Chart: Tighten securityContexts and Pod Security Policies.

giantswarm · Oct 11, 2023 · 01997eb · 01997eb
1 parent e15c4d5
commit 01997eb
Show file tree

Hide file tree

Showing 14 changed files with 316 additions and 215 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -19,6 +19,7 @@ and this project's packages adheres to [Semantic Versioning](http://semver.org/s
   **NOTE:** This is part of our alignment to upstream. Please convert any overrides of `controller.topologySpreadConstraints` to an array, too.
 - Tests: Upgrade dependencies & remove explicit ATS version. ([#538](https://github.com/giantswarm/ingress-nginx-app/pull/538))
 - Service: Fix wildcard subdomain. ([#539](https://github.com/giantswarm/ingress-nginx-app/pull/539))
+- Chart: Tighten `securityContext`s and Pod Security Policies. ([#540](https://github.com/giantswarm/ingress-nginx-app/pull/540))
 
 ## [3.0.1] - 2023-09-18
 

diff --git a/helm/ingress-nginx/README.md b/helm/ingress-nginx/README.md
@@ -112,6 +112,11 @@ Please ensure that cert-manager is correctly installed and configured.
 | controller.admissionWebhooks.certificate | string | `"/usr/local/certificates/cert"` |  |
 | controller.admissionWebhooks.createSecretJob.resources | object | `{}` |  |
 | controller.admissionWebhooks.createSecretJob.securityContext.allowPrivilegeEscalation | bool | `false` |  |
+| controller.admissionWebhooks.createSecretJob.securityContext.capabilities.drop[0] | string | `"ALL"` |  |
+| controller.admissionWebhooks.createSecretJob.securityContext.readOnlyRootFilesystem | bool | `true` |  |
+| controller.admissionWebhooks.createSecretJob.securityContext.runAsNonRoot | bool | `true` |  |
+| controller.admissionWebhooks.createSecretJob.securityContext.runAsUser | int | `65532` |  |
+| controller.admissionWebhooks.createSecretJob.securityContext.seccompProfile.type | string | `"RuntimeDefault"` |  |
 | controller.admissionWebhooks.enabled | bool | `true` |  |
 | controller.admissionWebhooks.existingPsp | string | `""` | Use an existing PSP instead of creating one |
 | controller.admissionWebhooks.extraEnvs | list | `[]` | Additional environment variables to set |
@@ -129,12 +134,15 @@ Please ensure that cert-manager is correctly installed and configured.
 | controller.admissionWebhooks.patch.nodeSelector."kubernetes.io/os" | string | `"linux"` |  |
 | controller.admissionWebhooks.patch.podAnnotations | object | `{}` |  |
 | controller.admissionWebhooks.patch.priorityClassName | string | `""` | Provide a priority class name to the webhook patching job # |
-| controller.admissionWebhooks.patch.securityContext.fsGroup | int | `2000` |  |
-| controller.admissionWebhooks.patch.securityContext.runAsNonRoot | bool | `true` |  |
-| controller.admissionWebhooks.patch.securityContext.runAsUser | int | `2000` |  |
+| controller.admissionWebhooks.patch.securityContext | object | `{}` |  |
 | controller.admissionWebhooks.patch.tolerations | list | `[]` |  |
 | controller.admissionWebhooks.patchWebhookJob.resources | object | `{}` |  |
 | controller.admissionWebhooks.patchWebhookJob.securityContext.allowPrivilegeEscalation | bool | `false` |  |
+| controller.admissionWebhooks.patchWebhookJob.securityContext.capabilities.drop[0] | string | `"ALL"` |  |
+| controller.admissionWebhooks.patchWebhookJob.securityContext.readOnlyRootFilesystem | bool | `true` |  |
+| controller.admissionWebhooks.patchWebhookJob.securityContext.runAsNonRoot | bool | `true` |  |
+| controller.admissionWebhooks.patchWebhookJob.securityContext.runAsUser | int | `65532` |  |
+| controller.admissionWebhooks.patchWebhookJob.securityContext.seccompProfile.type | string | `"RuntimeDefault"` |  |
 | controller.admissionWebhooks.port | int | `8443` |  |
 | controller.admissionWebhooks.service.annotations | object | `{}` |  |
 | controller.admissionWebhooks.service.externalIPs | list | `[]` |  |
@@ -158,6 +166,7 @@ Please ensure that cert-manager is correctly installed and configured.
