Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Drop capabilities, enable seccomp and enforce runAsNonRoot #223

Merged
merged 1 commit into from
Jan 20, 2022
Merged

Drop capabilities, enable seccomp and enforce runAsNonRoot #223

merged 1 commit into from
Jan 20, 2022

Conversation

aryan9600
Copy link
Member

Further restricts the SecurityContext that the controller runs under, by enabling the default seccomp profile and dropping all linux capabilities.
This was set at container-level to ensure backwards compatibility with use cases in which sidecars are injected into the source-controller pod
without setting less restrictive settings.
Add a uid and gid for the container to enforce runAsNonRoot and ensure
the use of non root users.

BREAKING CHANGES:

  1. The use of new seccomp API requires Kubernetes 1.19.
  2. the controller container is now executed under 65534:65534 (userid:groupid).
    This change may break deployments that hard-coded the user name 'controller' in their PodSecurityPolicy.

Ref: fluxcd/flux2#2014

Signed-off-by: Sanskar Jaiswal jaiswalsanskar078@gmail.com
Co-authored-by: Paulo Gomes paulo.gomes@weave.works

@aryan9600
Copy link
Member Author

aryan9600 commented Jan 20, 2022
edited
Loading

This was tested on Kubernetes 1.23.1 with restrict "pod security" (below) and it worked as expected.

apiVersion: v1
kind: Namespace
metadata:
  name: image-reflector-system
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/warn-version: latest

@aryan9600
drop capabilities, enable seccomp and enforce runAsNonRoot
d454180 
Further restricts the SecurityContext that the controller runs under, by enabling the default seccomp profile and dropping all linux capabilities.
This was set at container-level to ensure backwards compatibility with use cases in which sidecars are injected into the source-controller pod
without setting less restrictive settings.
Add a uid and gid for the container to enforce runAsNonRoot and ensure
the use of non root users.

BREAKING CHANGES:
1) The use of new seccomp API requires Kubernetes 1.19.
2) the controller container is now executed under 65534:65534 (userid:groupid).
   This change may break deployments that hard-coded the user name 'controller' in their PodSecurityPolicy.

Signed-off-by: Sanskar Jaiswal <jaiswalsanskar078@gmail.com>
Co-authored-by: Paulo Gomes <paulo.gomes@weave.works>
pjbgf
pjbgf approved these changes Jan 20, 2022
View reviewed changes
Copy link
Member

@pjbgf pjbgf left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice one @aryan9600. 👍

@stefanprodan stefanprodan added the area/ci CI related issues and pull requests label Jan 20, 2022
@stefanprodan stefanprodan merged commit 86d5c29 into fluxcd:main Jan 20, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@stefanprodan stefanprodan stefanprodan approved these changes

@pjbgf pjbgf pjbgf approved these changes

Assignees
No one assigned
Labels
area/ci CI related issues and pull requests
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@aryan9600 @stefanprodan @pjbgf