-
Notifications
You must be signed in to change notification settings - Fork 483
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(deploy) Increase container security #1057
base: main
Are you sure you want to change the base?
Conversation
The reason specifying |
6ca9eee
to
e1d76e4
Compare
Do you know of anything that's functionally different in terms of enforcement or compliance validation if like settings are set at the Pod versus container level? The rough justification for having defaults only in the container section is more or less what you've mentioned: we apply those context constraints to any container the chart itself manages, and any other container in the Pod is an unknown sidecar (with Kuma having a special status as a well-known sidecar that we try to accommodate by default). Pod-level settings might thus break those unknown sidecars and AFAIK there's no difference when applying the same setting at both levels. If there's something that's Pod-level only, we should consider that in isolation. The Postgres settings should be fine, though we've normally mostly ignored it since it's kind of a legacy wart we discourage use of and plan to ultimately remove. |
As you already wrote, the pods securityContext applies to all containers in the pod while the securityContext of a container only applies to the single container. There are some fields that can be only configured in the securityContext of the pod ( In terms of compliance, IMO it would be better to set most of the stuff in the pods securityContext. But that breaks injected containers. Not sure how much thought was put into kube-linters rules which we're trying to make happy in this PR. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Alright, incompatibility is less of a concern: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
Security settings that you specify for a Container apply only to the individual Container, and they override settings made at the Pod level when there is overlap
It is still a breaking change though, since any added sidecars that are incompatible will need to specify context where they didn't previously, so we'd need to note as much in the changelog.
What issue were you seeing with Kuma, on which version, and with what install configuration? At least with https://kuma.io/docs/2.7.x/production/dp-config/cni/#installation and the KIND instructions I was able to set up Kong and our test echo server with Pod-level runAsNonRoot: true
. That may well have tripped it since AFAIK https://kuma.io/docs/2.7.x/production/dp-config/transparent-proxying/ actually does require root, but I'd think it'd set the override on sidecars in that case.
However, I'd expect UID 1000 at the Pod level to break that also, since even if the container can run as root, it wouldn't be.
e1d76e4
to
a963135
Compare
I was running tests locally with the versions specified in the test files. As said the injected Kuma initContainers were not happy with the |
a963135
to
63a6012
Compare
Would the Pods come online if you manually added a Trying to do my own tests, but have been frustrated by some other issue interfering with my ability to run the transparent proxy mode locally. |
63a6012
to
02e49a3
Compare
As long as the pods |
02e49a3
to
f3a3b44
Compare
@rainest sorry for letting this stall. I've rebased and ran |
Change default values to run containers with read-only file system and non-root user for both kong and postgres deployments. Signed-off-by: Gerald Pape <[email protected]>
f3a3b44
to
4cbaa2b
Compare
@rainest is this still something worth merging? |
Change default values to run containers with read-only file system and non-root user for both kong and postgres deployments.
What this PR does / why we need it:
Which issue this PR fixes
Special notes for your reviewer:
Checklist
main
branch.