 | controller.configMapNamespace | string | `""` | Allows customization of the configmap / nginx-configmap namespace; defaults to $(POD_NAMESPACE) |
 | controller.containerName | string | `"controller"` | Configures the controller container name |
 | controller.containerPort | object | `{"http":80,"https":443}` | Configures the ports that the nginx-controller listens on |
+| controller.containerSecurityContext | object | `{}` | Security context for controller containers |
 | controller.customTemplate.configMapKey | string | `""` |  |
 | controller.customTemplate.configMapName | string | `""` |  |
 | controller.dnsConfig | object | `{}` | Optionally customize the pod dnsConfig. |
@@ -182,13 +191,16 @@ Please ensure that cert-manager is correctly installed and configured.
 | controller.hostPort.ports.http | int | `80` | 'hostPort' http port |
 | controller.hostPort.ports.https | int | `443` | 'hostPort' https port |
 | controller.hostname | object | `{}` | Optionally customize the pod hostname. |
-| controller.image.allowPrivilegeEscalation | bool | `true` |  |
+| controller.image.allowPrivilegeEscalation | bool | `false` |  |
 | controller.image.chroot | bool | `false` |  |
 | controller.image.digest | string | `""` |  |
 | controller.image.digestChroot | string | `""` |  |
 | controller.image.image | string | `"giantswarm/ingress-nginx-controller"` |  |
 | controller.image.pullPolicy | string | `"IfNotPresent"` |  |
+| controller.image.readOnlyRootFilesystem | bool | `false` |  |
+| controller.image.runAsNonRoot | bool | `true` |  |
 | controller.image.runAsUser | int | `101` |  |
+| controller.image.seccompProfile.type | string | `"RuntimeDefault"` |  |
 | controller.image.tag | string | `"v1.9.0"` |  |
 | controller.ingressClass | string | `"nginx"` | For backwards compatibility with ingress.class annotation, use ingressClass. Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation |
 | controller.ingressClassByName | bool | `false` | Process IngressClass per name (additionally as per spec.controller). |
@@ -247,12 +259,19 @@ Please ensure that cert-manager is correctly installed and configured.
 | controller.networkPolicy.enabled | bool | `true` | Enable 'networkPolicy' or not |
 | controller.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for controller pod assignment # Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ # |
 | controller.opentelemetry.containerSecurityContext.allowPrivilegeEscalation | bool | `false` |  |
+| controller.opentelemetry.containerSecurityContext.capabilities.drop[0] | string | `"ALL"` |  |
+| controller.opentelemetry.containerSecurityContext.readOnlyRootFilesystem | bool | `true` |  |
+| controller.opentelemetry.containerSecurityContext.runAsNonRoot | bool | `true` |  |
+| controller.opentelemetry.containerSecurityContext.runAsUser | int | `65532` | The image's default user, inherited from its base image `cgr.dev/chainguard/static`. |
+| controller.opentelemetry.containerSecurityContext.seccompProfile.type | string | `"RuntimeDefault"` |  |
+| controller.opentelemetry.distroless | bool | `true` |  |
 | controller.opentelemetry.enabled | bool | `false` |  |
 | controller.opentelemetry.image | string | `"registry.k8s.io/ingress-nginx/opentelemetry:v20230721-3e2062ee5@sha256:13bee3f5223883d3ca62fee7309ad02d22ec00ff0d7033e3e9aca7a9f60fd472"` |  |
+| controller.opentelemetry.name | string | `"opentelemetry"` |  |
 | controller.opentelemetry.resources | object | `{}` |  |
 | controller.podAnnotations | object | `{}` | Annotations to be added to controller pods # |
 | controller.podLabels | object | `{}` | Labels to add to the pod container metadata |
-| controller.podSecurityContext | object | `{}` | Security Context policies for controller pods |
+| controller.podSecurityContext | object | `{}` | Security context for controller pods |
 | controller.priorityClassName | string | `""` |  |
 | controller.proxySetHeaders | object | `{}` | Will add custom headers before sending traffic to backends according to https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/custom-headers |
 | controller.publishService | object | `{"enabled":true,"pathOverride":""}` | Allows customization of the source of the IP address or FQDN to report in the ingress status field. By default, it reads the information provided by the service. If disable, the status field reports the IP address of the node or nodes where an ingress controller pod is running. |
@@ -322,7 +341,7 @@ Please ensure that cert-manager is correctly installed and configured.
 | controller.service.targetPorts.https | string | `"https"` | Port of the ingress controller the external HTTPS listener is mapped to. |
 | controller.service.type | string | `"LoadBalancer"` | Type of both controller services. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types |
 | controller.shareProcessNamespace | bool | `false` |  |
-| controller.sysctls | object | `{}` | See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for notes on enabling and using sysctls |
+| controller.sysctls | object | `{}` | sysctls for controller pods # Ref: https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ |
 | controller.tcp.annotations | object | `{}` | Annotations to be added to the tcp config configmap |
 | controller.tcp.configMapNamespace | string | `""` | Allows customization of the tcp-services-configmap; defaults to $(POD_NAMESPACE) |
 | controller.terminationGracePeriodSeconds | int | `300` | `terminationGracePeriodSeconds` to avoid killing pods before we are ready # wait up to five minutes for the drain of connections # |
@@ -339,7 +358,7 @@ Please ensure that cert-manager is correctly installed and configured.
 | defaultBackend.autoscaling.minReplicas | int | `1` |  |
 | defaultBackend.autoscaling.targetCPUUtilizationPercentage | int | `50` |  |
 | defaultBackend.autoscaling.targetMemoryUtilizationPercentage | int | `50` |  |
-| defaultBackend.containerSecurityContext | object | `{}` | Security Context policies for controller main container. See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for notes on enabling and using sysctls # |
+| defaultBackend.containerSecurityContext | object | `{}` | Security context for default backend containers |
 | defaultBackend.enabled | bool | `false` |  |
 | defaultBackend.existingPsp | string | `""` | Use an existing PSP instead of creating one |
 | defaultBackend.extraArgs | object | `{}` |  |
@@ -352,6 +371,7 @@ Please ensure that cert-manager is correctly installed and configured.
 | defaultBackend.image.readOnlyRootFilesystem | bool | `true` |  |
 | defaultBackend.image.runAsNonRoot | bool | `true` |  |
 | defaultBackend.image.runAsUser | int | `65534` |  |
+| defaultBackend.image.seccompProfile.type | string | `"RuntimeDefault"` |  |
 | defaultBackend.image.tag | string | `"1.5"` |  |
 | defaultBackend.labels | object | `{}` | Labels to be added to the default backend resources |
 | defaultBackend.livenessProbe.failureThreshold | int | `3` |  |
@@ -366,7 +386,7 @@ Please ensure that cert-manager is correctly installed and configured.
 | defaultBackend.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for default backend pod assignment # Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ # |
 | defaultBackend.podAnnotations | object | `{}` | Annotations to be added to default backend pods # |
 | defaultBackend.podLabels | object | `{}` | Labels to add to the pod container metadata |
-| defaultBackend.podSecurityContext | object | `{}` | Security Context policies for controller pods See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for notes on enabling and using sysctls # |
+| defaultBackend.podSecurityContext | object | `{}` | Security context for default backend pods |
 | defaultBackend.port | int | `8080` |  |
 | defaultBackend.priorityClassName | string | `""` |  |
 | defaultBackend.readinessProbe.failureThreshold | int | `6` |  |

