feat(security)!: ✨ 🔒️ capabilities are droppped by default and can be…

… set if needed
traefik · May 31, 2024 · 079dec2 · 079dec2
1 parent ddf9e87
commit 079dec2
Show file tree

Hide file tree

Showing 5 changed files with 19 additions and 15 deletions.
diff --git a/traefikee/templates/proxy/deployment.yaml b/traefikee/templates/proxy/deployment.yaml
@@ -135,10 +135,7 @@ spec:
             seccompProfile:
               type: RuntimeDefault
             capabilities:
-              drop:
-                - ALL
-              add:
-                - NET_BIND_SERVICE
+              {{- toYaml $proxy.securityContext.capabilities | nindent 14 }}
           ports:
             - containerPort: 8484
               name: distributed

diff --git a/traefikee/templates/stateful-sets.yaml b/traefikee/templates/stateful-sets.yaml
@@ -147,10 +147,7 @@ spec:
             seccompProfile:
               type: RuntimeDefault
             capabilities:
-              drop:
-                - ALL
-              add:
-                - NET_BIND_SERVICE
+              {{- toYaml .Values.registry.securityContext.capabilities | nindent 14 }}
           ports:
             - containerPort: 6443
               name: https
@@ -358,10 +355,7 @@ spec:
             seccompProfile:
               type: RuntimeDefault
             capabilities:
-              drop:
-                - ALL
-              add:
-                - NET_BIND_SERVICE
+              {{- toYaml .Values.controller.securityContext.capabilities | nindent 14 }}
           ports:
             - containerPort: 4242
               name: control-port

diff --git a/traefikee/tests/controller_test.yaml b/traefikee/tests/controller_test.yaml
@@ -251,7 +251,6 @@ tests:
               type: "RuntimeDefault"
             capabilities:
               drop: ["ALL"]
-              add: ["NET_BIND_SERVICE"]
       - documentIndex: 2
         equal:
           path: spec.template.spec.containers[0].securityContext
@@ -263,7 +262,6 @@ tests:
               type: "RuntimeDefault"
             capabilities:
               drop: ["ALL"]
-              add: ["NET_BIND_SERVICE"]
 
   - it: should deploy only the controller when registry is disabled
     set:

diff --git a/traefikee/values-dual-proxies.yaml b/traefikee/values-dual-proxies.yaml
@@ -95,6 +95,8 @@ additionalProxies:
       periodSeconds: 5
     securityContext:
       runAsUser: 65532
+      capabilities:
+        drop: ["ALL"]
 
   #  serviceLabels:
   #    foo: bar

diff --git a/traefikee/values.yaml b/traefikee/values.yaml
@@ -53,6 +53,11 @@ registry:
                   values:
                     - registry
             topologyKey: "kubernetes.io/hostname"
+
+  securityContext:
+    capabilities:
+      drop: ["ALL"]
+
 #   serviceLabels:
 #     foo: bar
 #   serviceAnnotations:
@@ -107,6 +112,11 @@ controller:
                   values:
                     - controllers
             topologyKey: "kubernetes.io/hostname"
+
+  securityContext:
+    capabilities:
+      drop: ["ALL"]
+
   # Static Configuration can be set within values OR
   # from an external ConfigMap. Not both.
   staticConfig:
@@ -209,6 +219,7 @@ proxy:
   loadBalancerIP:
   loadBalancerSourceRanges:
 
+
   # To disable affinity at all set this value to null
   affinity:
     nodeAffinity:
@@ -272,6 +283,8 @@ proxy:
     periodSeconds: 5
   securityContext:
     runAsUser: 65532
+    capabilities:
+      drop: ["ALL"]
 
 #  serviceLabels:
 #    foo: bar
@@ -381,5 +394,5 @@ mesh:
 volumeClaimTemplates:
   storageClassName:
 
-# set it to true if CSI driver don't allow it (e.g EFS)
+# Set it to true if your CSI driver don't allow (or need) it (e.g EFS)
 disableChown: false