Changes

giantswarm · Nov 21, 2023 · 7eb5b03 · 7eb5b03
1 parent d3d7cf9
commit 7eb5b03
Show file tree

Hide file tree

Showing 6 changed files with 82 additions and 51 deletions.
diff --git a/helm/cert-manager-app/charts/cert-manager-giantswarm-clusterissuer/templates/job.yaml b/helm/cert-manager-app/charts/cert-manager-giantswarm-clusterissuer/templates/job.yaml
@@ -15,14 +15,12 @@ spec:
         {{- include "issuerLabels" . | nindent 8 }}
     spec:
       serviceAccountName: {{ .Values.name }}
-      {{- with .Values.global.securityContext }}
       securityContext:
-        runAsUser: {{ .userID }}
-        runAsGroup: {{ .groupID }}
-        runAsNonRoot: {{ .runAsNonRoot }}
+        runAsUser: {{ .Values.userID }}
+        runAsGroup: {{ .Values.groupID }}
+        runAsNonRoot: true
         seccompProfile:
-          {{- toYaml .seccompProfile | nindent 10 }}
-      {{- end }}
+          type: RuntimeDefault
       containers:
       - name: {{ .Values.name }}
         image: "{{ .Values.global.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
@@ -31,10 +29,16 @@ spec:
         - apply
         - --filename
         - /data
-        {{- with .Values.global.containerSecurityContext }}
         securityContext:
-          {{- toYaml . | nindent 12 }}
-        {{- end }}
+          runAsNonRoot: true
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          runAsUser: {{ .Values.userID }}
+          runAsGroup: {{ .Values.groupID }}
+          seccompProfile:
+            type: RuntimeDefault
         volumeMounts:
         - name: {{ .Values.name }}
           subPath: clusterissuer.yaml

diff --git a/helm/cert-manager-app/templates/cainjector-deployment.yaml b/helm/cert-manager-app/templates/cainjector-deployment.yaml
@@ -25,13 +25,9 @@ spec:
       {{- end }}
     spec:
       serviceAccountName: {{ template "certManager.name.cainjector" . }}
-      {{- with .Values.global.securityContext }}
+      {{- with .Values.cainjector.securityContext }}
       securityContext:
-        runAsUser: {{ .userID }}
-        runAsGroup: {{ .groupID }}
-        runAsNonRoot: {{ .runAsNonRoot }}
-        seccompProfile:
-          {{- toYaml .seccompProfile | nindent 10 }}
+        {{- toYaml . | nindent 8 }}
       {{- end }}
       containers:
         - name: cainjector
@@ -43,7 +39,7 @@ spec:
           {{- if .Values.cainjector.extraArgs }}
           {{ toYaml .Values.cainjector.extraArgs }}
           {{- end }}
-          {{- with .Values.global.containerSecurityContext }}
+          {{- with .Values.cainjector.containerSecurityContext }}
           securityContext:
             {{- toYaml . | nindent 12 }}
           {{- end }}

diff --git a/helm/cert-manager-app/templates/controller-deployment.yaml b/helm/cert-manager-app/templates/controller-deployment.yaml
@@ -38,13 +38,9 @@ spec:
       - key: node-role.kubernetes.io/control-plane
         effect: NoSchedule
       serviceAccountName: {{ template "certManager.controller.serviceAccountName" . }}
-      {{- with .Values.global.securityContext }}
+      {{- with .Values.securityContext }}
       securityContext:
-        runAsUser: {{ .userID }}
-        runAsGroup: {{ .groupID }}
-        runAsNonRoot: {{ .runAsNonRoot }}
-        seccompProfile:
-          {{- toYaml .seccompProfile | nindent 10 }}
+        {{- toYaml . | nindent 8 }}
       {{- end }}
       containers:
         - name: cert-manager
@@ -70,7 +66,7 @@ spec:
           {{- if .Values.controller.extraArgs }}
 {{ toYaml .Values.controller.extraArgs | indent 10 }}
           {{- end }}
-          {{- with .Values.global.containerSecurityContext }}
+          {{- with .Values.containerSecurityContext }}
           securityContext:
             {{- toYaml . | nindent 12 }}
           {{- end }}