diff --git a/helm/ingress-nginx/templates/_helpers.tpl b/helm/ingress-nginx/templates/_helpers.tpl
@@ -30,14 +30,19 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 {{- end -}}
 {{- end -}}
 
-
 {{/*
-Container SecurityContext.
+Controller container security context.
 */}}
-{{- define "controller.containerSecurityContext" -}}
+{{- define "ingress-nginx.controller.containerSecurityContext" -}}
 {{- if .Values.controller.containerSecurityContext -}}
 {{- toYaml .Values.controller.containerSecurityContext -}}
 {{- else -}}
+runAsNonRoot: {{ .Values.controller.image.runAsNonRoot }}
+runAsUser: {{ .Values.controller.image.runAsUser }}
+allowPrivilegeEscalation: {{ .Values.controller.image.allowPrivilegeEscalation }}
+{{- if .Values.controller.image.seccompProfile }}
+seccompProfile: {{ toYaml .Values.controller.image.seccompProfile | nindent 2 }}
+{{- end }}
 capabilities:
   drop:
   - ALL
@@ -46,9 +51,8 @@ capabilities:
   {{- if .Values.controller.image.chroot }}
   - SYS_CHROOT
   {{- end }}
-runAsUser: {{ .Values.controller.image.runAsUser }}
-allowPrivilegeEscalation: {{ .Values.controller.image.allowPrivilegeEscalation }}
-{{- end }}
+readOnlyRootFilesystem: {{ .Values.controller.image.readOnlyRootFilesystem }}
+{{- end -}}
 {{- end -}}
 
 {{/*
@@ -110,14 +114,6 @@ Users can provide an override for an explicit service they want bound via `.Valu
 {{- print $servicePath | trimSuffix "-" -}}
 {{- end -}}
 
-{{/*
-Create a default fully qualified default backend name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-*/}}
-{{- define "ingress-nginx.defaultBackend.fullname" -}}
-{{- printf "%s-%s" (include "ingress-nginx.fullname" .) .Values.defaultBackend.name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
 {{/*
 Common labels
 */}}
@@ -155,6 +151,14 @@ Create the name of the controller service account to use
 {{- end -}}
 {{- end -}}
 
+{{/*
+Create a default fully qualified default backend name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "ingress-nginx.defaultBackend.fullname" -}}
+{{- printf "%s-%s" (include "ingress-nginx.fullname" .) .Values.defaultBackend.name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
 {{/*
 Create the name of the backend service account to use - only used when podsecuritypolicy is also enabled
 */}}
@@ -166,6 +170,26 @@ Create the name of the backend service account to use - only used when podsecuri
 {{- end -}}
 {{- end -}}
 
