add explicit securitycontexts to controllers
Add explicit, secure securityContexts for all managers except CAPD,
which is privileged and for testing purposes. These securityContexts
do not change the configuration, just make it explicit and enforced,
except for the seccompPolicy which changes from Unconfined to
RuntimeDefault. Syscalls filtered by RuntimeDefault policy are 95%
namespaced and require capabilities (which we drop) in the first place,
so no practical change there either.
tuminoid committed Jan 10, 2023
1 parent 281297c commit 9ac1f05
Showing 5 changed files with 143 additions and 93 deletions.
54 changes: 33 additions & 21 deletions bootstrap/kubeadm/config/manager/manager.yaml
Expand Up @@ -16,31 +16,43 @@ spec:
control-plane: controller-manager
spec:
containers:
- command:
- /manager
args:
- "--leader-elect"
- "--metrics-bind-addr=localhost:8080"
- "--feature-gates=MachinePool=${EXP_MACHINE_POOL:=false},KubeadmBootstrapFormatIgnition=${EXP_KUBEADM_BOOTSTRAP_FORMAT_IGNITION:=false}"
- "--bootstrap-token-ttl=${KUBEADM_BOOTSTRAP_TOKEN_TTL:=15m}"
image: controller:latest
name: manager
ports:
- containerPort: 9440
name: healthz
protocol: TCP
readinessProbe:
httpGet:
path: /readyz
port: healthz
livenessProbe:
httpGet:
path: /healthz
port: healthz
- command:
- /manager
args:
- "--leader-elect"
- "--metrics-bind-addr=localhost:8080"
- "--feature-gates=MachinePool=${EXP_MACHINE_POOL:=false},KubeadmBootstrapFormatIgnition=${EXP_KUBEADM_BOOTSTRAP_FORMAT_IGNITION:=false}"
- "--bootstrap-token-ttl=${KUBEADM_BOOTSTRAP_TOKEN_TTL:=15m}"
image: controller:latest
name: manager
ports:
- containerPort: 9440
name: healthz
protocol: TCP
readinessProbe:
httpGet:
path: /readyz
port: healthz
livenessProbe:
httpGet:
path: /healthz
port: healthz
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
runAsUser: 65532
runAsGroup: 65532
terminationGracePeriodSeconds: 10
serviceAccountName: manager
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/master
- effect: NoSchedule
key: node-role.kubernetes.io/control-plane
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
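Review bot: the container securityContext at the end of this hunk drops all capabilities and sets `allowPrivilegeEscalation: false` and `privileged: false`, but leaves `readOnlyRootFilesystem` unset, so the container's root filesystem stays writable. If the manager does not write to its own filesystem, consider adding `readOnlyRootFilesystem: true` next to `privileged: false`; if it does need scratch space, an `emptyDir` volume for just that path keeps the rest read-only and still matches the commit's "explicit and enforced" intent.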
78 changes: 45 additions & 33 deletions config/manager/manager.yaml
Expand Up @@ -17,43 +17,55 @@ spec:
control-plane: controller-manager
spec:
containers:
- command:
- /manager
args:
- "--leader-elect"
- "--metrics-bind-addr=localhost:8080"
- "--feature-gates=MachinePool=${EXP_MACHINE_POOL:=false},ClusterResourceSet=${EXP_CLUSTER_RESOURCE_SET:=false},ClusterTopology=${CLUSTER_TOPOLOGY:=false},RuntimeSDK=${EXP_RUNTIME_SDK:=false}"
image: controller:latest
name: manager
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_UID
valueFrom:
fieldRef:
fieldPath: metadata.uid
ports:
- containerPort: 9440
name: healthz
protocol: TCP
readinessProbe:
httpGet:
path: /readyz
port: healthz
livenessProbe:
httpGet:
path: /healthz
port: healthz
- command:
- /manager
args:
- "--leader-elect"
- "--metrics-bind-addr=localhost:8080"
- "--feature-gates=MachinePool=${EXP_MACHINE_POOL:=false},ClusterResourceSet=${EXP_CLUSTER_RESOURCE_SET:=false},ClusterTopology=${CLUSTER_TOPOLOGY:=false},RuntimeSDK=${EXP_RUNTIME_SDK:=false}"
image: controller:latest
name: manager
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_UID
valueFrom:
fieldRef:
fieldPath: metadata.uid
ports:
- containerPort: 9440
name: healthz
protocol: TCP
readinessProbe:
httpGet:
path: /readyz
port: healthz
livenessProbe:
httpGet:
path: /healthz
port: healthz
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
runAsUser: 65532
runAsGroup: 65532
terminationGracePeriodSeconds: 10
serviceAccountName: manager
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/master
- effect: NoSchedule
key: node-role.kubernetes.io/control-plane
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
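Review bot: `runAsUser: 65532` and `runAsGroup: 65532` in this hunk override whatever USER the image declares, so the commit message's "do not change the configuration" claim only holds while the controller image actually runs as UID/GID 65532. The pod-level `runAsNonRoot: true` would reject an image that runs as root, but it would not catch a base-image change to a different non-root UID that breaks file-ownership assumptions; a short YAML comment beside these two fields stating which image user they are meant to match would help keep them in sync.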
78 changes: 45 additions & 33 deletions controlplane/kubeadm/config/manager/manager.yaml
Expand Up @@ -16,43 +16,55 @@ spec:
control-plane: controller-manager
spec:
containers:
- command:
- /manager
args:
- "--leader-elect"
- "--metrics-bind-addr=localhost:8080"
- "--feature-gates=ClusterTopology=${CLUSTER_TOPOLOGY:=false},KubeadmBootstrapFormatIgnition=${EXP_KUBEADM_BOOTSTRAP_FORMAT_IGNITION:=false}"
image: controller:latest
name: manager
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_UID
valueFrom:
fieldRef:
fieldPath: metadata.uid
ports:
- containerPort: 9440
name: healthz
protocol: TCP
readinessProbe:
httpGet:
path: /readyz
port: healthz
livenessProbe:
httpGet:
path: /healthz
port: healthz
- command:
- /manager
args:
- "--leader-elect"
- "--metrics-bind-addr=localhost:8080"
- "--feature-gates=ClusterTopology=${CLUSTER_TOPOLOGY:=false},KubeadmBootstrapFormatIgnition=${EXP_KUBEADM_BOOTSTRAP_FORMAT_IGNITION:=false}"
image: controller:latest
name: manager
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_UID
valueFrom:
fieldRef:
fieldPath: metadata.uid
ports:
- containerPort: 9440
name: healthz
protocol: TCP
readinessProbe:
httpGet:
path: /readyz
port: healthz
livenessProbe:
httpGet:
path: /healthz
port: healthz
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
runAsUser: 65532
runAsGroup: 65532
terminationGracePeriodSeconds: 10
serviceAccountName: manager
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/master
- effect: NoSchedule
key: node-role.kubernetes.io/control-plane
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
6 changes: 4 additions & 2 deletions docs/book/src/developer/providers/v1.3-to-v1.4.md
Expand Up @@ -5,13 +5,12 @@ maintainers of providers and consumers of our Go API.

## Minimum Go version

* The Go version used by Cluster API is still Go 1.19.x
- The Go version used by Cluster API is still Go 1.19.x

## Dependencies

**Note**: Only the most relevant dependencies are listed, `k8s.io/` and `ginkgo`/`gomega` dependencies in Cluster API are kept in sync with the versions used by `sigs.k8s.io/controller-runtime`.


## Changes by Kind

### Deprecation
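Review bot: the only change in this hunk is swapping the `*` bullet for `-` under "Minimum Go version" and dropping a blank line before "Changes by Kind", which is cosmetic cleanup unrelated to the securityContext work. Either leave it out of this commit or mention it in the commit message so readers of the change log are not left looking for a substantive edit here.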
Expand All @@ -36,5 +35,8 @@ maintainers of providers and consumers of our Go API.

- `clusterctl upgrade apply` no longer requires a namespace when updating providers. It is now optional and in a future release it will be deprecated. The new syntax is `[namespace/]provider:version`.
- `WatchDeploymentLogs` is changed to `WatchDeploymentLogsByName`, it works same as before. Another function `WatchDeploymentLogsByLabelSelector` is added to stream logs of deployment by label selector.
- Cluster API controllers are now using an explicit security context by default.

### Suggested changes for providers

- Providers should add an explicit security context to their controllers deployment, see [#7831](https://github.com/kubernetes-sigs/cluster-api/pull/7831) for reference.
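Review bot: the new line "Cluster API controllers are now using an explicit security context by default." does not mention the seccomp profile, yet per the commit message the move from Unconfined to RuntimeDefault is the one part of this change that alters runtime behaviour; call it out explicitly so providers know what to test. In the "Suggested changes for providers" bullet, "their controllers deployment" should read "their controllers' deployments", and listing the fields used in this commit (`allowPrivilegeEscalation: false`, `capabilities.drop: [ALL]`, `runAsNonRoot: true`, `seccompProfile.type: RuntimeDefault`) would save readers a trip to #7831.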
20 changes: 16 additions & 4 deletions test/extension/config/default/manager.yaml
Expand Up @@ -14,14 +14,26 @@ spec:
app: test-extension-manager
spec:
containers:
- command:
- /manager
image: controller:latest
name: manager
- command:
- /manager
image: controller:latest
name: manager
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
runAsUser: 65532
runAsGroup: 65532
terminationGracePeriodSeconds: 10
serviceAccountName: manager
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/master
- effect: NoSchedule
key: node-role.kubernetes.io/control-plane
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
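Review bot: this is the fourth verbatim copy of the same container and pod securityContext block in this commit (bootstrap, core, control plane, and now test/extension). Given the `config/manager` and `config/default` layout these look like kustomize bases, so a shared patch or component holding the securityContext would keep the four manifests from drifting the next time one of them is hardened.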

0 comments on commit 9ac1f05