Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Chart: Tighten securityContexts and Pod Security Policies. #10491

Merged
merged 25 commits into from
Nov 7, 2023
Merged

Chart: Tighten securityContexts and Pod Security Policies. #10491

merged 25 commits into from
Nov 7, 2023

Conversation

Gacko
Copy link
Member

@Gacko Gacko commented Oct 10, 2023
edited
Loading

What this PR does / why we need it:

This PR tightens the security context settings of all the containers involved in the chart. The single commits contain detailed information about what has been changed and why.

I first of all fixed some minor issues in the values.yaml, improved the documentation and aligned & improved both the helpers and the templating itself, before I actually applied more restrictive default values in the values.yaml and the Pod Security Policies. This brings the chart a big step forward to being compliant with the Pod Security Standards profile Restricted.

I'm aware of Pod Security Policies being deprecated since Kubernetes v1.21.0 and removed in v1.25.0. But since there probably are several users out there still running on Kubernetes v1.24.0 or below, it could make sense to provide a chart compatible and well prepared for moving to Pod Security Standards in Kubernetes v1.25.0 and above.

This is why I also put some effort into the still existing Pod Security Policies. I did not add any new resources related to them, only refactored the templating and tightened their default values, and so they still can easily be removed once support for v1.24.0 and below gets dropped.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • CVE Report (Scanner found CVE and adding report)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation only

Which issue/s this PR fixes

How Has This Been Tested?

I spun up a Kubernetes cluster and tested the changes made in each commit separately and manually, including different values for also testing edge cases and special conditions.

Checklist:

  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I've read the CONTRIBUTION guide
  • I have added unit and/or e2e tests to cover my changes.
  • All new and existing tests passed.

@k8s-ci-robot k8s-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Oct 10, 2023
@netlify
Copy link

netlify bot commented Oct 10, 2023
edited
Loading

Deploy Preview for kubernetes-ingress-nginx canceled.

Name Link
🔨 Latest commit 3635927
🔍 Latest deploy log https://app.netlify.com/sites/kubernetes-ingress-nginx/deploys/6549d82f08b5490008c20155

@k8s-ci-robot k8s-ci-robot added the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Oct 10, 2023
@k8s-ci-robot
Copy link
Contributor

This issue is currently awaiting triage.

If Ingress contributors determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. needs-kind Indicates a PR lacks a `kind/foo` label and requires one. labels Oct 10, 2023
@k8s-ci-robot
Copy link
Contributor

Hi @Gacko. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added needs-priority size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Oct 10, 2023
@k8s-ci-robot k8s-ci-robot requested a review from cpanato October 10, 2023 14:09
@k8s-ci-robot k8s-ci-robot added the area/helm Issues or PRs related to helm charts label Oct 10, 2023
@k8s-ci-robot k8s-ci-robot requested a review from strongjz October 10, 2023 14:09
@Gacko Gacko force-pushed the pull/10 branch 12 times, most recently from 2f8c6da to 65f555c Compare October 11, 2023 14:56
@Gacko Gacko marked this pull request as ready for review October 11, 2023 14:59
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Oct 11, 2023
@Gacko Gacko force-pushed the pull/10 branch 3 times, most recently from 6b156b0 to f9e9710 Compare October 12, 2023 12:33
Gacko added 20 commits November 7, 2023 07:24
@Gacko
Helpers: Move ingress-nginx.defaultBackend.fullname.
47ab493
@Gacko
Helpers: Add ingress-nginx.defaultBackend.containerSecurityContext.
8d056bf 
Extracts the default backend `securityContext` into a template, as for the controller.
@Gacko
Controller: Fix indentation of controller.podSecurityContext & `con…
918d1d4 
…troller.sysctls`.
@Gacko
Controller: Improve controller.extraModules & `controller.opentelem…
ae18981 
…etry`.

