Update eventlistener podSeurityContext to adhere to restricted pod se…

…curity standards Alter podSecurityContext to include seccompProfile, runAsUser, runAsGroup and fsGroup when set-security-context is set. As podSecurityContext only included runAsNonRoot, which could cause injected sidecars to miss some required restricted pod security standards securityContext fields.
tektoncd · Aug 19, 2024 · e4cd11d · e4cd11d
1 parent e5fdac7
commit e4cd11d
Show file tree

Hide file tree

Showing 9 changed files with 199 additions and 46 deletions.
diff --git a/config/config-defaults-triggers.yaml b/config/config-defaults-triggers.yaml
@@ -42,4 +42,5 @@ data:
     default-service-account: "default"
     default-run-as-user: "65532"
     default-run-as-group: "65532"
+    default-fs-group: "65532"
     default-run-as-non-root: "true" # allowed values are true and false
diff --git a/pkg/apis/config/default.go b/pkg/apis/config/default.go
@@ -26,12 +26,14 @@ import (
 
 const (
 	defaultServiceAccountKey   = "default-service-account"
-	defaultRunAsUserKey        = "default-run-as-user"
-	defaultRunAsGroupKey       = "default-run-as-group"
+	DefaultRunAsUserKey        = "default-run-as-user"
+	DefaultRunAsGroupKey       = "default-run-as-group"
+	DefaultFSGroupKey          = "default-fs-group"
 	defaultRunAsNonRootKey     = "default-run-as-non-root"
 	DefaultServiceAccountValue = "default"
 	defaultRunAsUserValue      = 65532
 	defaultRunAsGroupValue     = 65532
+	defaultFsGroupValue        = 65532
 	defaultRunAsNonRootValue   = true
 )
 
@@ -41,11 +43,13 @@ type Defaults struct {
 	DefaultServiceAccount string
 	DefaultRunAsUser      int64
 	DefaultRunAsGroup     int64
+	DefaultFSGroup        int64
 	DefaultRunAsNonRoot   bool
-	// These two fields are used to decide whether to configure
-	// runAsUser and runAsGroup within a Security Context Constraint (SCC).
+	// These three fields are used to decide whether to configure
+	// runAsUser, runAsGroup and fsGroup within a Security Context Constraint (SCC).
 	IsDefaultRunAsUserEmpty  bool
 	IsDefaultRunAsGroupEmpty bool
+	IsDefaultFsGroupEmpty    bool
 }
 
 // GetDefaultsConfigName returns the name of the configmap containing all
@@ -70,6 +74,7 @@ func (cfg *Defaults) Equals(other *Defaults) bool {
 	return other.DefaultServiceAccount == cfg.DefaultServiceAccount &&
 		other.DefaultRunAsUser == cfg.DefaultRunAsUser &&
 		other.DefaultRunAsGroup == cfg.DefaultRunAsGroup &&
+		other.DefaultFSGroup == cfg.DefaultFSGroup &&
 		other.DefaultRunAsNonRoot == cfg.DefaultRunAsNonRoot
 }
 
@@ -79,14 +84,15 @@ func NewDefaultsFromMap(cfgMap map[string]string) (*Defaults, error) {
 		DefaultServiceAccount: DefaultServiceAccountValue,
 		DefaultRunAsUser:      defaultRunAsUserValue,
 		DefaultRunAsGroup:     defaultRunAsGroupValue,
+		DefaultFSGroup:        defaultFsGroupValue,
 		DefaultRunAsNonRoot:   defaultRunAsNonRootValue,
 	}
 
 	if defaultServiceAccount, ok := cfgMap[defaultServiceAccountKey]; ok {
 		tc.DefaultServiceAccount = defaultServiceAccount
 	}
 
-	if defaultRunAsUser, ok := cfgMap[defaultRunAsUserKey]; ok {
+	if defaultRunAsUser, ok := cfgMap[DefaultRunAsUserKey]; ok {
 		if defaultRunAsUser != "" {
 			runAsUser, err := strconv.ParseInt(defaultRunAsUser, 10, 0)
 			if err != nil {
@@ -99,7 +105,7 @@ func NewDefaultsFromMap(cfgMap map[string]string) (*Defaults, error) {
 		}
 	}
 
