fix: only set security context when necessary

Signed-off-by: Mark Sagi-Kazar <[email protected]>
bank-vaults · Aug 31, 2023 · 75d5d68 · 75d5d68
1 parent a56aeac
commit 75d5d68
Show file tree

Hide file tree

Showing 3 changed files with 102 additions and 3 deletions.
diff --git a/e2e/test/deployment-init-seccontext.yaml b/e2e/test/deployment-init-seccontext.yaml
@@ -0,0 +1,34 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: test-deployment-init-seccontext
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: test-deployment-init-seccontext
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: test-deployment-init-seccontext
+      annotations:
+        vault.security.banzaicloud.io/vault-addr: "https://vault.default.svc.cluster.local:8200"
+        vault.security.banzaicloud.io/vault-role: "default"
+        vault.security.banzaicloud.io/vault-tls-secret: vault-tls
+        # vault.security.banzaicloud.io/vault-skip-verify: "true"
+        vault.security.banzaicloud.io/vault-path: "kubernetes"
+        vault.security.banzaicloud.io/run-as-non-root: "true"
+        vault.security.banzaicloud.io/run-as-user: "1000"
+        vault.security.banzaicloud.io/run-as-group: "1000"
+    spec:
+      containers:
+        - name: alpine
+          image: alpine
+          command: ["sh", "-c", "echo $AWS_SECRET_ACCESS_KEY && echo going to sleep... && sleep 10000"]
+          env:
+          - name: AWS_SECRET_ACCESS_KEY
+            value: vault:secret/data/accounts/aws#AWS_SECRET_ACCESS_KEY
+          resources:
+            limits:
+              memory: "128Mi"
+              cpu: "100m"
diff --git a/e2e/webhook_test.go b/e2e/webhook_test.go
@@ -136,6 +136,26 @@ func TestPodMutation(t *testing.T) {
 
 			return ctx
 		}).
+		Assess("security context defaults are correct", func(ctx context.Context, t *testing.T, cfg *envconf.Config) context.Context {
+			r := cfg.Client().Resources()
+
+			pods := &v1.PodList{}
+
+			err := r.List(ctx, pods, resources.WithLabelSelector("app.kubernetes.io/name=test-deployment"))
+			require.NoError(t, err)
+
+			if pods == nil || len(pods.Items) == 0 {
+				t.Fatal("no pods found")
+			}
+
+			securityContext := pods.Items[0].Spec.InitContainers[0].SecurityContext
+
+			assert.Nil(t, securityContext.RunAsNonRoot)
+			assert.Nil(t, securityContext.RunAsUser)
+			assert.Nil(t, securityContext.RunAsGroup)
+
+			return ctx
+		}).
 		Feature()
 
 	deploymentSeccontext := applyResource(features.New("deployment-seccontext"), "deployment-seccontext.yaml").
@@ -197,7 +217,48 @@ func TestPodMutation(t *testing.T) {
 		}).
 		Feature()
 
-	testenv.Test(t, deployment, deploymentSeccontext, deploymentTemplating)
+	deploymentInitSeccontext := applyResource(features.New("deployment-init-seccontext"), "deployment-init-seccontext.yaml").
+		Assess("available", func(ctx context.Context, t *testing.T, cfg *envconf.Config) context.Context {
+			deployment := &appsv1.Deployment{
+				ObjectMeta: metav1.ObjectMeta{Name: "test-deployment-init-seccontext", Namespace: cfg.Namespace()},
+			}
+
+			// wait for the deployment to become available
+			err := wait.For(conditions.New(cfg.Client().Resources()).DeploymentConditionMatch(deployment, appsv1.DeploymentAvailable, v1.ConditionTrue), wait.WithTimeout(2*time.Minute))
+			require.NoError(t, err)
+
+			return ctx
+		}).
+		Assess("security context is correct", func(ctx context.Context, t *testing.T, cfg *envconf.Config) context.Context {
+			r := cfg.Client().Resources()
+
+			pods := &v1.PodList{}
+
+			err := r.List(ctx, pods, resources.WithLabelSelector("app.kubernetes.io/name=test-deployment-init-seccontext"))
+			require.NoError(t, err)
+
+			if pods == nil || len(pods.Items) == 0 {
+				t.Fatal("no pods found")
+			}
+
+			// wait for the container to become available
+			err = wait.For(conditions.New(r).ContainersReady(&pods.Items[0]), wait.WithTimeout(2*time.Minute))
+			require.NoError(t, err)
+
+			securityContext := pods.Items[0].Spec.InitContainers[0].SecurityContext
+
+			require.NotNil(t, securityContext.RunAsNonRoot)
+			assert.Equal(t, true, *securityContext.RunAsNonRoot)
+			require.NotNil(t, securityContext.RunAsUser)
+			assert.Equal(t, int64(1000), *securityContext.RunAsUser)
+			require.NotNil(t, securityContext.RunAsGroup)
+			assert.Equal(t, int64(1000), *securityContext.RunAsGroup)
+
+			return ctx
+		}).
+		Feature()
+
+	testenv.Test(t, deployment, deploymentSeccontext, deploymentTemplating, deploymentInitSeccontext)
 }
 
 func applyResource(builder *features.FeatureBuilder, file string) *features.FeatureBuilder {

diff --git a/pkg/webhook/pod.go b/pkg/webhook/pod.go
@@ -845,8 +845,6 @@ func getAgentContainers(originalContainers []corev1.Container, podSecurityContex
 func getBaseSecurityContext(podSecurityContext *corev1.PodSecurityContext, vaultConfig VaultConfig) *corev1.SecurityContext {
 	context := &corev1.SecurityContext{
 		AllowPrivilegeEscalation: &vaultConfig.PspAllowPrivilegeEscalation,
-		RunAsNonRoot:             &vaultConfig.RunAsNonRoot,
-		RunAsUser:                &vaultConfig.RunAsUser,
 		ReadOnlyRootFilesystem:   &vaultConfig.ReadOnlyRootFilesystem,
 		Capabilities: &corev1.Capabilities{
 			Add: []corev1.Capability{
@@ -866,6 +864,12 @@ func getBaseSecurityContext(podSecurityContext *corev1.PodSecurityContext, vault
 		context.RunAsUser = podSecurityContext.RunAsUser
 	}
 
+	// Although it could explicitly be set to false,
+	// the behavior of false and unset are the same
+	if vaultConfig.RunAsNonRoot {
+		context.RunAsNonRoot = &vaultConfig.RunAsNonRoot
+	}
+
 	if vaultConfig.RunAsUser > 0 {
 		context.RunAsUser = &vaultConfig.RunAsUser
 	}