- Add `controller.extraModules.distroless` & `controller.extraModules.resources`.
- Add `controller.opentelemetry.name` & `controller.opentelemetry.distroless`.
- Align `extraModules` inclusion for `controller.extraModules` & `controller.opentelemetry`.
- Remove redundant whitespaces.
@Gacko
Controller/PSP: Align indentation.
2315263
@Gacko
Controller/PSP: Remove quotes.
564a713
@Gacko
Controller/PSP: Improve comments.
d649900
@Gacko
Controller/PSP: Reorder fields.
94889ba 
See https://v1-24.docs.kubernetes.io/docs/concepts/security/pod-security-policy.
@Gacko
Admission Webhooks: Fix indentation of `controller.admissionWebhooks.…
c4f144f 
…patch.securityContext`.
@Gacko
Admission Webhooks/PSP: Align indentation.
e3ec756
@Gacko
Admission Webhooks/PSP: Reorder fields.
27f8af2
@Gacko
Admission Webhooks/PSP: Align condition.
c0e1120
@Gacko
Admission Webhooks/ClusterRole: Align PSP rule.
3d4487a
@Gacko
Default Backend/PSP: Align indentation.
fb116e8
@Gacko
Default Backend/PSP: Reorder fields.
c19e369 
See https://v1-24.docs.kubernetes.io/docs/concepts/security/pod-security-policy.
@Gacko
Values: Tighten controller.image.
310c48a 
Due to recent changes, the controller image can be run without privilege escalation:

- kubernetes#8499
- kubernetes#7449
@Gacko
Values: Tighten controller.extraModules.containerSecurityContext.
84c3fb3
@Gacko
Values: Tighten controller.opentelemetry.containerSecurityContext.
c5f102e
@Gacko
Values: Tighten controller.admissionWebhooks.*.securityContext.
5afbe6a 
Moves the pod `securityContext` to the containers to not interfere with injected containers.
@Gacko
Values: Tighten defaultBackend.image.
3635927
@rikatz
Copy link
Contributor

rikatz commented Nov 7, 2023

/hold cancel
/lgtm
Thank you!

@k8s-ci-robot k8s-ci-robot added lgtm "Looks good to me", indicates that a PR is ready to be merged. and removed do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. labels Nov 7, 2023
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Gacko, rikatz

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot merged commit 8b026f4 into kubernetes:main Nov 7, 2023
38 checks passed
@Gacko Gacko deleted the pull/10 branch November 7, 2023 21:42
@strongjz
Copy link
Member

/cherry-pick release-1.9

@k8s-infra-cherrypick-robot
Copy link
Contributor

@strongjz: #10491 failed to apply on top of branch "release-1.9":

Applying: Values: Fix docs of `controller.podSecurityContext` & `controller.sysctls`.
Using index info to reconstruct a base tree...
M	charts/ingress-nginx/README.md
M	charts/ingress-nginx/values.yaml
Falling back to patching base and 3-way merge...
Auto-merging charts/ingress-nginx/values.yaml
Auto-merging charts/ingress-nginx/README.md
Applying: Values: Add missing `controller.containerSecurityContext`.
Applying: Values: Fix docs of `defaultBackend.podSecurityContext` & `defaultBackend.containerSecurityContext`.
Applying: Helpers: Rename `controller.containerSecurityContext` to `ingress-nginx.controller.containerSecurityContext`.
Using index info to reconstruct a base tree...
M	charts/ingress-nginx/templates/_helpers.tpl
M	charts/ingress-nginx/templates/controller-daemonset.yaml
M	charts/ingress-nginx/templates/controller-deployment.yaml
Falling back to patching base and 3-way merge...
Auto-merging charts/ingress-nginx/templates/controller-deployment.yaml
Auto-merging charts/ingress-nginx/templates/controller-daemonset.yaml
Auto-merging charts/ingress-nginx/templates/_helpers.tpl
Applying: Helpers: Improve `extraModules`.
Using index info to reconstruct a base tree...
M	charts/ingress-nginx/templates/_helpers.tpl
Falling back to patching base and 3-way merge...
Auto-merging charts/ingress-nginx/templates/_helpers.tpl
CONFLICT (content): Merge conflict in charts/ingress-nginx/templates/_helpers.tpl
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
Patch failed at 0005 Helpers: Improve `extraModules`.
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".

In response to this:

/cherry-pick release-1.9

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@Gacko Gacko mentioned this pull request Jan 22, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cpanato cpanato Awaiting requested review from cpanato

@strongjz strongjz Awaiting requested review from strongjz

Assignees

@rikatz rikatz

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/helm Issues or PRs related to helm charts cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-kind Indicates a PR lacks a `kind/foo` label and requires one. needs-priority needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@Gacko @k8s-ci-robot @rikatz @strongjz @k8s-infra-cherrypick-robot