-	if defaultRunAsGroup, ok := cfgMap[defaultRunAsGroupKey]; ok {
+	if defaultRunAsGroup, ok := cfgMap[DefaultRunAsGroupKey]; ok {
 		if defaultRunAsGroup != "" {
 			runAsGroup, err := strconv.ParseInt(defaultRunAsGroup, 10, 0)
 			if err != nil {
@@ -112,6 +118,19 @@ func NewDefaultsFromMap(cfgMap map[string]string) (*Defaults, error) {
 		}
 	}
 
+	if defaultFsGroup, ok := cfgMap[DefaultFSGroupKey]; ok {
+		if defaultFsGroup != "" {
+			fsGroup, err := strconv.ParseInt(defaultFsGroup, 10, 0)
+			if err != nil {
+				return nil, fmt.Errorf("failed parsing fsGroup config %q", defaultFsGroup)
+			}
+			tc.DefaultFSGroup = fsGroup
+		} else {
+			// if fsGroup is "" don't set fsGroup in SCC
+			tc.IsDefaultFsGroupEmpty = true
+		}
+	}
+
 	if defaultRunAsNonRoot, ok := cfgMap[defaultRunAsNonRootKey]; ok {
 		if defaultRunAsNonRoot != "" {
 			runAsNonRoot, err := strconv.ParseBool(defaultRunAsNonRoot)

diff --git a/pkg/apis/config/default_test.go b/pkg/apis/config/default_test.go
@@ -38,6 +38,7 @@ func TestNewDefaultsFromConfigMap(t *testing.T) {
 				DefaultServiceAccount: "default",
 				DefaultRunAsUser:      65532,
 				DefaultRunAsGroup:     65532,
+				DefaultFSGroup:        65532,
 				DefaultRunAsNonRoot:   true,
 			},
 			fileName: config.GetDefaultsConfigName(),
@@ -59,6 +60,7 @@ func TestNewDefaultsFromEmptyConfigMap(t *testing.T) {
 		DefaultServiceAccount: "default",
 		DefaultRunAsUser:      65532,
 		DefaultRunAsGroup:     65532,
+		DefaultFSGroup:        65532,
 		DefaultRunAsNonRoot:   true,
 	}
 	verifyConfigFileWithExpectedConfig(t, DefaultsConfigEmptyName, expectedConfig)
@@ -70,9 +72,11 @@ func TestNewDefaultsFromConfigMapWithEmptyVal(t *testing.T) {
 		DefaultServiceAccount:    "default",
 		DefaultRunAsUser:         65532,
 		DefaultRunAsGroup:        65532,
+		DefaultFSGroup:           65532,
 		DefaultRunAsNonRoot:      true, // when empty value set from configmap we set back to default value for runAsNonRoot
 		IsDefaultRunAsUserEmpty:  true,
 		IsDefaultRunAsGroupEmpty: true,
+		IsDefaultFsGroupEmpty:    true,
 	}
 	verifyConfigFileWithExpectedConfig(t, DefaultsConfigEmptyVal, expectedConfig)
 }

