Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Drop capabilities, enable seccomp and enforce runAsNonRoot #295

Merged
merged 1 commit into from
Jan 20, 2022
Merged

Drop capabilities, enable seccomp and enforce runAsNonRoot #295

merged 1 commit into from
Jan 20, 2022

Conversation

aryan9600
Copy link
Member

Further restricts the SecurityContext that the controller runs under, by enabling the default seccomp profile and dropping all linux capabilities.
This was set at container-level to ensure backwards compatibility with use cases in which sidecars are injected into the source-controller pod
without setting less restrictive settings.
Add a uid and gid for the container to enforce runAsNonRoot and ensure
the use of non root users.

Ref: fluxcd/flux2#2014

BREAKING CHANGES:

  1. The use of new seccomp API requires Kubernetes 1.19.
  2. the controller container is now executed under 65534:65534 (userid:groupid).
    This change may break deployments that hard-coded the user name 'controller' in their PodSecurityPolicy.

Signed-off-by: Sanskar Jaiswal sanskar.jaiswal@weave.works
Co-authored-by: Paulo Gomes paulo.gomes@weave.works

@aryan9600
drop capabilities, enable seccomp and enforce runAsNonRoot
888b39a 
Further restricts the SecurityContext that the controller runs under, by enabling the default seccomp profile and dropping all linux capabilities.
This was set at container-level to ensure backwards compatibility with use cases in which sidecars are injected into the source-controller pod
without setting less restrictive settings.
Add a uid and gid for the container to enforce runAsNonRoot and ensure
the use of non root users.

BREAKING CHANGES:
1) The use of new seccomp API requires Kubernetes 1.19.
2) the controller container is now executed under 65534:65534 (userid:groupid).
   This change may break deployments that hard-coded the user name 'controller' in their PodSecurityPolicy.

Signed-off-by: Sanskar Jaiswal <sanskar.jaiswal@weave.works>
Co-authored-by: Paulo Gomes <paulo.gomes@weave.works>
@aryan9600
Copy link
Member Author

aryan9600 commented Jan 20, 2022
edited
Loading

This was tested on Kubernetes 1.23.1 with restrict "pod security" (below) and it worked as expected.

apiVersion: v1
kind: Namespace
metadata:
  name: image-automation-system
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/warn-version: latest

@stefanprodan stefanprodan added the area/ci CI related issues and pull requests label Jan 20, 2022
@stefanprodan stefanprodan merged commit aa7a24e into fluxcd:main Jan 20, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@stefanprodan stefanprodan stefanprodan approved these changes

Assignees
No one assigned
Labels
area/ci CI related issues and pull requests
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@aryan9600 @stefanprodan