diff --git a/helm/cert-manager-app/templates/startupapicheck-job.yaml b/helm/cert-manager-app/templates/startupapicheck-job.yaml
@@ -37,9 +37,9 @@ spec:
       {{- if .Values.global.priorityClassName }}
       priorityClassName: {{ .Values.global.priorityClassName | quote }}
       {{- end }}
-      {{- if .Values.startupapicheck.securityContext}}
+      {{- with .Values.startupapicheck.securityContext }}
       securityContext:
-{{ toYaml .Values.startupapicheck.securityContext | indent 8 }}
+        {{- toYaml . | nindent 8 }}
       {{- end }}
       containers:
         - name: {{ .Chart.Name }}
@@ -52,9 +52,9 @@ spec:
           {{- if .Values.startupapicheck.extraArgs }}
 {{ toYaml .Values.startupapicheck.extraArgs | indent 10 }}
           {{- end }}
-          {{- if .Values.startupapicheck.containerSecurityContext }}
+          {{- with .Values.startupapicheck.containerSecurityContext }}
           securityContext:
-            {{- toYaml .Values.startupapicheck.containerSecurityContext | nindent 12 }}
+            {{- toYaml . | nindent 12 }}
           {{- end }}
           resources:
 {{ toYaml .Values.startupapicheck.resources | indent 12 }}

diff --git a/helm/cert-manager-app/templates/webhook-deployment.yaml b/helm/cert-manager-app/templates/webhook-deployment.yaml
@@ -42,13 +42,9 @@ spec:
               topologyKey: kubernetes.io/hostname
             weight: 100
       serviceAccountName: {{ template "certManager.name.webhook" . }}
-      {{- with .Values.global.securityContext }}
+      {{- with .Values.webhook.securityContext }}
       securityContext:
-        runAsUser: {{ .userID }}
-        runAsGroup: {{ .groupID }}
-        runAsNonRoot: {{ .runAsNonRoot }}
-        seccompProfile:
-          {{- toYaml .seccompProfile | nindent 10 }}
+        {{- toYaml . | nindent 8 }}
       {{- end }}
       containers:
         - name: webhook
@@ -72,7 +68,7 @@ spec:
           {{- with .Values.webhook.extraArgs }}
           {{- toYaml . | nindent 10 }}
           {{- end }}
-          {{- with .Values.global.containerSecurityContext }}
+          {{- with .Values.webhook.containerSecurityContext }}
           securityContext:
             {{- toYaml . | nindent 12 }}
           {{- end }}

diff --git a/helm/cert-manager-app/values.yaml b/helm/cert-manager-app/values.yaml
@@ -42,6 +42,19 @@ cainjector:
       cpu: 10m
       memory: 32Mi
 
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
+
+  containerSecurityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+      - ALL
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+
   serviceAccount:
     # Optional additional labels to add to the cainjector's ServiceAccount
     # labels: {}
@@ -120,7 +133,22 @@ controller:
     # labels: {}
     automountServiceAccountToken: true
     annotations: {}
-
+# Pod Security Context
+# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+securityContext:
+  runAsNonRoot: true
+  seccompProfile:
+    type: RuntimeDefault
+
+# Container Security Context to be set on the controller component container
+# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+    - ALL
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
 # crds
 #
 crds:
@@ -253,26 +281,26 @@ global:
   # name will be used.
   name: cert-manager
 
-  # global.securityContext
-  # Pods must run as an unprivileged user in Giant Swarm clusters.
-  securityContext:
-    # global.securityContext.groupID
-    groupID: 1000
+  ## global.securityContext
+  ## Pods must run as an unprivileged user in Giant Swarm clusters.
+  #securityContext:
+  #  # global.securityContext.groupID
+  #  groupID: 1000
 
-    # global.securityContext.userID
-    userID: 1000
+  #  # global.securityContext.userID
+  #  userID: 1000
 
-    # global.securityContext.runAsNonRoot
-    runAsNonRoot: true
+  #  # global.securityContext.runAsNonRoot
+  #  runAsNonRoot: true
 
-    seccompProfile:
-      type: RuntimeDefault
+  #  seccompProfile:
+  #    type: RuntimeDefault
 
-  containerSecurityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-      - ALL
+  #containerSecurityContext:
+  #  allowPrivilegeEscalation: false
+  #  capabilities:
+  #    drop:
+  #    - ALL
 
   rbac:
     # Aggregate ClusterRoles to Kubernetes default user-facing roles. Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles
@@ -370,7 +398,18 @@ webhook:
   url:
     {}
     # host:
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
 
+  containerSecurityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+      - ALL
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
 # This startupapicheck is a Helm post-install hook that waits for the webhook
 # endpoints to become available.
 startupapicheck: