From 4b1fc97fd6d816ace86f4df10065d55ec118f7d8 Mon Sep 17 00:00:00 2001
From: Frank Kloeker
Date: Sun, 3 Dec 2023 23:15:46 +0100
Subject: [PATCH] set securityContext for http-add-on chart (#561)
Co-authored-by: Tom Kerkhove
Signed-off-by: guicholeo
---
 http-add-on/README.md | 68 +++++++++++++++++++
 http-add-on/README.md.gotmpl | 66 ++++++++++++++++++
 .../templates/interceptor/deployment.yaml | 14 ++++
 .../templates/operator/deployment.yaml | 23 ++++-
 http-add-on/templates/scaler/deployment.yaml | 14 ++++
 http-add-on/values.yaml | 66 ++++++++++++++++++
 6 files changed, 250 insertions(+), 1 deletion(-)
diff --git a/http-add-on/README.md b/http-add-on/README.md
index 0c529aa3..83835430 100644
--- a/http-add-on/README.md
+++ b/http-add-on/README.md
@@ -92,7 +92,9 @@ their default values.
 | `images.operator` | string | `"ghcr.io/kedacore/http-add-on-operator"` | Image name for the operator image component |
 | `images.scaler` | string | `"ghcr.io/kedacore/http-add-on-scaler"` | Image name for the scaler image component |
 | `images.tag` | string | `""` | Image tag for the http add on. This tag is applied to the images listed in `images.operator`, `images.interceptor`, and `images.scaler`. Optional, given app version of Helm chart is used by default |
+| `podSecurityContext` | object | [See below](#KEDA-is-secure-by-default) | [Pod security context] for all pods |
 | `rbac.aggregateToDefaultRoles` | bool | `false` | Install aggregate roles for edit and view |
+| `securityContext` | object | [See below](#KEDA-is-secure-by-default) | [Security context] for all containers |
 ### Operator 
@@ -171,5 +173,71 @@ be provided while installing the chart. For example,
 helm install http-add-on kedacore/keda-add-ons-http --namespace keda -f values.yaml
 ```
+## KEDA is secure by default
+
+Our default configuration strives to be as secure as possible. Because of that, KEDA will run as non-root and be secure-by-default. You can define global securityContext for all components or switch to granular mode and define securityContext for operator, kuberbacproxy, scaler, and interceptor:
+```yaml
+securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: true
+ # runAsUser: 1000
+ # runAsGroup: 1000
+ # operator:
+ # capabilities:
+ # drop:
+ # - ALL
+ # allowPrivilegeEscalation: false
+ # readOnlyRootFilesystem: true
+ # seccompProfile:
+ # type: RuntimeDefault
+ # kuberbacproxy:
+ # capabilities:
+ # drop:
+ # - ALL
+ # allowPrivilegeEscalation: false
+ # readOnlyRootFilesystem: true
+ # seccompProfile:
+ # type: RuntimeDefault
+ # scaler:
+ # capabilities:
+ # drop:
+ # - ALL
+ # allowPrivilegeEscalation: false
+ # readOnlyRootFilesystem: true
+ # seccompProfile:
+ # type: RuntimeDefault
+ # interceptor:
+ # capabilities:
+ # drop:
+ # - ALL
+ # allowPrivilegeEscalation: false
+ # readOnlyRootFilesystem: true
+ # seccompProfile:
+ # type: RuntimeDefault
+podSecurityContext:
+ fsGroup: 1000
+ supplementalGroups:
+ - 1000
+ # operator:
+ # runAsNonRoot: true
+ # runAsUser: 1000
+ # runAsGroup: 1000
+ # fsGroup: 1000
+ # scaler:
+ # runAsNonRoot: true
+ # runAsUser: 1000
+ # runAsGroup: 1000
+ # fsGroup: 1000
+ # interceptor:
+ # runAsNonRoot: true
+ # runAsUser: 1000
+ # runAsGroup: 1000
+ # fsGroup: 1000
+```
+
 ----------------------------------------------
 Autogenerated from chart metadata using [helm-docs](https://github.com/norwoodj/helm-docs)
diff --git a/http-add-on/README.md.gotmpl b/http-add-on/README.md.gotmpl
index a2acc973..eae5d371 100644
--- a/http-add-on/README.md.gotmpl
+++ b/http-add-on/README.md.gotmpl
@@ -135,5 +135,71 @@ be provided while installing the chart. For example,
 helm install http-add-on kedacore/keda-add-ons-http --namespace keda -f values.yaml
 ```
+## KEDA is secure by default
+
+Our default configuration strives to be as secure as possible. Because of that, KEDA will run as non-root and be secure-by-default. You can define global securityContext for all components or switch to granular mode and define securityContext for operator, kuberbacproxy, scaler, and interceptor:
+```yaml
+securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: true
+ # runAsUser: 1000
+ # runAsGroup: 1000
+ # operator:
+ # capabilities:
+ # drop:
+ # - ALL
+ # allowPrivilegeEscalation: false
+ # readOnlyRootFilesystem: true
+ # seccompProfile:
+ # type: RuntimeDefault
+ # kuberbacproxy:
+ # capabilities:
+ # drop:
+ # - ALL
+ # allowPrivilegeEscalation: false
+ # readOnlyRootFilesystem: true
+ # seccompProfile:
+ # type: RuntimeDefault
+ # scaler:
+ # capabilities:
+ # drop:
+ # - ALL
+ # allowPrivilegeEscalation: false
+ # readOnlyRootFilesystem: true
+ # seccompProfile:
+ # type: RuntimeDefault
+ # interceptor:
+ # capabilities:
+ # drop:
+ # - ALL
+ # allowPrivilegeEscalation: false
+ # readOnlyRootFilesystem: true
+ # seccompProfile:
+ # type: RuntimeDefault
+podSecurityContext:
+ fsGroup: 1000
+ supplementalGroups:
+ - 1000
+ # operator:
+ # runAsNonRoot: true
+ # runAsUser: 1000
+ # runAsGroup: 1000
+ # fsGroup: 1000
+ # scaler:
+ # runAsNonRoot: true
+ # runAsUser: 1000
+ # runAsGroup: 1000
+ # fsGroup: 1000
+ # interceptor:
+ # runAsNonRoot: true
+ # runAsUser: 1000
+ # runAsGroup: 1000
+ # fsGroup: 1000
+```
+
 ----------------------------------------------
 Autogenerated from chart metadata using [helm-docs](https://github.com/norwoodj/helm-docs)
diff --git a/http-add-on/templates/interceptor/deployment.yaml b/http-add-on/templates/interceptor/deployment.yaml
index c1a52311..20cd98b0 100644
--- a/http-add-on/templates/interceptor/deployment.yaml
+++ b/http-add-on/templates/interceptor/deployment.yaml
@@ -21,6 +21,13 @@ spec:
 imagePullSecrets:
 {{- toYaml .Values.interceptor.imagePullSecrets | nindent 8 }}
 serviceAccountName: {{ .Chart.Name }}-interceptor
+ {{- if .Values.podSecurityContext.interceptor }}
+ securityContext:
+ {{- toYaml .Values.podSecurityContext.interceptor | nindent 8 }}
+ {{- else }}
+ securityContext:
+ {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ {{- end }}
 containers:
 - args:
 image: "{{ .Values.images.interceptor }}:{{ .Values.images.tag | default .Chart.AppVersion }}"
@@ -60,6 +67,13 @@ spec:
 name: inter-proxy
 resources:
 {{- toYaml .Values.interceptor.resources | nindent 10 }}
+ {{- if .Values.securityContext.interceptor }}
+ securityContext:
+ {{- toYaml .Values.securityContext.interceptor | nindent 10 }}
+ {{- else }}
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 10 }}
+ {{- end }}
 terminationGracePeriodSeconds: 10
 nodeSelector:
 kubernetes.io/os: linux
diff --git a/http-add-on/templates/operator/deployment.yaml b/http-add-on/templates/operator/deployment.yaml
index 9a374592..61b76b33 100644
--- a/http-add-on/templates/operator/deployment.yaml
+++ b/http-add-on/templates/operator/deployment.yaml
@@ -21,6 +21,13 @@ spec:
 imagePullSecrets:
 {{- toYaml .Values.operator.imagePullSecrets | nindent 8 }}
 serviceAccountName: {{ .Chart.Name }}
+ {{- if .Values.podSecurityContext.operator }}
+ securityContext:
+ {{- toYaml .Values.podSecurityContext.operator | nindent 8 }}
+ {{- else }}
+ securityContext:
+ {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ {{- end }}
 containers:
 - args:
 - --secure-listen-address=0.0.0.0:{{ .Values.operator.port | default 8443 }}
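Review bot: The `else` branch in both interceptor hunks renders the entire `.Values.securityContext` / `.Values.podSecurityContext` map, so as soon as a user uncomments the granular keys for one component (say `securityContext.operator`), every other container still on the fallback receives the global block with an `operator:` sub-map embedded in it, which is not a valid SecurityContext field; the operator and scaler deployments in this commit have the same fallback. Strip the per-component keys before rendering, e.g. `{{- toYaml (omit .Values.securityContext "operator" "kuberbacproxy" "scaler" "interceptor") | nindent 10 }}` for containers and `{{- toYaml (omit .Values.podSecurityContext "operator" "scaler" "interceptor") | nindent 8 }}` for pods. A related edge case worth a check: `.Values.podSecurityContext.interceptor` appears to fail template rendering with a nil-pointer error if a user sets `podSecurityContext: null` to opt out, which `(default (dict) .Values.podSecurityContext).interceptor` would avoid. The enclosing pod spec starts and ends outside these hunks.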
@@ -28,6 +35,7 @@ spec:
 - --logtostderr=true
 - --v=10
 image: "{{ .Values.images.kubeRbacProxy.name }}:{{ .Values.images.kubeRbacProxy.tag }}"
+ name: kube-rbac-proxy
 resources:
 limits:
 cpu: 300m
@@ -35,7 +43,13 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
- name: kube-rbac-proxy
+ {{- if .Values.securityContext.kuberbacproxy }}
+ securityContext:
+ {{- toYaml .Values.securityContext.kuberbacproxy | nindent 10 }}
+ {{- else }}
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 10 }}
+ {{- end }}
 - args:
 - --metrics-bind-address=127.0.0.1:8080
 - --leader-elect
@@ -66,6 +80,13 @@ spec:
 port: probes
 resources:
 {{- toYaml .Values.operator.resources | nindent 10 }}
+ {{- if .Values.securityContext.operator }}
+ securityContext:
+ {{- toYaml .Values.securityContext.operator | nindent 10 }}
+ {{- else }}
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 10 }}
+ {{- end }}
 terminationGracePeriodSeconds: 10
 nodeSelector:
 kubernetes.io/os: linux
diff --git a/http-add-on/templates/scaler/deployment.yaml b/http-add-on/templates/scaler/deployment.yaml
index 45289e80..7414990e 100644
--- a/http-add-on/templates/scaler/deployment.yaml
+++ b/http-add-on/templates/scaler/deployment.yaml
@@ -21,6 +21,13 @@ spec:
 imagePullSecrets:
 {{- toYaml .Values.scaler.imagePullSecrets | nindent 8 }}
 serviceAccountName: {{ .Chart.Name }}-external-scaler
+ {{- if .Values.podSecurityContext.scaler }}
+ securityContext:
+ {{- toYaml .Values.podSecurityContext.scaler | nindent 8 }}
+ {{- else }}
+ securityContext:
+ {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ {{- end }}
 containers:
 - args:
 image: "{{ .Values.images.scaler }}:{{ .Values.images.tag | default .Chart.AppVersion }}"
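Review bot: The new per-container key is spelled `securityContext.kuberbacproxy` in the second operator hunk, while the same container's image is configured as `images.kubeRbacProxy` a few lines above it, so a user now has to remember two spellings for one component. Naming it `securityContext.kubeRbacProxy` (and matching that in values.yaml and the README example) keeps the chart's value keys consistent; this is a style point only, since the template itself behaves the same either way. The container list these hunks sit in begins and ends outside the hunks.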
@@ -48,6 +55,13 @@ spec:
 value: "{{ .Values.scaler.streamInterval }}"
 resources:
 {{- toYaml .Values.scaler.resources | nindent 10 }}
+ {{- if .Values.securityContext.scaler }}
+ securityContext:
+ {{- toYaml .Values.securityContext.scaler | nindent 10 }}
+ {{- else }}
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 10 }}
+ {{- end }}
 terminationGracePeriodSeconds: 10
 nodeSelector:
 kubernetes.io/os: linux
diff --git a/http-add-on/values.yaml b/http-add-on/values.yaml
index d5619daa..adb45bc7 100644
--- a/http-add-on/values.yaml
+++ b/http-add-on/values.yaml
@@ -158,3 +158,69 @@ images:
 rbac:
 # -- Install aggregate roles for edit and view
 aggregateToDefaultRoles: false
+
+# -- [Security context] for all containers
+# @default -- [See below](#KEDA-is-secure-by-default)
+securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: true
+ # runAsUser: 1000
+ # runAsGroup: 1000
+ # operator:
+ # capabilities:
+ # drop:
+ # - ALL
+ # allowPrivilegeEscalation: false
+ # readOnlyRootFilesystem: true
+ # seccompProfile:
+ # type: RuntimeDefault
+ # kuberbacproxy:
+ # capabilities:
+ # drop:
+ # - ALL
+ # allowPrivilegeEscalation: false
+ # readOnlyRootFilesystem: true
+ # seccompProfile:
+ # type: RuntimeDefault
+ # scaler:
+ # capabilities:
+ # drop:
+ # - ALL
+ # allowPrivilegeEscalation: false
+ # readOnlyRootFilesystem: true
+ # seccompProfile:
+ # type: RuntimeDefault
+ # interceptor:
+ # capabilities:
+ # drop:
+ # - ALL
+ # allowPrivilegeEscalation: false
+ # readOnlyRootFilesystem: true
+ # seccompProfile:
+ # type: RuntimeDefault
+
+# -- [Pod security context] for all pods
+# @default -- [See below](#KEDA-is-secure-by-default)
+podSecurityContext:
+ fsGroup: 1000
+ supplementalGroups:
+ - 1000
+ # operator:
+ # runAsNonRoot: true
+ # runAsUser: 1000
+ # runAsGroup: 1000
+ # fsGroup: 1000
+ # scaler:
+ # runAsNonRoot: true
+ # runAsUser: 1000
+ # runAsGroup: 1000
+ # fsGroup: 1000
+ # interceptor:
+ # runAsNonRoot: true
+ # runAsUser: 1000
+ # runAsGroup: 1000
+ # fsGroup: 1000
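Review bot: The shipped defaults do not actually pin the containers to a non-root user: `runAsNonRoot: true` appears only in the commented-out per-component examples under `podSecurityContext`, and `runAsUser` is commented out under `securityContext`, so whether the pods run as non-root depends entirely on the `USER` baked into the images, which this diff does not show. The global `securityContext` also omits `seccompProfile`, even though every commented granular example sets it, so the defaults would not satisfy the `restricted` Pod Security Standard on their own. Adding `runAsNonRoot: true` to the `podSecurityContext` default and `seccompProfile:` / `  type: RuntimeDefault` to the global `securityContext` closes both gaps, provided the images do run as a non-root user. Since the commented per-component keys live in the same map as the global fields and the templates pass the whole map through, a short comment here stating that a granular block replaces the global one for that component (rather than merging with it) would spare users a surprise.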