diff --git a/pkg/apis/config/testdata/config-defaults-empty.yaml b/pkg/apis/config/testdata/config-defaults-empty.yaml
@@ -39,4 +39,5 @@ data:
     default-service-accounts: "default"
     default-run-as-user: "65532"
     default-run-as-group: "65532"
+    default-fs-group: "65532"
     default-run-as-non-root: "false"
diff --git a/pkg/apis/config/testdata/config-defaults-triggers-empty-val.yaml b/pkg/apis/config/testdata/config-defaults-triggers-empty-val.yaml
@@ -21,4 +21,5 @@ data:
   default-service-account: "default"
   default-run-as-user: ""
   default-run-as-group: ""
+  default-fs-group: ""
   default-run-as-non-root: ""
diff --git a/pkg/apis/config/testdata/config-defaults-triggers.yaml b/pkg/apis/config/testdata/config-defaults-triggers.yaml
@@ -21,4 +21,5 @@ data:
   default-service-account: "default"
   default-run-as-user: "65532"
   default-run-as-group: "65532"
+  default-fs-group: "65532"
   default-run-as-non-root: "true"
diff --git a/pkg/reconciler/eventlistener/eventlistener_test.go b/pkg/reconciler/eventlistener/eventlistener_test.go
@@ -292,6 +292,12 @@ func makeDeployment(ops ...func(d *appsv1.Deployment)) *appsv1.Deployment {
 					}},
 					SecurityContext: &corev1.PodSecurityContext{
 						RunAsNonRoot: ptr.Bool(true),
+						RunAsUser:    ptr.Int64(65532),
+						RunAsGroup:   ptr.Int64(65532),
+						FSGroup:      ptr.Int64(65532),
+						SeccompProfile: &corev1.SeccompProfile{
+							Type: corev1.SeccompProfileTypeRuntimeDefault,
+						},
 					},
 				},
 			},
@@ -900,6 +906,12 @@ func TestReconcile(t *testing.T) {
 	deploymentMissingReadOnlyRootFilesystem := makeDeployment(func(d *appsv1.Deployment) {
 		d.Spec.Template.Spec.SecurityContext = &corev1.PodSecurityContext{
 			RunAsNonRoot: ptr.Bool(true),
+			RunAsUser:    ptr.Int64(65532),
+			RunAsGroup:   ptr.Int64(65532),
+			FSGroup:      ptr.Int64(65532),
+			SeccompProfile: &corev1.SeccompProfile{
+				Type: corev1.SeccompProfileTypeRuntimeDefault,
+			},
 		}
 		d.Spec.Template.Spec.Containers[0].SecurityContext = &corev1.SecurityContext{
 			AllowPrivilegeEscalation: ptr.Bool(false),
@@ -923,6 +935,12 @@ func TestReconcile(t *testing.T) {
 	deploymentWithSecurityContext := makeDeployment(func(d *appsv1.Deployment) {
 		d.Spec.Template.Spec.SecurityContext = &corev1.PodSecurityContext{
 			RunAsNonRoot: ptr.Bool(true),
+			RunAsUser:    ptr.Int64(65532),
+			RunAsGroup:   ptr.Int64(65532),
+			FSGroup:      ptr.Int64(65532),
+			SeccompProfile: &corev1.SeccompProfile{
+				Type: corev1.SeccompProfileTypeRuntimeDefault,
+			},
 		}
 		d.Spec.Template.Spec.Containers[0].SecurityContext = &corev1.SecurityContext{
 			AllowPrivilegeEscalation: ptr.Bool(false),

diff --git a/pkg/reconciler/eventlistener/resources/deployment.go b/pkg/reconciler/eventlistener/resources/deployment.go
@@ -37,11 +37,31 @@ const (
 )
 
 var (
-	strongerSecurityPolicy = corev1.PodSecurityContext{
+	baseSecurityPolicy = corev1.PodSecurityContext{
 		RunAsNonRoot: ptr.Bool(true),
+		SeccompProfile: &corev1.SeccompProfile{
+			Type: corev1.SeccompProfileTypeRuntimeDefault,
+		},
 	}
 )
 
+func getStrongerSecurityPolicy(cfg *config.Config) corev1.PodSecurityContext {
+	securityContext := baseSecurityPolicy
+	if !cfg.Defaults.IsDefaultRunAsUserEmpty {
+		securityContext.RunAsUser = ptr.Int64(cfg.Defaults.DefaultRunAsUser)
+	}
+
+	if !cfg.Defaults.IsDefaultRunAsGroupEmpty {
+		securityContext.RunAsGroup = ptr.Int64(cfg.Defaults.DefaultRunAsGroup)
+	}
+
+	if !cfg.Defaults.IsDefaultFsGroupEmpty {
+		securityContext.FSGroup = ptr.Int64(cfg.Defaults.DefaultFSGroup)
+	}
+
+	return securityContext
+}
+
 func MakeDeployment(ctx context.Context, el *v1beta1.EventListener, configAcc reconcilersource.ConfigAccessor, c Config, cfg *config.Config) (*appsv1.Deployment, error) {
 	opt, err := addDeploymentBits(el, c)
 	if err != nil {
@@ -101,7 +121,7 @@ func MakeDeployment(ctx context.Context, el *v1beta1.EventListener, configAcc re
 
 	var securityContext corev1.PodSecurityContext
 	if *c.SetSecurityContext {
-		securityContext = strongerSecurityPolicy
+		securityContext = getStrongerSecurityPolicy(cfg)
 	}
 
 	return &appsv1.Deployment{