set securityContext for http-add-on chart (kedacore#561)

Co-authored-by: Tom Kerkhove <[email protected]> Signed-off-by: guicholeo <[email protected]>
guicholeo · Jan 16, 2024 · 4b1fc97 · 4b1fc97
1 parent 5233455
commit 4b1fc97
Show file tree

Hide file tree

Showing 6 changed files with 250 additions and 1 deletion.
diff --git a/http-add-on/README.md b/http-add-on/README.md
@@ -92,7 +92,9 @@ their default values.
 | `images.operator` | string | `"ghcr.io/kedacore/http-add-on-operator"` | Image name for the operator image component |
 | `images.scaler` | string | `"ghcr.io/kedacore/http-add-on-scaler"` | Image name for the scaler image component |
 | `images.tag` | string | `""` | Image tag for the http add on. This tag is applied to the images listed in `images.operator`, `images.interceptor`, and `images.scaler`. Optional, given app version of Helm chart is used by default |
+| `podSecurityContext` | object | [See below](#KEDA-is-secure-by-default) | [Pod security context] for all pods |
 | `rbac.aggregateToDefaultRoles` | bool | `false` | Install aggregate roles for edit and view |
+| `securityContext` | object | [See below](#KEDA-is-secure-by-default) | [Security context] for all containers |
 
 ### Operator
 
@@ -171,5 +173,71 @@ be provided while installing the chart. For example,
 helm install http-add-on kedacore/keda-add-ons-http --namespace keda -f values.yaml
 ```
 
+## KEDA is secure by default
+
+Our default configuration strives to be as secure as possible. Because of that, KEDA will run as non-root and be secure-by-default. You can define global securityContext for all components or switch to granular mode and define securityContext for operator, kuberbacproxy, scaler, and interceptor:
+```yaml
+securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+    - ALL
+  privileged: false
+  readOnlyRootFilesystem: true
+  # runAsUser: 1000
+  # runAsGroup: 1000
+  # operator:
+    # capabilities:
+    #   drop:
+    #   - ALL
+    # allowPrivilegeEscalation: false
+    # readOnlyRootFilesystem: true
+    # seccompProfile:
+    #   type: RuntimeDefault
+  # kuberbacproxy:
+    # capabilities:
+    #   drop:
+    #   - ALL
+    # allowPrivilegeEscalation: false
+    # readOnlyRootFilesystem: true
+    # seccompProfile:
+    #   type: RuntimeDefault
+  # scaler:
+    # capabilities:
+    #   drop:
+    #   - ALL
+    # allowPrivilegeEscalation: false
+    # readOnlyRootFilesystem: true
+    # seccompProfile:
+    #   type: RuntimeDefault
+  # interceptor:
+    # capabilities:
+    #  drop:
+    #  - ALL
+    # allowPrivilegeEscalation: false
+    # readOnlyRootFilesystem: true
+    # seccompProfile:
+    #   type: RuntimeDefault
+podSecurityContext:
+  fsGroup: 1000
+  supplementalGroups:
+  - 1000
+  # operator:
+    # runAsNonRoot: true
+    # runAsUser: 1000
+    # runAsGroup: 1000
+    # fsGroup: 1000
+  # scaler:
+    # runAsNonRoot: true
+    # runAsUser: 1000
+    # runAsGroup: 1000
+    # fsGroup: 1000
+  # interceptor:
+    # runAsNonRoot: true
+    # runAsUser: 1000
+    # runAsGroup: 1000
+    # fsGroup: 1000
+```
+
 ----------------------------------------------
 Autogenerated from chart metadata using [helm-docs](https://github.com/norwoodj/helm-docs)
diff --git a/http-add-on/README.md.gotmpl b/http-add-on/README.md.gotmpl
@@ -135,5 +135,71 @@ be provided while installing the chart. For example,
 helm install http-add-on kedacore/keda-add-ons-http --namespace keda -f values.yaml
 ```
 
