From e5b2ccb8a765447b214990f8180ee4db50a4ba9a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jakub=20B=C5=82aszczyk?= Date: Tue, 12 Dec 2023 12:53:19 +0100 Subject: [PATCH] feat: expand default secContext (#658) --- docs/helm/kratos.md | 4 ++ hacks/values/kratos-selfservice-ui-node.yaml | 3 + .../hydra-maester/templates/deployment.yaml | 4 ++ helm/charts/hydra-maester/values.yaml | 19 ++++++- helm/charts/hydra/values.yaml | 16 +++++- .../keto/templates/deployment-watcher.yaml | 2 + helm/charts/keto/templates/deployment.yaml | 7 +-- helm/charts/keto/templates/job-migration.yaml | 4 +- helm/charts/keto/values.yaml | 19 ++++++- .../templates/_helpers.tpl | 11 ++++ .../templates/deployment.yaml | 22 +++++-- .../templates/secret.yaml | 20 +++++++ .../kratos-selfservice-ui-node/values.yaml | 45 +++++++++++++-- .../kratos/templates/cleanup-cron-job.yaml | 4 +- .../kratos/templates/deployment-kratos.yaml | 4 +- .../kratos/templates/deployment-watcher.yaml | 4 ++ .../kratos/templates/statefulset-mail.yaml | 4 ++ helm/charts/kratos/values.yaml | 57 +++++++------------ .../templates/deployment.yaml | 9 ++- helm/charts/oathkeeper-maester/values.yaml | 39 +++++++++---- .../templates/deployment-controller.yaml | 8 ++- .../templates/deployment-sidecar.yaml | 16 ++++-- helm/charts/oathkeeper/values.yaml | 39 +++++++++---- 23 files changed, 266 insertions(+), 94 deletions(-) create mode 100644 helm/charts/kratos-selfservice-ui-node/templates/secret.yaml diff --git a/docs/helm/kratos.md b/docs/helm/kratos.md index e2a61d3a0d..ed2c3d8030 100644 --- a/docs/helm/kratos.md +++ b/docs/helm/kratos.md @@ -158,6 +158,10 @@ There are three options to provide identity schemas: Note: You are free to name `` and `` whatever you want. +> **Important:** Those code snippets are known to be smetimes rendered +> incorrectly by github-pages. Please always refer to the source files in the +> repostiory when in doubt. + 1. Write json to `kratos.identitySchemas`: ```yaml 
diff --git a/hacks/values/kratos-selfservice-ui-node.yaml b/hacks/values/kratos-selfservice-ui-node.yaml index 3a35694dcf..14c1c4e07a 100644 --- a/hacks/values/kratos-selfservice-ui-node.yaml +++ b/hacks/values/kratos-selfservice-ui-node.yaml @@ -20,3 +20,6 @@ test: busybox: repository: docker.io/library/busybox tag: 1.36 + +config: + csrfCookieName: "some-random-cookie-name" diff --git a/helm/charts/hydra-maester/templates/deployment.yaml b/helm/charts/hydra-maester/templates/deployment.yaml index d747b1d200..59551dc83e 100644 --- a/helm/charts/hydra-maester/templates/deployment.yaml +++ b/helm/charts/hydra-maester/templates/deployment.yaml @@ -112,3 +112,7 @@ spec: dnsConfig: {{- toYaml . | nindent 8 }} {{- end }} + {{- with .Values.deployment.podSecurityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/helm/charts/hydra-maester/values.yaml b/helm/charts/hydra-maester/values.yaml index 3fae9fc4d4..02e9fe997d 100644 --- a/helm/charts/hydra-maester/values.yaml +++ b/helm/charts/hydra-maester/values.yaml @@ -65,7 +65,19 @@ deployment: # mountPath: /etc/secrets/my-secret # readOnly: true - # -- Default security context + ## -- pod securityContext + podSecurityContext: + fsGroupChangePolicy: "OnRootMismatch" + runAsNonRoot: true + runAsUser: 65534 + fsGroup: 65534 + runAsGroup: 65534 + seccompProfile: + type: RuntimeDefault + sysctls: [] + supplementalGroups: [] + + ## -- container securityContext securityContext: capabilities: drop: @@ -74,9 +86,12 @@ deployment: type: RuntimeDefault readOnlyRootFilesystem: true runAsNonRoot: true - runAsUser: 1000 + runAsUser: 65534 + runAsGroup: 65534 allowPrivilegeEscalation: false privileged: false + seLinuxOptions: + level: "s0:c123,c456" # -- Node labels for pod assignment. nodeSelector: {} diff --git a/helm/charts/hydra/values.yaml b/helm/charts/hydra/values.yaml index 62c579806a..99d826c122 100644 --- a/helm/charts/hydra/values.yaml +++ b/helm/charts/hydra/values.yaml 
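Review bot: The `seLinuxOptions: level: "s0:c123,c456"` added to the container securityContext in hydra-maester/values.yaml pins every pod rendered from the chart to one fixed MCS label, which gives up the per-pod category pair the runtime would otherwise assign and so removes SELinux separation between these pods and anything else carrying the same label; the value also matches the example string from the Kubernetes documentation rather than a site-specific choice. The same default is introduced in the hydra, keto, kratos-selfservice-ui-node, kratos, oathkeeper-maester and oathkeeper values.yaml hunks of this commit, and on nodes without SELinux it is simply ignored, so it buys nothing there. I would leave `seLinuxOptions` out of the defaults and let operators set it per deployment, or at minimum annotate it: `# -- Fixed MCS level applied to every pod of this chart; a shared level defeats per-pod SELinux isolation, override per environment`. The hunk also moves `runAsUser` from 1000 to 65534; if the image contains files owned by uid 1000 that the process writes, that change needs a note as well, which is not visible from here.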
@@ -198,7 +198,16 @@ deployment: initContainerSecurityContext: {} ## -- pod securityContext for hydra & migration init - podSecurityContext: {} + podSecurityContext: + fsGroupChangePolicy: "OnRootMismatch" + runAsNonRoot: true + runAsUser: 65534 + fsGroup: 65534 + runAsGroup: 65534 + seccompProfile: + type: RuntimeDefault + sysctls: [] + supplementalGroups: [] ## -- container securityContext for hydra & migration init securityContext: @@ -209,9 +218,12 @@ deployment: type: RuntimeDefault readOnlyRootFilesystem: true runAsNonRoot: true - runAsUser: 100 + runAsUser: 65534 + runAsGroup: 65534 allowPrivilegeEscalation: false privileged: false + seLinuxOptions: + level: "s0:c123,c456" lifecycle: {} diff --git a/helm/charts/keto/templates/deployment-watcher.yaml b/helm/charts/keto/templates/deployment-watcher.yaml index 94282fc91a..0526d9a0b4 100644 --- a/helm/charts/keto/templates/deployment-watcher.yaml +++ b/helm/charts/keto/templates/deployment-watcher.yaml @@ -40,6 +40,8 @@ spec: spec: automountServiceAccountToken: {{ .Values.deployment.automountServiceAccountToken }} serviceAccountName: {{ include "keto.serviceAccountName" . }}-watcher + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} containers: - name: watcher {{- if .Values.securityContext }} diff --git a/helm/charts/keto/templates/deployment.yaml b/helm/charts/keto/templates/deployment.yaml index 831ef7bb85..191484cbda 100644 --- a/helm/charts/keto/templates/deployment.yaml +++ b/helm/charts/keto/templates/deployment.yaml 
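Review bot: The pod-level `securityContext:` added to keto deployment-watcher.yaml renders `toYaml .Values.podSecurityContext` unconditionally, so a user who empties `podSecurityContext` to opt out gets `securityContext: {}` or `securityContext: null` in the manifest instead of no field, while the hydra-maester and kratos hunks in this same commit use a `with` guard. The same unguarded form is used in keto deployment.yaml, keto job-migration.yaml and kratos-selfservice-ui-node deployment.yaml. For consistency I would wrap each in the same `{{- with .Values.podSecurityContext }}` … `{{- toYaml . | nindent 8 }}` … `{{- end }}` guard so the four charts behave the same way when the value is cleared.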
@@ -1,5 +1,4 @@ {{- $podAnnotations := ternary .Values.deployment.podAnnotations .Values.podAnnotations (not (empty .Values.deployment.podAnnotations )) -}} -{{- $podSecurityContext := ternary .Values.deployment.podSecurityContext .Values.podSecurityContext (not (empty .Values.deployment.podSecurityContext )) -}} {{- $automountServiceAccountToken := ternary .Values.deployment.automountServiceAccountToken .Values.automountServiceAccountToken (not (empty .Values.deployment.automountServiceAccountToken )) -}} {{- $livenessProbe := ternary .Values.deployment.livenessProbe .Values.livenessProbe (not (empty .Values.deployment.livenessProbe )) -}} {{- $readinessProbe := ternary .Values.deployment.readinessProbe .Values.readinessProbe (not (empty .Values.deployment.readinessProbe )) -}} @@ -105,12 +104,12 @@ spec: serviceAccountName: {{ include "keto.serviceAccountName" . }} automountServiceAccountToken: {{ $automountServiceAccountToken }} securityContext: - {{- toYaml $podSecurityContext | nindent 8 }} + {{- toYaml .Values.podSecurityContext | nindent 8 }} containers: - name: {{ .Chart.Name }} - {{- if .Values.securityContext }} + {{- with .Values.securityContext }} securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} + {{- toYaml . | nindent 12 }} {{- end }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} diff --git a/helm/charts/keto/templates/job-migration.yaml b/helm/charts/keto/templates/job-migration.yaml index 8c94fe603a..8b701c3b36 100644 --- a/helm/charts/keto/templates/job-migration.yaml +++ b/helm/charts/keto/templates/job-migration.yaml 
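Review bot: Removing the `$podSecurityContext` ternary from keto deployment.yaml means any `deployment.podSecurityContext` a user already sets is silently ignored, because Helm does not reject unknown values and the template now reads only `.Values.podSecurityContext`. The same silent drop applies to the keys removed in the kratos values.yaml hunks (`deployment.initContainerSecurityContext`, `deployment.podSecurityContext`, `deployment.securityContext`, `cronjob.cleanup.securityContext`, `cronjob.cleanup.podSecurityContext`) and to `deployment.securityContext` in oathkeeper-maester and oathkeeper, and no chart version bump or changelog entry appears in the diffstat. Consider failing loudly for one release, e.g. `{{- if .Values.deployment.podSecurityContext }}{{ fail "deployment.podSecurityContext has moved to podSecurityContext" }}{{- end }}`, or at least a comment in each values.yaml naming the moved key, so an upgrade does not quietly weaken or change a hardened context the operator had configured.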
@@ -48,6 +48,8 @@ spec: {{- end }} serviceAccountName: {{ include "keto.job.serviceAccountName" . }} automountServiceAccountToken: {{ .Values.job.automountServiceAccountToken }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} containers: - name: {{ .Chart.Name }}-automigrate image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" @@ -63,7 +65,7 @@ spec: args: [ "migrate", "up", "-y", "--config", "/etc/config/keto.yaml" ] {{- end }} {{- if .Values.job.lifecycle }} -{{ tpl .Values.job.lifecycle . | indent 8 }} + {{- tpl .Values.job.lifecycle . | nindent 8 }} {{- end }} volumeMounts: - name: {{ include "keto.name" . }}-config-volume diff --git a/helm/charts/keto/values.yaml b/helm/charts/keto/values.yaml index 84c10a697d..7d2233855f 100644 --- a/helm/charts/keto/values.yaml +++ b/helm/charts/keto/values.yaml @@ -30,7 +30,19 @@ serviceAccount: # If not set and create is true, a name is generated using the fullname template name: "" -# -- Default security context configuration +## -- pod securityContext for hydra & migration init +podSecurityContext: + fsGroupChangePolicy: "OnRootMismatch" + runAsNonRoot: true + runAsUser: 65534 + fsGroup: 65534 + runAsGroup: 65534 + seccompProfile: + type: RuntimeDefault + sysctls: [] + supplementalGroups: [] + +## -- container securityContext for hydra & migration init securityContext: capabilities: drop: @@ -39,9 +51,12 @@ securityContext: type: RuntimeDefault readOnlyRootFilesystem: true runAsNonRoot: true - runAsUser: 100 + runAsUser: 65534 + runAsGroup: 65534 allowPrivilegeEscalation: false privileged: false + seLinuxOptions: + level: "s0:c123,c456" # -- Values for initialization job job: diff --git a/helm/charts/kratos-selfservice-ui-node/templates/_helpers.tpl b/helm/charts/kratos-selfservice-ui-node/templates/_helpers.tpl index d9ca839cf2..d650cd8985 100644 --- a/helm/charts/kratos-selfservice-ui-node/templates/_helpers.tpl 
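Review bot: The new comments in keto/values.yaml read `## -- pod securityContext for hydra & migration init` and `## -- container securityContext for hydra & migration init`, which name the wrong chart and were evidently copied from hydra/values.yaml. Since keto's migration runs as a Job (job-migration.yaml in this commit), I would change them to `## -- pod securityContext for keto & the migration job` and `## -- container securityContext for keto & the migration job`.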
+++ b/helm/charts/kratos-selfservice-ui-node/templates/_helpers.tpl @@ -43,3 +43,14 @@ app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} {{- end }} app.kubernetes.io/managed-by: {{ .Release.Service }} {{- end -}} + +{{/* +Create a secret name which can be overridden. +*/}} +{{- define "kratos-selfservice-ui-node.secretname" -}} +{{- if .Values.secret.nameOverride -}} +{{- .Values.secret.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{ include "kratos-selfservice-ui-node.fullname" . }} +{{- end -}} +{{- end -}} \ No newline at end of file diff --git a/helm/charts/kratos-selfservice-ui-node/templates/deployment.yaml b/helm/charts/kratos-selfservice-ui-node/templates/deployment.yaml index 7983f9b1c2..3e20627d9d 100644 --- a/helm/charts/kratos-selfservice-ui-node/templates/deployment.yaml +++ b/helm/charts/kratos-selfservice-ui-node/templates/deployment.yaml @@ -6,7 +6,7 @@ metadata: namespace: {{ .Release.Namespace }} {{- end }} labels: -{{ include "kratos-selfservice-ui-node.labels" . | indent 4 }} + {{- include "kratos-selfservice-ui-node.labels" . | nindent 4 }} {{- with .Values.deployment.labels }} {{- toYaml . | nindent 4 }} {{- end }} @@ -24,7 +24,7 @@ spec: template: metadata: labels: -{{ include "kratos-selfservice-ui-node.labels" . | indent 8 }} + {{- include "kratos-selfservice-ui-node.labels" . | nindent 8 }} {{- with .Values.deployment.labels }} {{- toYaml . | nindent 8 }} {{- end }} @@ -40,7 +40,7 @@ spec: automountServiceAccountToken: {{ .Values.deployment.automountServiceAccountToken }} {{- with .Values.deployment.extraVolumes }} volumes: -{{ toYaml . | indent 6}} + {{- toYaml . | nindent 6 }} {{- end }} containers: - name: {{ .Chart.Name }} 
@@ -61,8 +61,20 @@ spec: value: {{ .Values.kratosAdminUrl | quote }} - name: SECURITY_MODE value: {{ .Values.securityMode | quote }} + - name: COOKIE_SECRET + valueFrom: + secretKeyRef: + name: {{ include "kratos-selfservice-ui-node.secretname" . }} + key: secretsCookie + - name: CSRF_COOKIE_SECRET + valueFrom: + secretKeyRef: + name: {{ include "kratos-selfservice-ui-node.secretname" . }} + key: secretsCSRFCookie + - name: CSRF_COOKIE_NAME + value: {{ .Values.config.csrfCookieName | quote }} {{- if .Values.deployment.extraEnv }} -{{ toYaml .Values.deployment.extraEnv | indent 10 }} + {{- toYaml .Values.deployment.extraEnv | nindent 10 }} {{- end }} {{- with .Values.deployment.extraVolumeMounts }} volumeMounts: @@ -106,3 +118,5 @@ spec: dnsConfig: {{- toYaml . | nindent 8 }} {{- end }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} diff --git a/helm/charts/kratos-selfservice-ui-node/templates/secret.yaml b/helm/charts/kratos-selfservice-ui-node/templates/secret.yaml new file mode 100644 index 0000000000..f230759b1b --- /dev/null +++ b/helm/charts/kratos-selfservice-ui-node/templates/secret.yaml 
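Review bot: The new `COOKIE_SECRET` and `CSRF_COOKIE_SECRET` entries reference `kratos-selfservice-ui-node.secretname` unconditionally, so with `secret.enabled: false` and an empty `secret.nameOverride` the pod points at a Secret named after the release that nothing creates, and the container will sit in CreateContainerConfigError rather than failing at template time. The hunk also sets `CSRF_COOKIE_NAME` from `config.csrfCookieName`, which defaults to `""` in values.yaml; whether the application treats an empty variable as unset is not visible here, so guarding that entry with `{{- with .Values.config.csrfCookieName }}` would be safer. A values.yaml comment would make the contract explicit: `# -- When false, set secret.nameOverride to an existing Secret that holds the keys secretsCookie and secretsCSRFCookie`.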
@@ -0,0 +1,20 @@ +{{- if .Values.secret.enabled -}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "kratos-selfservice-ui-node.secretname" . }} + {{- if .Release.Namespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "kratos-selfservice-ui-node.labels" . | nindent 4 }} + annotations: + {{- with .Values.secret.secretAnnotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +type: Opaque +data: + # Generate a random secret if the user doesn't give one. User given secret has priority + secretsCookie: {{ ( .Values.config.secrets.cookie | default ( randAlphaNum 32 )) | required "Value config.secrets.cookie can not be empty!" | b64enc | quote }} + secretsCSRFCookie: {{ ( .Values.config.secrets.csrfCookie | default ( randAlphaNum 32 )) | required "Value config.secrets.csrfCookie can not be empty!" | b64enc | quote }} +{{- end }} diff --git a/helm/charts/kratos-selfservice-ui-node/values.yaml b/helm/charts/kratos-selfservice-ui-node/values.yaml index 9c5ff4fa0e..6a9ea8000d 100644 --- a/helm/charts/kratos-selfservice-ui-node/values.yaml +++ b/helm/charts/kratos-selfservice-ui-node/values.yaml @@ -11,13 +11,18 @@ image: # SELFSERVICE image repository: oryd/kratos-selfservice-ui-node # -- ORY KRATOS VERSION - tag: "v0.13.0-4" + tag: "v0.13.0-20" pullPolicy: IfNotPresent imagePullSecrets: [] nameOverride: "" fullnameOverride: "" +# -- Application config +config: + csrfCookieName: "" + secrets: {} + # -- Service configuration service: type: ClusterIP 
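Review bot: In the new secret.yaml the `required "Value config.secrets.cookie can not be empty!"` check can never fire, because `default (randAlphaNum 32)` has already supplied a value by the time `required` runs; the `secretsCSRFCookie` line has the same dead check. Either drop `required` and keep the generate-if-absent behaviour the comment describes, or drop `default` if the intent is to force an explicit value. The `annotations:` key is also emitted even when `secret.secretAnnotations` is empty, which yields `annotations: null`; moving `annotations:` inside the `with` block avoids that.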
@@ -27,6 +32,23 @@ service: # -- The service port name. Useful to set a custom service port name if it must follow a scheme (e.g. Istio) name: http +secret: + # -- switch to false to prevent creating the secret + enabled: true + # -- Provide custom name of existing secret, or custom name of secret to be created + nameOverride: "" + # nameOverride: "myCustomSecret" + # -- Annotations to be added to secret. Annotations are added only when secret is being created. Existing secret will not be modified. + secretAnnotations: + # Create the secret before installation, and only then. This saves the secret from regenerating during an upgrade + # pre-upgrade is needed to upgrade from 0.7.0 to newer. Can be deleted afterwards. + helm.sh/hook-weight: "0" + helm.sh/hook: "pre-install, pre-upgrade" + helm.sh/hook-delete-policy: "before-hook-creation" + helm.sh/resource-policy: "keep" + # -- switch to false to prevent checksum annotations being maintained and propogated to the pods + hashSumEnabled: true + # -- Ingress configration ingress: enabled: false @@ -45,18 +67,33 @@ ingress: # hosts: # - chart-example.local -# -- Deployment level securityContext +# -- Container level security context securityContext: capabilities: drop: - ALL - seccompProfile: - type: RuntimeDefault readOnlyRootFilesystem: false runAsNonRoot: true runAsUser: 10000 + runAsGroup: 10000 allowPrivilegeEscalation: false privileged: false + seccompProfile: + type: RuntimeDefault + seLinuxOptions: + level: "s0:c123,c456" + +# -- Pod level security context +podSecurityContext: + fsGroupChangePolicy: "OnRootMismatch" + runAsNonRoot: true + runAsUser: 10000 + fsGroup: 10000 + runAsGroup: 10000 + seccompProfile: + type: RuntimeDefault + sysctls: [] + supplementalGroups: [] # -- Deployment configuration deployment: diff --git a/helm/charts/kratos/templates/cleanup-cron-job.yaml b/helm/charts/kratos/templates/cleanup-cron-job.yaml index aee29a6841..d369f48bc0 100644 
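Review bot: `secret.hashSumEnabled: true` is introduced in kratos-selfservice-ui-node/values.yaml but no template in this commit reads it — the deployment.yaml hunks add the env references without a checksum annotation — so the comment describes behaviour that does not exist yet and should either be implemented or removed. The comment `pre-upgrade is needed to upgrade from 0.7.0 to newer` also looks copied from the kratos chart, since this chart had no Secret before this commit. With `helm.sh/hook: "pre-install, pre-upgrade"` and `helm.sh/hook-delete-policy: "before-hook-creation"` as defaults, an upgrade run without `config.secrets.*` set appears to recreate the hook Secret with fresh `randAlphaNum` values, which would invalidate every existing session and CSRF cookie; that interaction with `helm.sh/resource-policy: "keep"` is worth confirming and stating next to `secretAnnotations`. A one-line note on `nameOverride` that an existing Secret must carry the keys `secretsCookie` and `secretsCSRFCookie` would round out the documentation.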
--- a/helm/charts/kratos/templates/cleanup-cron-job.yaml +++ b/helm/charts/kratos/templates/cleanup-cron-job.yaml @@ -54,7 +54,7 @@ spec: - name: cleanup image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" imagePullPolicy: {{ .Values.image.pullPolicy }} - {{- with .Values.cronjob.cleanup.securityContext }} + {{- with .Values.securityContext }} securityContext: {{- toYaml . | nindent 16 }} {{- end }} @@ -91,7 +91,7 @@ spec: nodeSelector: {{- toYaml . | nindent 12 }} {{- end }} - {{- with .Values.cronjob.cleanup.podSecurityContext }} + {{- with .Values.podSecurityContext }} securityContext: {{- toYaml . | nindent 12 }} {{- end }} diff --git a/helm/charts/kratos/templates/deployment-kratos.yaml b/helm/charts/kratos/templates/deployment-kratos.yaml index 90e25a36a3..7e566ffb2b 100644 --- a/helm/charts/kratos/templates/deployment-kratos.yaml +++ b/helm/charts/kratos/templates/deployment-kratos.yaml @@ -90,7 +90,7 @@ spec: resources: {{- toYaml . | nindent 12 }} {{- end }} - {{- with .Values.deployment.initContainerSecurityContext }} + {{- with .Values.securityContext }} securityContext: {{- toYaml . | nindent 12 }} {{- end }} @@ -260,7 +260,7 @@ spec: topologySpreadConstraints: {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.deployment.podSecurityContext }} + {{- with .Values.podSecurityContext }} securityContext: {{- toYaml . | nindent 8 }} {{- end }} diff --git a/helm/charts/kratos/templates/deployment-watcher.yaml b/helm/charts/kratos/templates/deployment-watcher.yaml index 886d297516..0980ebbe5c 100644 --- a/helm/charts/kratos/templates/deployment-watcher.yaml +++ b/helm/charts/kratos/templates/deployment-watcher.yaml 
@@ -40,6 +40,10 @@ spec: spec: automountServiceAccountToken: {{ .Values.deployment.automountServiceAccountToken }} serviceAccountName: {{ include "kratos.serviceAccountName" . }}-watcher + {{- with .Values.podSecurityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} containers: - name: watcher {{- if .Values.securityContext }} diff --git a/helm/charts/kratos/templates/statefulset-mail.yaml b/helm/charts/kratos/templates/statefulset-mail.yaml index e8dba9fcba..14dd291ff2 100644 --- a/helm/charts/kratos/templates/statefulset-mail.yaml +++ b/helm/charts/kratos/templates/statefulset-mail.yaml @@ -173,4 +173,8 @@ spec: dnsConfig: {{- toYaml . | nindent 8 }} {{- end }} + {{- with .Values.podSecurityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} {{- end }} diff --git a/helm/charts/kratos/values.yaml b/helm/charts/kratos/values.yaml index cd00e90d32..4f7c30e020 100644 --- a/helm/charts/kratos/values.yaml +++ b/helm/charts/kratos/values.yaml @@ -191,25 +191,6 @@ kratos: # -- Configuration options for the k8s deployment deployment: - # -- initContainer securityContext for Kratos & migration init - initContainerSecurityContext: {} - - # -- pod securityContext for Kratos & migration init - podSecurityContext: {} - - # -- container securityContext for Kratos & migration init - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 100 - seccompProfile: - type: RuntimeDefault - lifecycle: {} # -- Configure the livenessProbe parameters livenessProbe: 
@@ -476,17 +457,33 @@ statefulSet: # -- Number of revisions kept in history revisionHistoryLimit: 5 +# -- Container level security context securityContext: capabilities: drop: - ALL - seccompProfile: - type: RuntimeDefault readOnlyRootFilesystem: true runAsNonRoot: true - runAsUser: 100 + runAsUser: 65534 + runAsGroup: 65534 allowPrivilegeEscalation: false privileged: false + seccompProfile: + type: RuntimeDefault + seLinuxOptions: + level: "s0:c123,c456" + +# -- Pod level security context +podSecurityContext: + fsGroupChangePolicy: "OnRootMismatch" + runAsNonRoot: true + runAsUser: 65534 + fsGroup: 65534 + runAsGroup: 65534 + seccompProfile: + type: RuntimeDefault + sysctls: [] + supplementalGroups: [] # -- Horizontal pod autoscaling configuration autoscaling: @@ -651,22 +648,6 @@ cronjob: # -- Configure node affinity affinity: {} - # -- Configure the containers' SecurityContext for the cleanup cronjob - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 100 - seccompProfile: - type: RuntimeDefault - - # -- pod securityContext for the cleanup cronjob - podSecurityContext: {} - # -- We usually recommend not to specify default resources and to leave this as a conscious choice for the user. # This also increases chances charts run on environments with little # resources, such as Minikube. If you do want to specify resources, uncomment the following diff --git a/helm/charts/oathkeeper-maester/templates/deployment.yaml b/helm/charts/oathkeeper-maester/templates/deployment.yaml index 72d048a653..71599aeb13 100644 --- a/helm/charts/oathkeeper-maester/templates/deployment.yaml +++ b/helm/charts/oathkeeper-maester/templates/deployment.yaml 
@@ -76,15 +76,18 @@ spec: {{- toYaml .Values.deployment.resources | nindent 12 }} terminationMessagePath: /dev/termination-log terminationMessagePolicy: File - {{- if .Values.deployment.securityContext }} + {{- if .Values.securityContext }} securityContext: - {{- toYaml .Values.deployment.securityContext | nindent 12 }} + {{- toYaml .Values.securityContext | nindent 12 }} {{- end }} serviceAccountName: {{ include "oathkeeper-maester.fullname" . }}-account automountServiceAccountToken: {{ .Values.deployment.automountServiceAccountToken }} dnsPolicy: ClusterFirst restartPolicy: Always - securityContext: {} + {{- with .Values.podSecurityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} terminationGracePeriodSeconds: 10 {{- with .Values.priorityClassName }} priorityClassName: {{ . }} diff --git a/helm/charts/oathkeeper-maester/values.yaml b/helm/charts/oathkeeper-maester/values.yaml index bbf0eacce4..acb0f0d737 100644 --- a/helm/charts/oathkeeper-maester/values.yaml +++ b/helm/charts/oathkeeper-maester/values.yaml @@ -33,6 +33,34 @@ image: # -- Image pull secrets imagePullSecrets: [] +# -- Container level security context +securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65534 + runAsGroup: 65534 + allowPrivilegeEscalation: false + privileged: false + seccompProfile: + type: RuntimeDefault + seLinuxOptions: + level: "s0:c123,c456" + +# -- Pod level security context +podSecurityContext: + fsGroupChangePolicy: "OnRootMismatch" + runAsNonRoot: true + runAsUser: 65534 + fsGroup: 65534 + runAsGroup: 65534 + seccompProfile: + type: RuntimeDefault + sysctls: [] + supplementalGroups: [] + deployment: resources: {} 
@@ -46,17 +74,6 @@ deployment: # requests: # cpu: 100m # memory: 20Mi - securityContext: - capabilities: - drop: - - ALL - seccompProfile: - type: RuntimeDefault - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 1000 - allowPrivilegeEscalation: false - privileged: false # -- Pod priority # https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ diff --git a/helm/charts/oathkeeper/templates/deployment-controller.yaml b/helm/charts/oathkeeper/templates/deployment-controller.yaml index 74ef659930..219d6eb6ce 100644 --- a/helm/charts/oathkeeper/templates/deployment-controller.yaml +++ b/helm/charts/oathkeeper/templates/deployment-controller.yaml @@ -157,9 +157,9 @@ spec: {{- end }} resources: {{- toYaml .Values.deployment.resources | nindent 12 }} - {{- if .Values.deployment.securityContext }} + {{- if .Values.securityContext }} securityContext: - {{- toYaml .Values.deployment.securityContext | nindent 12 }} + {{- toYaml .Values.securityContext | nindent 12 }} {{- end }} {{- if .Values.deployment.extraContainers }} {{- tpl .Values.deployment.extraContainers . | nindent 8 }} @@ -187,4 +187,8 @@ spec: dnsConfig: {{- toYaml . | nindent 8 }} {{- end }} + {{- with .Values.podSecurityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} {{- end }} diff --git a/helm/charts/oathkeeper/templates/deployment-sidecar.yaml b/helm/charts/oathkeeper/templates/deployment-sidecar.yaml index 2602239b60..de21179ecf 100644 --- a/helm/charts/oathkeeper/templates/deployment-sidecar.yaml +++ b/helm/charts/oathkeeper/templates/deployment-sidecar.yaml 
@@ -76,9 +76,9 @@ spec: - | touch /etc/rules/access-rules.json chmod 666 /etc/rules/access-rules.json - {{- if .Values.deployment.securityContext }} + {{- if .Values.securityContext }} securityContext: - {{- toYaml .Values.deployment.securityContext | nindent 12 }} + {{- toYaml .Values.securityContext | nindent 12 }} {{- end }} {{- if .Values.deployment.extraInitContainers }} {{- tpl .Values.deployment.extraInitContainers . | nindent 8 }} @@ -157,9 +157,9 @@ spec: {{- end }} resources: {{- toYaml .Values.deployment.resources | nindent 12 }} - {{- if .Values.deployment.securityContext }} + {{- if .Values.securityContext }} securityContext: - {{- toYaml .Values.deployment.securityContext | nindent 12 }} + {{- toYaml .Values.securityContext | nindent 12 }} {{- end }} - name: {{ .Chart.Name }}-maester image: "{{ .Values.sidecar.image.repository }}:{{ .Values.sidecar.image.tag }}" @@ -183,9 +183,9 @@ spec: - name: {{ include "oathkeeper.name" . }}-rules-volume mountPath: /etc/rules readOnly: false - {{- if .Values.deployment.securityContext }} + {{- if .Values.securityContext }} securityContext: - {{- toYaml .Values.deployment.securityContext | nindent 12 }} + {{- toYaml .Values.securityContext | nindent 12 }} {{- end }} {{- if .Values.deployment.extraContainers }} {{- tpl .Values.deployment.extraContainers . | nindent 8 }} @@ -212,4 +212,8 @@ spec: dnsConfig: {{- toYaml . | nindent 8 }} {{- end }} + {{- with .Values.podSecurityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} {{- end }} diff --git a/helm/charts/oathkeeper/values.yaml b/helm/charts/oathkeeper/values.yaml index c1a69f7af5..ab80edcd4b 100644 --- a/helm/charts/oathkeeper/values.yaml +++ b/helm/charts/oathkeeper/values.yaml 
@@ -40,6 +40,34 @@ nameOverride: "" # -- Full chart name override fullnameOverride: "" +# -- Container level security context +securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65534 + runAsGroup: 65534 + allowPrivilegeEscalation: false + privileged: false + seccompProfile: + type: RuntimeDefault + seLinuxOptions: + level: "s0:c123,c456" + +# -- Pod level security context +podSecurityContext: + fsGroupChangePolicy: "OnRootMismatch" + runAsNonRoot: true + runAsUser: 65534 + fsGroup: 65534 + runAsGroup: 65534 + seccompProfile: + type: RuntimeDefault + sysctls: [] + supplementalGroups: [] + # -- If enabled, a demo deployment with exemplary access rules and JSON Web Key Secrets will be generated. demo: false @@ -217,17 +245,6 @@ deployment: # requests: # cpu: 100m # memory: 128Mi - securityContext: - capabilities: - drop: - - ALL - seccompProfile: - type: RuntimeDefault - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 1000 - allowPrivilegeEscalation: false - privileged: false lifecycle: {} # -- Configure the livenessProbe parameters