
Roll out PSS Restricted profile. #1883

Open
sengi opened this issue Mar 4, 2024 · 2 comments
Assignees
Labels
k8s Kubernetes

Comments


sengi commented Mar 4, 2024

We currently enforce the PSS baseline profile.

We want to tighten that up to Restricted where possible (e.g. apps namespace), so that we don't have to worry about regressions in container permissions — i.e. application containers unintentionally/unnecessarily being granted system privileges in future.

In other words, this:

  • prevents a set of potential misconfigurations in future
  • helps to "lock in" the benefits of the least-privilege configuration that we already have

We still have a couple of NFS clients (e.g. asset-manager), so we might need to work around that temporarily and/or pay down that tech debt and switch them to S3.


sengi commented May 1, 2024

Ah nuts, auto-closed this by mistake somehow or other.

@sengi sengi reopened this May 1, 2024

sengi commented May 1, 2024

It's not rolled out until we're in enforcement mode.

Should be mostly just trivial template fixes, plus the not-so-trivial NFS question.

dj-maisy added the k8s Kubernetes label Jul 22, 2024
nimalank7 added a commit that referenced this issue Sep 25, 2024
Description:
- Enforce initContainers to be compliant when PSS is set to restricted
- As part of #1883
MahmudH pushed a commit that referenced this issue Sep 26, 2024
MahmudH pushed a commit that referenced this issue Sep 26, 2024
MahmudH pushed a commit that referenced this issue Sep 26, 2024
MahmudH pushed a commit that referenced this issue Sep 26, 2024
nimalank7 added a commit that referenced this issue Sep 27, 2024
nimalank7 added a commit that referenced this issue Oct 2, 2024
nimalank7 added a commit that referenced this issue Oct 2, 2024
nimalank7 added a commit that referenced this issue Oct 2, 2024
Description:
- Enforce initContainers in the `app` namespace to be compliant when PSS is set to [restricted](https://kubernetes.io/docs/concepts/security/pod-security-standards/)
- Tested in integration and observed that `content-data-admin` initContainers were starting properly
- `govuk-mirror-sync-cronjob` can't be tested in integration as this has no mirrors so the PR will have to be merged and we will have to manually inspect staging to see if it succeeds.
- As part of #1883
- Paired with @MahmudH
nimalank7 added a commit that referenced this issue Oct 3, 2024
nimalank7 added a commit that referenced this issue Oct 4, 2024
nimalank7 added a commit that referenced this issue Oct 4, 2024
Description:
- Enforces this container to be compliant when PSS is set to [restricted](https://kubernetes.io/docs/concepts/security/pod-security-standards/)
- As part of #1883
nimalank7 added a commit to alphagov/govuk-infrastructure that referenced this issue Nov 26, 2024
nimalank7 added a commit to alphagov/govuk-infrastructure that referenced this issue Nov 27, 2024
nimalank7 added a commit to alphagov/govuk-infrastructure that referenced this issue Nov 29, 2024
Description:
- Nothing uses this anymore
- As part of alphagov/govuk-helm-charts#1883
nimalank7 added a commit to alphagov/govuk-infrastructure that referenced this issue Nov 29, 2024
nimalank7 added a commit that referenced this issue Dec 2, 2024
Description:
- post-sync failures aren't being reported to `#govuk-deploy-arts` and give the following error message:
```level=error msg="cannot save parameter /tmp/message.txt" argo=true error="open /tmp/message.txt: no such file or directory"```
- This is due to alphagov/govuk-infrastructure@e7e840d setting Argo Workflow pods as `readOnlyRootFilesystem`
- Solution is to mount `/tmp` in so the pod can write to it
- As part of #1883
nimalank7 added a commit that referenced this issue Dec 2, 2024
nimalank7 added a commit to alphagov/govuk-infrastructure that referenced this issue Dec 5, 2024
Description:
- https://github.com/alphagov/govuk-infrastructure/pull/725/files introduced the EBS CSI Driver which created EFS for ClamAV
- Next https://github.com/alphagov/govuk-helm-charts/pull/508/files allowed ClamAV to talk to EFS over NFS exposing over clamav-db-govuk.integration.govuk-internal.digital
- However this didn’t work so ClamAV was switched to use the EFS CSI driver in https://github.com/alphagov/govuk-helm-charts/pull/514/files. But this removes the reference to clamav-db-govuk.integration.govuk-internal.digital
- #790 removes the EFS CSI driver
- Next https://github.com/alphagov/govuk-helm-charts/pull/572/files makes ClamAV share the EFS instance via the same NFS mount as asset manager.
- Now there is a dangling reference to ClamAV EFS instance which can be safely removed as nothing references it anymore.
- As part of alphagov/govuk-helm-charts#1883
nimalank7 added a commit to alphagov/govuk-infrastructure that referenced this issue Dec 5, 2024
nimalank7 added a commit to alphagov/govuk-infrastructure that referenced this issue Dec 5, 2024
Description:
- #725 introduced the EBS CSI Driver which created EFS for ClamAV
- Next alphagov/govuk-helm-charts#508 allowed ClamAV to talk to EFS over NFS exposing over clamav-db-govuk.integration.govuk-internal.digital
- However this didn’t work so ClamAV was switched to use the EFS CSI driver in alphagov/govuk-helm-charts#514. But this removes the reference to clamav-db-govuk.integration.govuk-internal.digital
- #790 removes the EFS CSI driver
- Next alphagov/govuk-helm-charts#572 makes ClamAV share the EFS instance via the same NFS mount as asset manager.
- Now there is a dangling reference to ClamAV EFS instance which can be safely removed as nothing references it anymore.
- As part of alphagov/govuk-helm-charts#1883
nimalank7 added a commit to alphagov/govuk-infrastructure that referenced this issue Dec 5, 2024
nimalank7 added a commit to alphagov/govuk-infrastructure that referenced this issue Dec 5, 2024
Description:
- Currently assets are stored in `assets_efs` EFS after scanning by ClamAV prior to upload to S3. These are transferred via an NFS mount in each of their pods. We want to move away from this as `nfs` volume type isn't compatible with PSS restricted
- Install the EFS CSI Driver as a first step to migrate from NFS to PersistentVolumes
- As part of alphagov/govuk-helm-charts#1883
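An added check for the two rules the commits above kept running into (initContainers must meet the same restricted-profile requirements as containers, and the `nfs` volume type is not permitted), written for this page rather than taken from govuk-helm-charts or govuk-infrastructure. The pod spec, its names and the server address are constructed for the example; the rules themselves follow the Kubernetes Pod Security Standards page linked in the thread.

```python
# Added example, not govuk-helm-charts code: lint a pod spec against the PSS
# "restricted" rules this rollout hit; initContainers are checked like containers.
# Volume types restricted permits (Kubernetes PSS docs); `nfs` is not one of them.
RESTRICTED_VOLUME_TYPES = {
    "configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
    "persistentVolumeClaim", "projected", "secret",
}

def check_container(c, pod_sc, where):
    """Return the restricted-profile violations for one (init)container."""
    sc = c.get("securityContext", {})
    caps = sc.get("capabilities", {})
    out = []
    if sc.get("allowPrivilegeEscalation") is not False:
        out.append(f"{where}: allowPrivilegeEscalation must be false")
    if "ALL" not in caps.get("drop", []):
        out.append(f"{where}: capabilities.drop must include ALL")
    if set(caps.get("add", [])) - {"NET_BIND_SERVICE"}:
        out.append(f"{where}: capabilities.add may only contain NET_BIND_SERVICE")
    # Pod-level securityContext applies unless the container overrides it.
    if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
        out.append(f"{where}: runAsNonRoot must be true")
    if sc.get("runAsUser", pod_sc.get("runAsUser")) == 0:
        out.append(f"{where}: runAsUser must not be 0")
    seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {}))
    if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
        out.append(f"{where}: seccompProfile.type must be RuntimeDefault or Localhost")
    return out

def check_pod(spec):
    """Return all restricted-profile violations for a pod spec (dict)."""
    pod_sc = spec.get("securityContext", {})
    out = []
    for vol in spec.get("volumes", []):
        for kind in (k for k in vol if k != "name"):
            if kind not in RESTRICTED_VOLUME_TYPES:
                out.append(f"volume {vol['name']}: type {kind} is not allowed")
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(field, []):
            out += check_container(c, pod_sc, f"{field}/{c['name']}")
    return out

# Constructed sample: NFS volume plus an initContainer with no securityContext.
SAMPLE_SPEC = {
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "volumes": [{"name": "assets", "nfs": {"server": "fs.example.internal", "path": "/"}}],
    "initContainers": [{"name": "wait-for-db", "image": "busybox"}],
    "containers": [{"name": "app", "image": "app:1", "securityContext": {
        "allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}}],
}
```

Running `check_pod(SAMPLE_SPEC)` reports the `nfs` volume and two findings on the initContainer while the main container passes, which is the shape of failure a namespace in `warn` or `audit` mode surfaces before `enforce` is switched on.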
nimalank7 added a commit to alphagov/govuk-infrastructure that referenced this issue Dec 5, 2024
nimalank7 added a commit to alphagov/govuk-infrastructure that referenced this issue Dec 5, 2024
nimalank7 added a commit to alphagov/govuk-infrastructure that referenced this issue Dec 11, 2024
nimalank7 added a commit to alphagov/govuk-infrastructure that referenced this issue Dec 11, 2024
Description:
- Add a statically provisioned EFS CSI Driver as part of a series of PRs to move asset-manager to `nfs` volume type
- PR only installs the CSI Driver but doesn't provision an EFS volume until a `PersistentVolumeClaim` is created in the Helm Chart
- See https://github.com/kubernetes-sigs/aws-efs-csi-driver/tree/master/examples/kubernetes/static_provisioning
- As part of alphagov/govuk-helm-charts#1883
nimalank7 added a commit to alphagov/govuk-infrastructure that referenced this issue Dec 11, 2024
Description:
- Add a statically provisioned EFS CSI Driver as part of a series of PRs to move asset-manager to `nfs` volume type. This is because dynamic provisioning causes errors - see https://trello.com/c/2XkadNJ2/1011-resolve-asset-manager-pvc-related-errors
- PR only installs the CSI Driver but doesn't provision an EFS volume until a `PersistentVolumeClaim` is created in the Helm Chart
- See https://github.com/kubernetes-sigs/aws-efs-csi-driver/tree/master/examples/kubernetes/static_provisioning
- As part of alphagov/govuk-helm-charts#1883
nimalank7 added a commit to alphagov/govuk-infrastructure that referenced this issue Dec 11, 2024
nimalank7 added a commit to alphagov/govuk-infrastructure that referenced this issue Dec 11, 2024
Description:
- Add a statically provisioned EFS CSI Driver as part of a series of PRs to move asset-manager to `nfs` volume type. This is because dynamic provisioning causes errors - see https://trello.com/c/2XkadNJ2/1011-resolve-asset-manager-pvc-related-errors
- PR only installs the CSI Driver but doesn't provision an EFS volume until a `PersistentVolumeClaim` is created in the Helm Chart
- See https://github.com/kubernetes-sigs/aws-efs-csi-driver/tree/master/examples/kubernetes/static_provisioning and https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/charts/aws-efs-csi-driver/values.yaml for Helm values
- As part of alphagov/govuk-helm-charts#1883
nimalank7 added a commit to alphagov/govuk-infrastructure that referenced this issue Dec 11, 2024
Description:
- Add a statically provisioned EFS CSI Driver as part of a series of PRs to move asset-manager to `nfs` volume type. This is because dynamic provisioning causes errors - see https://trello.com/c/2XkadNJ2/1011-resolve-asset-manager-pvc-related-errors
- PR only sets up the IAM roles for the EFS CSI Driver. Follow up PR will install the EFS CSI driver.
- See https://github.com/kubernetes-sigs/aws-efs-csi-driver/tree/master/
- As part of alphagov/govuk-helm-charts#1883
nimalank7 added a commit to alphagov/govuk-infrastructure that referenced this issue Dec 11, 2024
nimalank7 added a commit to alphagov/govuk-infrastructure that referenced this issue Dec 11, 2024
nimalank7 added a commit to alphagov/govuk-infrastructure that referenced this issue Dec 11, 2024
Description:
- Adds a statically provisioned EFS CSI Driver as part of a series of PRs to move asset-manager from `nfs` volume type. This shouldn't affect the current NFS setup as it only provisions the driver and doesn't call the RPCs on it
- #1549 added the IAM roles for EKS nodes to access EFS
- See https://github.com/kubernetes-sigs/aws-efs-csi-driver/tree/master/ for configuration details
- As part of alphagov/govuk-helm-charts#1883
nimalank7 added a commit to alphagov/govuk-infrastructure that referenced this issue Dec 12, 2024
nimalank7 added a commit to alphagov/govuk-infrastructure that referenced this issue Dec 12, 2024