+## KEDA is secure by default
+
+Our default configuration strives to be as secure as possible. Because of that, KEDA will run as non-root and be secure-by-default. You can define global securityContext for all components or switch to granular mode and define securityContext for operator, kuberbacproxy, scaler, and interceptor:
+```yaml
+securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+    - ALL
+  privileged: false
+  readOnlyRootFilesystem: true
+  # runAsUser: 1000
+  # runAsGroup: 1000
+  # operator:
+    # capabilities:
+    #   drop:
+    #   - ALL
+    # allowPrivilegeEscalation: false
+    # readOnlyRootFilesystem: true
+    # seccompProfile:
+    #   type: RuntimeDefault
+  # kuberbacproxy:
+    # capabilities:
+    #   drop:
+    #   - ALL
+    # allowPrivilegeEscalation: false
+    # readOnlyRootFilesystem: true
+    # seccompProfile:
+    #   type: RuntimeDefault
+  # scaler:
+    # capabilities:
+    #   drop:
+    #   - ALL
+    # allowPrivilegeEscalation: false
+    # readOnlyRootFilesystem: true
+    # seccompProfile:
+    #   type: RuntimeDefault
+  # interceptor:
+    # capabilities:
+    #  drop:
+    #  - ALL
+    # allowPrivilegeEscalation: false
+    # readOnlyRootFilesystem: true
+    # seccompProfile:
+    #   type: RuntimeDefault
+podSecurityContext:
+  fsGroup: 1000
+  supplementalGroups:
+  - 1000
+  # operator:
+    # runAsNonRoot: true
+    # runAsUser: 1000
+    # runAsGroup: 1000
+    # fsGroup: 1000
+  # scaler:
+    # runAsNonRoot: true
+    # runAsUser: 1000
+    # runAsGroup: 1000
+    # fsGroup: 1000
+  # interceptor:
+    # runAsNonRoot: true
+    # runAsUser: 1000
+    # runAsGroup: 1000
+    # fsGroup: 1000
+```
+
 ----------------------------------------------
 Autogenerated from chart metadata using [helm-docs](https://github.com/norwoodj/helm-docs)
diff --git a/http-add-on/templates/interceptor/deployment.yaml b/http-add-on/templates/interceptor/deployment.yaml
@@ -21,6 +21,13 @@ spec:
       imagePullSecrets: 
         {{- toYaml .Values.interceptor.imagePullSecrets | nindent 8 }}
       serviceAccountName: {{ .Chart.Name }}-interceptor
+      {{- if .Values.podSecurityContext.interceptor }}
+      securityContext:
+      {{- toYaml .Values.podSecurityContext.interceptor | nindent 8 }}
+      {{- else }}
+      securityContext:
+      {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      {{- end }}
       containers:
       - args:
         image: "{{ .Values.images.interceptor }}:{{ .Values.images.tag | default .Chart.AppVersion }}"
@@ -60,6 +67,13 @@ spec:
           name: inter-proxy
         resources:
           {{- toYaml .Values.interceptor.resources | nindent 10 }}
+        {{- if .Values.securityContext.interceptor }}
+        securityContext:
+        {{- toYaml .Values.securityContext.interceptor | nindent 10 }}
+        {{- else }}
+        securityContext:
+        {{- toYaml .Values.securityContext | nindent 10 }}
+        {{- end }}
       terminationGracePeriodSeconds: 10
       nodeSelector:
         kubernetes.io/os: linux

diff --git a/http-add-on/templates/operator/deployment.yaml b/http-add-on/templates/operator/deployment.yaml
@@ -21,21 +21,35 @@ spec:
       imagePullSecrets: 
         {{- toYaml .Values.operator.imagePullSecrets | nindent 8 }}
       serviceAccountName: {{ .Chart.Name }}
+      {{- if .Values.podSecurityContext.operator }}
+      securityContext:
+      {{- toYaml .Values.podSecurityContext.operator | nindent 8 }}
+      {{- else }}
+      securityContext:
+      {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      {{- end }}
       containers:
       - args:
         - --secure-listen-address=0.0.0.0:{{ .Values.operator.port | default 8443 }}
         - --upstream=http://127.0.0.1:8080/
         - --logtostderr=true
         - --v=10
         image: "{{ .Values.images.kubeRbacProxy.name }}:{{ .Values.images.kubeRbacProxy.tag }}"
+        name: kube-rbac-proxy
         resources:
             limits:
               cpu: 300m
               memory: 200Mi
             requests:
               cpu: 10m
               memory: 20Mi
-        name: kube-rbac-proxy
+        {{- if .Values.securityContext.kuberbacproxy }}
+        securityContext:
+        {{- toYaml .Values.securityContext.kuberbacproxy | nindent 10 }}
+        {{- else }}
+        securityContext:
+        {{- toYaml .Values.securityContext | nindent 10 }}
+        {{- end }}
       - args:
         - --metrics-bind-address=127.0.0.1:8080
         - --leader-elect
@@ -66,6 +80,13 @@ spec:
             port: probes
         resources:
           {{- toYaml .Values.operator.resources | nindent 10 }}
+        {{- if .Values.securityContext.operator }}
+        securityContext:
+        {{- toYaml .Values.securityContext.operator | nindent 10 }}
+        {{- else }}
+        securityContext:
+        {{- toYaml .Values.securityContext | nindent 10 }}
+        {{- end }}
       terminationGracePeriodSeconds: 10
       nodeSelector:
         kubernetes.io/os: linux

