/v1.0.0/statefulset.yaml
+++ b/tests/config/clientconfig/apex/v1.0.0/statefulset.yaml
@@ -125,7 +125,7 @@ spec:
 securityContext: {}
 image: ""
- imagePullPolicy: Always
+ imagePullPolicy: IfNotPresent
 args:
 - "--aggregator"
 -
@@ -199,29 +199,17 @@ spec:
 failureThreshold: 3
 - name: kubernetes-proxy
 image: ""
- imagePullPolicy: Always
+ imagePullPolicy: IfNotPresent
 command: [ "kubectl" ]
 args:
 - "proxy"
 - "--port=8001"
- - "--address=0.0.0.0"
- - "--accept-hosts=^.*$"
+ - "--address=127.0.0.1"
+ - "--accept-hosts=^localhost$,^127.0.0.1$"
 - "--v=5"
- ports:
- - containerPort: 8001
- livenessProbe:
- httpGet:
- path: /api/v1
- port: 8001
- scheme: HTTP
- initialDelaySeconds: 5
- timeoutSeconds: 2
- periodSeconds: 30
- successThreshold: 1
- failureThreshold: 3
 - name: cert-persister
 image: ""
- imagePullPolicy: Always
+ imagePullPolicy: IfNotPresent
 env:
 - name: DCM_IDENTITY_LOCATION
 valueFrom:
@@ -234,7 +222,7 @@ spec:
 initContainers:
 - name: connectivity-client-init
 image: ""
- imagePullPolicy: Always
+ imagePullPolicy: IfNotPresent
 env:
 - name: DCM_IDENTITY_LOCATION
 valueFrom: