From 9681ee8398e0f3128b1393a12ac4be2b7fc89341 Mon Sep 17 00:00:00 2001 
From: nadeem Date: Fri, 23 Feb 2024 06:23:08 +0000 Subject: [PATCH] Updating GOVUK generic chart to be PSS restricted compliant. Adding seccomp defaults drop all capabilities within running containers Currently deploying application using the current chart will give the following warnings results: Warning: would violate PodSecurity "restricted:latest": unrestricted capabilities (containers "app", "nginx" must set securityContext.capabilities.drop=["ALL"]) deployment.apps/transition-pss created Warning: would violate PodSecurity "restricted:latest": unrestricted capabilities (container "worker" must set securityContext.capabilities.drop=["ALL"]) deployment.apps/transition-pss-worker created Warning: would violate PodSecurity "restricted:latest": unrestricted capabilities (containers "copy-assets-for-upload", "upload-assets" must set securityContext.capabilities.drop=["ALL"]), seccompProfile (pod or containers "copy-assets-for-upload", "upload-assets" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost") job.batch/transition-pss-upload-assets created Warning: would violate PodSecurity "restricted:latest": unrestricted capabilities (container "dbmigrate" must set securityContext.capabilities.drop=["ALL"]), seccompProfile (pod or container "dbmigrate" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost") After the applied changes the results are: deployment.apps/transition-pss created deployment.apps/transition-pss-worker created job.batch/transition-pss-upload-assets created job.batch/transition-pss-dbmigrate created Warnings are corrected. All apps will need to be tested to ensure that the changes do not cause any issues - I have tested one app which came up without errors, nevertheless this will need to be rolled out to Integration and staging to discover issues.
---
charts/generic-govuk-app/templates/assets-upload-job.yaml | 6 ++++++
charts/generic-govuk-app/templates/dbmigration-job.yaml | 4 ++++
charts/generic-govuk-app/templates/deployment.yaml | 6 ++++++
charts/generic-govuk-app/templates/worker-deployment.yaml | 4 ++++
4 files changed, 20 insertions(+)

diff --git a/charts/generic-govuk-app/templates/assets-upload-job.yaml b/charts/generic-govuk-app/templates/assets-upload-job.yaml
index e7907eac3ab..d9fd7e0b39e 100644
--- a/charts/generic-govuk-app/templates/assets-upload-job.yaml
+++ b/charts/generic-govuk-app/templates/assets-upload-job.yaml
@@ -21,6 +21,8 @@ spec:
 automountServiceAccountToken: false
 enableServiceLinks: false
 securityContext:
+ seccompProfile:
+ type: RuntimeDefault
 runAsNonRoot: {{ .Values.securityContext.runAsNonRoot }}
 runAsUser: {{ .Values.securityContext.runAsUser }}
 runAsGroup: {{ .Values.securityContext.runAsGroup }}
@@ -38,6 +40,8 @@ spec:
 securityContext:
 allowPrivilegeEscalation: false
 readOnlyRootFilesystem: true
+ capabilities:
+ drop: ["ALL"]
 containers:
 - name: upload-assets
 image: 172025368201.dkr.ecr.eu-west-1.amazonaws.com/github-cli:latest
@@ -55,6 +59,8 @@ spec:
 securityContext:
 allowPrivilegeEscalation: false
 readOnlyRootFilesystem: true
+ capabilities:
+ drop: ["ALL"]
 restartPolicy: Never
 volumes:
 - name: assets-to-upload
diff --git a/charts/generic-govuk-app/templates/dbmigration-job.yaml b/charts/generic-govuk-app/templates/dbmigration-job.yaml
index 97e6ef790a1..cbb0083ff5a 100644
--- a/charts/generic-govuk-app/templates/dbmigration-job.yaml
+++ b/charts/generic-govuk-app/templates/dbmigration-job.yaml
@@ -26,6 +26,8 @@ spec:
 automountServiceAccountToken: false
 enableServiceLinks: false
 securityContext:
+ seccompProfile:
+ type: RuntimeDefault
 fsGroup: {{ .Values.securityContext.runAsGroup }}
 runAsNonRoot: {{ .Values.securityContext.runAsNonRoot }}
 runAsUser: {{ .Values.securityContext.runAsUser }}
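Review bot: The new `seccompProfile:` / `type: RuntimeDefault` lines in the first hunk of assets-upload-job.yaml are the only fields under the pod-level securityContext that are hard-coded rather than read from `.Values.securityContext` like the `runAsNonRoot`, `runAsUser` and `runAsGroup` context lines beside them, and nothing records why; the same holds for the matching first hunks in dbmigration-job.yaml, deployment.yaml and worker-deployment.yaml. Hard-coding is the safer choice here, since the warnings quoted in the commit message require RuntimeDefault or Localhost for every container, so a one-line comment above the addition would stop a later contributor "fixing" it into a templated value: `# Hard-coded on purpose: PSS restricted requires RuntimeDefault or Localhost for every container`. Setting it at pod level also covers any init containers the templates declare, which is worth saying in the same comment. The enclosing pod spec begins and ends outside the hunk.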
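Review bot: The two-line `capabilities:` / `drop: ["ALL"]` snippet added under the first container's securityContext in the second hunk of assets-upload-job.yaml is hand-pasted again in the third hunk and in dbmigration-job.yaml, deployment.yaml (twice) and worker-deployment.yaml, so six copies can now drift independently the next time the restricted profile's requirements move. A Helm named template in the chart's `_helpers.tpl` holding the two keys (constructed example: `{{- define "generic-govuk-app.restrictedCapabilities" -}}` … `{{- end }}`), included at each site with `{{- include "generic-govuk-app.restrictedCapabilities" . | nindent <INDENT> }}`, would keep the hardening in one place and make any future `add:` exception reviewable at a single spot. The container spec these lines belong to begins and ends outside the hunk.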
@@ -65,6 +67,8 @@ spec:
 securityContext:
 allowPrivilegeEscalation: false
 readOnlyRootFilesystem: true
+ capabilities:
+ drop: ["ALL"]
 volumeMounts:
 - name: app-tmp
 mountPath: /tmp
diff --git a/charts/generic-govuk-app/templates/deployment.yaml b/charts/generic-govuk-app/templates/deployment.yaml
index 4fd88ae0e8d..3229fb36994 100644
--- a/charts/generic-govuk-app/templates/deployment.yaml
+++ b/charts/generic-govuk-app/templates/deployment.yaml
@@ -28,6 +28,8 @@ spec:
 automountServiceAccountToken: false
 enableServiceLinks: false
 securityContext:
+ seccompProfile:
+ type: RuntimeDefault
 fsGroup: {{ .Values.securityContext.runAsGroup }}
 runAsNonRoot: {{ .Values.securityContext.runAsNonRoot }}
 runAsUser: {{ .Values.securityContext.runAsUser }}
@@ -122,6 +124,8 @@ spec:
 securityContext:
 allowPrivilegeEscalation: {{ .Values.securityContext.allowPrivilegeEscalation }}
 readOnlyRootFilesystem: true
+ capabilities:
+ drop: ["ALL"]
 volumeMounts:
 - name: app-tmp
 mountPath: /tmp
@@ -157,6 +161,8 @@ spec:
 securityContext:
 allowPrivilegeEscalation: false
 readOnlyRootFilesystem: true
+ capabilities:
+ drop: ["ALL"]
 volumeMounts:
 - name: {{ .Values.nginxConfigMap.name | default (printf "%s-nginx-conf" $fullName) }}
 mountPath: /etc/nginx/nginx.conf
diff --git a/charts/generic-govuk-app/templates/worker-deployment.yaml b/charts/generic-govuk-app/templates/worker-deployment.yaml
index c0976d24870..ab5d18d394e 100644
--- a/charts/generic-govuk-app/templates/worker-deployment.yaml
+++ b/charts/generic-govuk-app/templates/worker-deployment.yaml
@@ -26,6 +26,8 @@ spec:
 automountServiceAccountToken: false
 enableServiceLinks: false
 securityContext:
+ seccompProfile:
+ type: RuntimeDefault
 fsGroup: {{ .Values.securityContext.runAsGroup }}
 runAsNonRoot: {{ .Values.securityContext.runAsNonRoot }}
 runAsUser: {{ .Values.securityContext.runAsUser }}
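Review bot: In the `@@ -122,6 +124,8 @@` hunk of deployment.yaml, `drop: ["ALL"]` is added under a securityContext whose `allowPrivilegeEscalation` is still read from `.Values.securityContext.allowPrivilegeEscalation` (the context line above the addition), so the restricted-profile compliance the commit message reports holds only for values files that set it to false; the restricted profile rejects any other value, and the same dependency exists for `runAsNonRoot` in the pod-level hunks and for the worker container hunk in worker-deployment.yaml, which reads `$.Values.securityContext.allowPrivilegeEscalation`. Either hard-code `allowPrivilegeEscalation: false` here, as the nginx container and both job templates already do, or document next to that value in the chart's values file that it must stay false for pods to be admitted under PSS restricted. The container spec continues outside the hunk.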
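Review bot: In the `@@ -157,6 +161,8 @@` hunk of deployment.yaml, dropping all capabilities from what appears to be the nginx container (it mounts `/etc/nginx/nginx.conf` on the next context line) also removes NET_BIND_SERVICE, so if that config binds a port below 1024 while the pod runs as the non-root user set at pod level, the listener will fail to bind; the listen port is not visible in this hunk, so this needs confirming against the mounted config map. The restricted profile permits adding back exactly that one capability, so if it is needed the addition can become `capabilities:` / `drop: ["ALL"]` / `add: ["NET_BIND_SERVICE"]` without losing compliance; if it is not needed, a comment such as `# nginx listens on an unprivileged port, so no capability is added back` would save the next reader the same check. The container spec continues outside the hunk.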
@@ -80,6 +82,8 @@ spec:
 securityContext:
 allowPrivilegeEscalation: {{ $.Values.securityContext.allowPrivilegeEscalation }}
 readOnlyRootFilesystem: true
+ capabilities:
+ drop: ["ALL"]
 volumeMounts:
 - name: app-tmp
 mountPath: /tmp