+{{/*
+Default backend container security context.
+*/}}
+{{- define "ingress-nginx.defaultBackend.containerSecurityContext" -}}
+{{- if .Values.defaultBackend.containerSecurityContext -}}
+{{- toYaml .Values.defaultBackend.containerSecurityContext -}}
+{{- else -}}
+runAsNonRoot: {{ .Values.defaultBackend.image.runAsNonRoot }}
+runAsUser: {{ .Values.defaultBackend.image.runAsUser }}
+allowPrivilegeEscalation: {{ .Values.defaultBackend.image.allowPrivilegeEscalation }}
+{{- if .Values.defaultBackend.image.seccompProfile }}
+seccompProfile: {{ toYaml .Values.defaultBackend.image.seccompProfile | nindent 2 }}
+{{- end }}
+capabilities:
+  drop:
+  - ALL
+readOnlyRootFilesystem: {{ .Values.defaultBackend.image.readOnlyRootFilesystem }}
+{{- end -}}
+{{- end -}}
+
 {{/*
 Return the appropriate apiGroup for PodSecurityPolicy.
 */}}
@@ -202,18 +226,21 @@ Extra modules.
 {{- define "extraModules" -}}
 - name: {{ .name }}
   image: {{ .image }}
-  {{- if .distroless | default false }}
-  command: ['/init_module']
+  command:
+  {{- if .distroless }}
+    - /init_module
   {{- else }}
-  command: ['sh', '-c', '/usr/local/bin/init_module.sh']
+    - sh
+    - -c
+    - /usr/local/bin/init_module.sh
   {{- end }}
   {{- if .containerSecurityContext }}
-  securityContext: {{ .containerSecurityContext | toYaml | nindent 4 }}
+  securityContext: {{ toYaml .containerSecurityContext | nindent 4 }}
   {{- end }}
   {{- if .resources }}
-  resources: {{ .resources | toYaml | nindent 4 }}
+  resources: {{ toYaml .resources | nindent 4 }}
   {{- end }}
   volumeMounts:
-    - name: {{ toYaml "modules"}}
-      mountPath: {{ toYaml "/modules_mount"}}
+    - name: modules
+      mountPath: /modules_mount
 {{- end -}}
diff --git a/helm/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml b/helm/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
@@ -21,14 +21,13 @@ rules:
       - get
       - update
 {{- if .Values.podSecurityPolicy.enabled }}
-  - apiGroups: ['extensions']
-    resources: ['podsecuritypolicies']
-    verbs:     ['use']
-    resourceNames:
+  - apiGroups:      [{{ template "podSecurityPolicy.apiGroup" . }}]
+    resources:      ['podsecuritypolicies']
+    verbs:          ['use']
     {{- with .Values.controller.admissionWebhooks.existingPsp }}
-    - {{ . }}
+    resourceNames:  [{{ . }}]
     {{- else }}
-    - {{ include "ingress-nginx.fullname" . }}-admission
+    resourceNames:  [{{ include "ingress-nginx.fullname" . }}-admission]
     {{- end }}
 {{- end }}
 {{- end }}
diff --git a/helm/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml b/helm/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
@@ -73,8 +73,7 @@ spec:
     {{- if .Values.controller.admissionWebhooks.patch.tolerations }}
       tolerations: {{ toYaml .Values.controller.admissionWebhooks.patch.tolerations | nindent 8 }}
     {{- end }}
-      {{- if .Values.controller.admissionWebhooks.patch.securityContext }}
-      securityContext:
-        {{- toYaml .Values.controller.admissionWebhooks.patch.securityContext | nindent 8 }}
-      {{- end }}
+    {{- if .Values.controller.admissionWebhooks.patch.securityContext }}
+      securityContext: {{ toYaml .Values.controller.admissionWebhooks.patch.securityContext | nindent 8 }}
+    {{- end }}
 {{- end }}
diff --git a/helm/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml b/helm/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
@@ -75,8 +75,7 @@ spec:
     {{- if .Values.controller.admissionWebhooks.patch.tolerations }}
       tolerations: {{ toYaml .Values.controller.admissionWebhooks.patch.tolerations | nindent 8 }}
     {{- end }}
-      {{- if .Values.controller.admissionWebhooks.patch.securityContext }}
-      securityContext:
-        {{- toYaml .Values.controller.admissionWebhooks.patch.securityContext | nindent 8 }}
-      {{- end }}
+    {{- if .Values.controller.admissionWebhooks.patch.securityContext }}
+      securityContext: {{ toYaml .Values.controller.admissionWebhooks.patch.securityContext | nindent 8 }}
+    {{- end }}
 {{- end }}
diff --git a/helm/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml b/helm/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml
@@ -1,41 +1,52 @@
 {{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }}
-{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.podSecurityPolicy.enabled (empty .Values.controller.admissionWebhooks.existingPsp) -}}
+{{- if and .Values.podSecurityPolicy.enabled .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (empty .Values.controller.admissionWebhooks.existingPsp) -}}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
   name: {{ include "ingress-nginx.fullname" . }}-admission
   annotations:
     "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+    seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*"
   labels:
     {{- include "ingress-nginx.labels" . | nindent 4 }}
     app.kubernetes.io/component: admission-webhook
     {{- with .Values.controller.admissionWebhooks.patch.labels }}
     {{- toYaml . | nindent 4 }}
     {{- end }}
 spec:
-  allowPrivilegeEscalation: false
+  privileged: false
+  hostPID: false
+  hostIPC: false
+  hostNetwork: false
+  volumes:
+    - configMap
+    - downwardAPI
+    - emptyDir
+    - secret
+    - projected
   fsGroup:
-    ranges:
-    - max: 65535
-      min: 1
     rule: MustRunAs
-  requiredDropCapabilities:
-  - ALL
+    ranges:
+      - min: 1
+        max: 65535
+  readOnlyRootFilesystem: true
   runAsUser:
     rule: MustRunAsNonRoot
-  seLinux:
-    rule: RunAsAny
-  supplementalGroups:
+  runAsGroup:
+    rule: MustRunAs
     ranges:
-    - max: 65535
-      min: 1
+      - min: 1
+        max: 65535
+  supplementalGroups:
     rule: MustRunAs
-  volumes:
-  - configMap
-  - emptyDir
-  - projected
-  - secret
-  - downwardAPI
+    ranges:
+      - min: 1
+        max: 65535
+  allowPrivilegeEscalation: false
+  requiredDropCapabilities:
+    - ALL
+  seLinux:
+    rule: RunAsAny
 {{- end }}
 {{- end }}