diff --git a/http-add-on/templates/scaler/deployment.yaml b/http-add-on/templates/scaler/deployment.yaml
@@ -21,6 +21,13 @@ spec:
       imagePullSecrets: 
         {{- toYaml .Values.scaler.imagePullSecrets | nindent 8 }}
       serviceAccountName: {{ .Chart.Name }}-external-scaler
+      {{- if .Values.podSecurityContext.scaler }}
+      securityContext:
+      {{- toYaml .Values.podSecurityContext.scaler | nindent 8 }}
+      {{- else }}
+      securityContext:
+      {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      {{- end }}
       containers:
       - args:
         image: "{{ .Values.images.scaler }}:{{ .Values.images.tag | default .Chart.AppVersion }}"
@@ -48,6 +55,13 @@ spec:
           value: "{{ .Values.scaler.streamInterval }}"
         resources:
           {{- toYaml .Values.scaler.resources | nindent 10 }}
+        {{- if .Values.securityContext.scaler }}
+        securityContext:
+        {{- toYaml .Values.securityContext.scaler | nindent 10 }}
+        {{- else }}
+        securityContext:
+        {{- toYaml .Values.securityContext | nindent 10 }}
+        {{- end }}
       terminationGracePeriodSeconds: 10
       nodeSelector:
         kubernetes.io/os: linux

diff --git a/http-add-on/values.yaml b/http-add-on/values.yaml
@@ -158,3 +158,69 @@ images:
 rbac:
   # -- Install aggregate roles for edit and view
   aggregateToDefaultRoles: false
+
+# -- [Security context] for all containers
+# @default -- [See below](#KEDA-is-secure-by-default)
+securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+    - ALL
+  privileged: false
+  readOnlyRootFilesystem: true
+  # runAsUser: 1000
+  # runAsGroup: 1000
+  # operator:
+    # capabilities:
+    #   drop:
+    #   - ALL
+    # allowPrivilegeEscalation: false
+    # readOnlyRootFilesystem: true
+    # seccompProfile:
+    #   type: RuntimeDefault
+  # kuberbacproxy:
+    # capabilities:
+    #   drop:
+    #   - ALL
+    # allowPrivilegeEscalation: false
+    # readOnlyRootFilesystem: true
+    # seccompProfile:
+    #   type: RuntimeDefault
+  # scaler:
+    # capabilities:
+    #   drop:
+    #   - ALL
+    # allowPrivilegeEscalation: false
+    # readOnlyRootFilesystem: true
+    # seccompProfile:
+    #   type: RuntimeDefault
+  # interceptor:
+    # capabilities:
+    #  drop:
+    #  - ALL
+    # allowPrivilegeEscalation: false
+    # readOnlyRootFilesystem: true
+    # seccompProfile:
+    #   type: RuntimeDefault
+
+# --  [Pod security context] for all pods
+# @default -- [See below](#KEDA-is-secure-by-default)
+podSecurityContext:
+  fsGroup: 1000
+  supplementalGroups:
+  - 1000
+  # operator:
+    # runAsNonRoot: true
+    # runAsUser: 1000
+    # runAsGroup: 1000
+    # fsGroup: 1000
+  # scaler:
+    # runAsNonRoot: true
+    # runAsUser: 1000
+    # runAsGroup: 1000
+    # fsGroup: 1000
+  # interceptor:
+    # runAsNonRoot: true
+    # runAsUser: 1000
+    # runAsGroup: 1000
+    # fsGroup: 1000