From 21c57828a01b3736712621a196933c55d48a401a Mon Sep 17 00:00:00 2001
From: Frank Kloeker
Date: Mon, 6 Nov 2023 16:53:33 +0100
Subject: [PATCH 1/7] set securityContext for http-add-on chart
Signed-off-by: Frank Kloeker
---
 http-add-on/Chart.yaml | 2 +-
 .../templates/interceptor/deployment.yaml | 14 +++
 .../templates/operator/deployment.yaml | 23 ++++-
 http-add-on/templates/scaler/deployment.yaml | 14 +++
 http-add-on/values.yaml | 87 +++++++++++++++++++
 5 files changed, 138 insertions(+), 2 deletions(-)
diff --git a/http-add-on/Chart.yaml b/http-add-on/Chart.yaml
index 8315e946..6dae5515 100644
--- a/http-add-on/Chart.yaml
+++ b/http-add-on/Chart.yaml
@@ -11,7 +11,7 @@ kubeVersion: ">=v1.23.0-0"
 # to the chart and its templates, including the app version. This is incremented at chart release time and does not need
 # to be included in any PRs to main.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.6.0
+version: 0.7.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
diff --git a/http-add-on/templates/interceptor/deployment.yaml b/http-add-on/templates/interceptor/deployment.yaml
index c1a52311..20cd98b0 100644
--- a/http-add-on/templates/interceptor/deployment.yaml
+++ b/http-add-on/templates/interceptor/deployment.yaml
@@ -21,6 +21,13 @@ spec:
 imagePullSecrets:
 {{- toYaml .Values.interceptor.imagePullSecrets | nindent 8 }}
 serviceAccountName: {{ .Chart.Name }}-interceptor
+ {{- if .Values.podSecurityContext.interceptor }}
+ securityContext:
+ {{- toYaml .Values.podSecurityContext.interceptor | nindent 8 }}
+ {{- else }}
+ securityContext:
+ {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ {{- end }}
 containers:
 - args:
 image: "{{ .Values.images.interceptor }}:{{ .Values.images.tag | default .Chart.AppVersion }}"
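Review bot: The `{{- else }}` branch renders the whole `podSecurityContext` map, but the values file added in this same patch keeps the per-component overrides (`operator`, `scaler`, `interceptor`) inside that map, so as soon as a user uncomments one override every pod that falls through to the else branch receives a key that is not a PodSecurityContext field; depending on the server's field validation it is rejected or silently pruned. Rendering `{{- toYaml (omit .Values.podSecurityContext "operator" "scaler" "interceptor") | nindent 8 }}` in the else branch keeps the global map clean, and the container-level fallbacks need the same treatment, `{{- toYaml (omit .Values.securityContext "operator" "kuberbacproxy" "scaler" "interceptor") | nindent 10 }}`. The same pattern appears in the second interceptor hunk and in every operator and scaler hunk that adds a securityContext, so one helper template would also remove the duplicated if/else. The surrounding pod spec starts before this hunk.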
@@ -60,6 +67,13 @@ spec:
 name: inter-proxy
 resources:
 {{- toYaml .Values.interceptor.resources | nindent 10 }}
+ {{- if .Values.securityContext.interceptor }}
+ securityContext:
+ {{- toYaml .Values.securityContext.interceptor | nindent 10 }}
+ {{- else }}
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 10 }}
+ {{- end }}
 terminationGracePeriodSeconds: 10
 nodeSelector:
 kubernetes.io/os: linux
diff --git a/http-add-on/templates/operator/deployment.yaml b/http-add-on/templates/operator/deployment.yaml
index 9a374592..61b76b33 100644
--- a/http-add-on/templates/operator/deployment.yaml
+++ b/http-add-on/templates/operator/deployment.yaml
@@ -21,6 +21,13 @@ spec:
 imagePullSecrets:
 {{- toYaml .Values.operator.imagePullSecrets | nindent 8 }}
 serviceAccountName: {{ .Chart.Name }}
+ {{- if .Values.podSecurityContext.operator }}
+ securityContext:
+ {{- toYaml .Values.podSecurityContext.operator | nindent 8 }}
+ {{- else }}
+ securityContext:
+ {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ {{- end }}
 containers:
 - args:
 - --secure-listen-address=0.0.0.0:{{ .Values.operator.port | default 8443 }}
@@ -28,6 +35,7 @@ spec:
 - --logtostderr=true
 - --v=10
 image: "{{ .Values.images.kubeRbacProxy.name }}:{{ .Values.images.kubeRbacProxy.tag }}"
+ name: kube-rbac-proxy
 resources:
 limits:
 cpu: 300m
@@ -35,7 +43,13 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
- name: kube-rbac-proxy
+ {{- if .Values.securityContext.kuberbacproxy }}
+ securityContext:
+ {{- toYaml .Values.securityContext.kuberbacproxy | nindent 10 }}
+ {{- else }}
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 10 }}
+ {{- end }}
 - args:
 - --metrics-bind-address=127.0.0.1:8080
 - --leader-elect
@@ -66,6 +80,13 @@ spec:
 port: probes
 resources:
 {{- toYaml .Values.operator.resources | nindent 10 }}
+ {{- if .Values.securityContext.operator }}
+ securityContext:
+ {{- toYaml .Values.securityContext.operator | nindent 10 }}
+ {{- else }}
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 10 }}
+ {{- end }}
 terminationGracePeriodSeconds: 10
 nodeSelector:
 kubernetes.io/os: linux
diff --git a/http-add-on/templates/scaler/deployment.yaml b/http-add-on/templates/scaler/deployment.yaml
index 45289e80..7414990e 100644
--- a/http-add-on/templates/scaler/deployment.yaml
+++ b/http-add-on/templates/scaler/deployment.yaml
@@ -21,6 +21,13 @@ spec:
 imagePullSecrets:
 {{- toYaml .Values.scaler.imagePullSecrets | nindent 8 }}
 serviceAccountName: {{ .Chart.Name }}-external-scaler
+ {{- if .Values.podSecurityContext.scaler }}
+ securityContext:
+ {{- toYaml .Values.podSecurityContext.scaler | nindent 8 }}
+ {{- else }}
+ securityContext:
+ {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ {{- end }}
 containers:
 - args:
 image: "{{ .Values.images.scaler }}:{{ .Values.images.tag | default .Chart.AppVersion }}"
@@ -48,6 +55,13 @@ spec:
 value: "{{ .Values.scaler.streamInterval }}"
 resources:
 {{- toYaml .Values.scaler.resources | nindent 10 }}
+ {{- if .Values.securityContext.scaler }}
+ securityContext:
+ {{- toYaml .Values.securityContext.scaler | nindent 10 }}
+ {{- else }}
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 10 }}
+ {{- end }}
 terminationGracePeriodSeconds: 10
 nodeSelector:
 kubernetes.io/os: linux
diff --git a/http-add-on/values.yaml b/http-add-on/values.yaml
index d5619daa..0480d283 100644
--- a/http-add-on/values.yaml
+++ b/http-add-on/values.yaml
@@ -158,3 +158,90 @@ images:
 rbac:
 # -- Install aggregate roles for edit and view
 aggregateToDefaultRoles: false
+
+# -- [Security context] for all containers
+# @default -- [See below](#KEDA-is-secure-by-default)
+securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsUser: 1000
+ runAsGroup: 1000
+
+podSecurityContext:
+ fsGroup: 1000
+ supplementalGroups:
+ - 1000
+ # -- [Security context] of the operator container
+ # @default -- [See below](#KEDA-is-secure-by-default)
+ # operator:
+ # capabilities:
+ # drop:
+ # - ALL
+ # allowPrivilegeEscalation: false
+ # readOnlyRootFilesystem: true
+ # seccompProfile:
+ # type: RuntimeDefault
+ # -- [Security context] of the kuberbacproxy container
+ # @default -- [See below](#KEDA-is-secure-by-default)
+ # kuberbacproxy:
+ # capabilities:
+ # drop:
+ # - ALL
+ # allowPrivilegeEscalation: false
+ # readOnlyRootFilesystem: true
+ # seccompProfile:
+ # type: RuntimeDefault
+ # -- [Security context] of the scaler container
+ # @default -- [See below](#KEDA-is-secure-by-default)
+ # scaler:
+ # capabilities:
+ # drop:
+ # - ALL
+ # allowPrivilegeEscalation: false
+ # readOnlyRootFilesystem: true
+ # seccompProfile:
+ # type: RuntimeDefault
+ # -- [Security context] of the interceptor container
+ # @default -- [See below](#KEDA-is-secure-by-default)
+ # interceptor:
+ # capabilities:
+ # drop:
+ # - ALL
+ # allowPrivilegeEscalation: false
+ # readOnlyRootFilesystem: true
+ # seccompProfile:
+ # type: RuntimeDefault
+
+# -- [Pod security context] for all pods
+# @default -- [See below](#KEDA-is-secure-by-default)
+podSecurityContext:
+ fsGroup: 1000
+ supplementalGroups:
+ - 1000
+ # -- [Pod security context] of the KEDA operator pod
+ # @default -- [See below](#KEDA-is-secure-by-default)
+ # operator:
+ # runAsNonRoot: true
+ # runAsUser: 1000
+ # runAsGroup: 1000
+ # fsGroup: 1000
+
+ # -- [Pod security context] of the KEDA scaler pod
+ #
@default -- [See below](#KEDA-is-secure-by-default)
+ # scaler:
+ # runAsNonRoot: true
+ # runAsUser: 1000
+ # runAsGroup: 1000
+ # fsGroup: 1000
+
+ # -- [Pod security context] of the KEDA interceptor pod
+ # @default -- [See below](#KEDA-is-secure-by-default)
+ # interceptor:
+ # runAsNonRoot: true
+ # runAsUser: 1000
+ # runAsGroup: 1000
+ # fsGroup: 1000
From c45fc737ff344480cbf93e2321e49e6096c58fae Mon Sep 17 00:00:00 2001
From: Frank Kloeker
Date: Tue, 7 Nov 2023 19:06:47 +0100
Subject: [PATCH 2/7] revert version
Signed-off-by: Frank Kloeker
---
 http-add-on/Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/http-add-on/Chart.yaml b/http-add-on/Chart.yaml
index 6dae5515..8315e946 100644
--- a/http-add-on/Chart.yaml
+++ b/http-add-on/Chart.yaml
@@ -11,7 +11,7 @@ kubeVersion: ">=v1.23.0-0"
 # to the chart and its templates, including the app version. This is incremented at chart release time and does not need
 # to be included in any PRs to main.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.7.0
+version: 0.6.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
From d3a0bfdeb97d81711a31073cdae0a844fce85491 Mon Sep 17 00:00:00 2001
From: Frank Kloeker
Date: Tue, 7 Nov 2023 19:45:03 +0100
Subject: [PATCH 3/7] add keda is default
Signed-off-by: Frank Kloeker
---
 http-add-on/README.md | 55 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 55 insertions(+)
diff --git a/http-add-on/README.md b/http-add-on/README.md
index 0c529aa3..833696d5 100644
--- a/http-add-on/README.md
+++ b/http-add-on/README.md
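Review bot: The active global `securityContext` added in this hunk leaves out `seccompProfile` and `runAsNonRoot`, although every commented per-component example below it sets `seccompProfile` with `type: RuntimeDefault`; for a default that the README in this series describes as secure, both belong in the uncommented block, i.e. `runAsNonRoot: true` and `seccompProfile:` / `  type: RuntimeDefault` under `securityContext:`. Without `runAsNonRoot` only the fixed `runAsUser: 1000` keeps a container off UID 0, and without a seccomp profile the pods do not meet the restricted Pod Security Standard, so clusters enforcing it will reject the chart's defaults. The hunk also declares the top-level `podSecurityContext:` key twice, once holding the container-level examples and once as the documented pod section; as far as I know Helm's YAML loader rejects duplicate mapping keys, and even a lenient parser would keep only the last copy, so the first one has to go, as a later patch in this series does.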
@@ -92,7 +92,9 @@ their default values.
 | `images.operator` | string | `"ghcr.io/kedacore/http-add-on-operator"` | Image name for the operator image component |
 | `images.scaler` | string | `"ghcr.io/kedacore/http-add-on-scaler"` | Image name for the scaler image component |
 | `images.tag` | string | `""` | Image tag for the http add on. This tag is applied to the images listed in `images.operator`, `images.interceptor`, and `images.scaler`. Optional, given app version of Helm chart is used by default |
+| `podSecurityContext` | object | [See below](#KEDA-is-secure-by-default) | [Pod security context] for all pods |
 | `rbac.aggregateToDefaultRoles` | bool | `false` | Install aggregate roles for edit and view |
+| `securityContext` | object | [See below](#KEDA-is-secure-by-default) | [Security context] for all containers |
 
 ### Operator
 
@@ -171,5 +173,58 @@ be provided while installing the chart. For example,
 helm install http-add-on kedacore/keda-add-ons-http --namespace keda -f values.yaml
 ```
+## KEDA is secure by default
+
+Our default configuration strives to be as secure as possible. Because of that, KEDA will run as non-root and be secure-by-default. You can define global securityContext for all components or switch to granular mode and define securityContext for operator, kuberbacproxy, scaler, and interceptor:
+```yaml
+securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsUser: 1000
+ runAsGroup: 1000
+ # operator:
+ # capabilities:
+ # drop:
+ # - ALL
+ # allowPrivilegeEscalation: false
+ # readOnlyRootFilesystem: true
+ # seccompProfile:
+ # type: RuntimeDefault
+ # kuberbacproxy:
+ # capabilities:
+ # drop:
+ # - ALL
+ # allowPrivilegeEscalation: false
+ # readOnlyRootFilesystem: true
+ # seccompProfile:
+ # type: RuntimeDefault
+ # scaler:
+ # capabilities:
+ # drop:
+ # - ALL
+ # allowPrivilegeEscalation: false
+ # readOnlyRootFilesystem: true
+ # seccompProfile:
+ # type: RuntimeDefault
+ # interceptor:
+ # capabilities:
+ # drop:
+ # - ALL
+ # allowPrivilegeEscalation: false
+ # readOnlyRootFilesystem: true
+ # seccompProfile:
+ # type: RuntimeDefault
+podSecurityContext:
+ fsGroup: 1000
+ supplementalGroups:
+ - 1000
+ # operator:
+ # runAsNonRoot: true
+```
+
 
 ----------------------------------------------
 Autogenerated from chart metadata using [helm-docs](https://github.com/norwoodj/helm-docs)
From 993f904afa89e86d3007f331fe2e3028d18450bc Mon Sep 17 00:00:00 2001
From: Frank Kloeker
Date: Tue, 7 Nov 2023 19:48:16 +0100
Subject: [PATCH 4/7] fix values doc
Signed-off-by: Frank Kloeker
---
 http-add-on/values.yaml | 21 ---------------------
 1 file changed, 21 deletions(-)
diff --git a/http-add-on/values.yaml b/http-add-on/values.yaml
index 0480d283..cab94e6b 100644
--- a/http-add-on/values.yaml
+++ b/http-add-on/values.yaml
@@ -170,13 +170,6 @@ securityContext:
 readOnlyRootFilesystem: true
 runAsUser: 1000
 runAsGroup: 1000
-
-podSecurityContext:
- fsGroup: 1000
- supplementalGroups:
- - 1000
- # -- [Security context] of the operator container
- # @default -- [See below](#KEDA-is-secure-by-default)
 # operator:
 # capabilities:
 # drop:
@@ -185,8 +178,6 @@ podSecurityContext:
 # readOnlyRootFilesystem: true
 # seccompProfile:
 # type: RuntimeDefault
- # -- [Security context] of the kuberbacproxy container
- # @default -- [See below](#KEDA-is-secure-by-default)
 # kuberbacproxy:
 # capabilities:
 # drop:
@@ -195,8 +186,6 @@ podSecurityContext:
 # readOnlyRootFilesystem: true
 # seccompProfile:
 # type: RuntimeDefault
- # -- [Security context] of the scaler container
- # @default -- [See below](#KEDA-is-secure-by-default)
 # scaler:
 # capabilities:
 # drop:
@@ -205,8 +194,6 @@ podSecurityContext:
 # readOnlyRootFilesystem: true
 # seccompProfile:
 # type: RuntimeDefault
- # -- [Security context] of the interceptor container
- # @default -- [See below](#KEDA-is-secure-by-default)
 # interceptor:
 # capabilities:
 # drop:
@@ -222,24 +209,16 @@ podSecurityContext:
 fsGroup: 1000
 supplementalGroups:
 - 1000
- # -- [Pod security context] of the KEDA operator pod
- # @default -- [See below](#KEDA-is-secure-by-default)
 # operator:
 # runAsNonRoot: true
 # runAsUser: 1000
 # runAsGroup: 1000
 # fsGroup: 1000
-
- # -- [Pod security context] of the KEDA scaler pod
- # @default -- [See below](#KEDA-is-secure-by-default)
 # scaler:
 # runAsNonRoot: true
 # runAsUser: 1000
 # runAsGroup: 1000
 # fsGroup: 1000
-
- # -- [Pod security context] of the KEDA interceptor pod
- # @default -- [See below](#KEDA-is-secure-by-default)
 # interceptor:
 # runAsNonRoot: true
 # runAsUser: 1000
From 52110a65fe9c18c4c19227c1ed25d4edeee5782a Mon Sep 17 00:00:00 2001
From: Frank Kloeker
Date: Tue, 7 Nov 2023 19:57:46 +0100
Subject: [PATCH 5/7] generate helm-docs
Signed-off-by: Frank Kloeker
---
 http-add-on/README.md | 13 +++++++
 http-add-on/README.md.gotmpl | 66 ++++++++++++++++++++++++++++++++++++
 2 files changed, 79 insertions(+)
diff --git a/http-add-on/README.md b/http-add-on/README.md
index 833696d5..cabe24bb 100644
--- a/http-add-on/README.md
+++ b/http-add-on/README.md
@@ -224,6 +224,19 @@ podSecurityContext:
 - 1000
 # operator:
 # runAsNonRoot: true
+ # runAsUser: 1000
+ # runAsGroup: 1000
+ # fsGroup: 1000
+ # scaler:
+ # runAsNonRoot: true
+ # runAsUser: 1000
+ # runAsGroup: 1000
+ # fsGroup: 1000
+ # interceptor:
+ # runAsNonRoot: true
+ # runAsUser: 1000
+ # runAsGroup: 1000
+ # fsGroup: 1000
 ```
 
 ----------------------------------------------
diff --git a/http-add-on/README.md.gotmpl b/http-add-on/README.md.gotmpl
index a2acc973..a262ccae 100644
--- a/http-add-on/README.md.gotmpl
+++ b/http-add-on/README.md.gotmpl
@@ -135,5 +135,71 @@ be provided while installing the chart. For example,
 helm install http-add-on kedacore/keda-add-ons-http --namespace keda -f values.yaml
 ```
+## KEDA is secure by default
+
+Our default configuration strives to be as secure as possible. Because of that, KEDA will run as non-root and be secure-by-default. You can define global securityContext for all components or switch to granular mode and define securityContext for operator, kuberbacproxy, scaler, and interceptor:
+```yaml
+securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsUser: 1000
+ runAsGroup: 1000
+ # operator:
+ # capabilities:
+ # drop:
+ # - ALL
+ # allowPrivilegeEscalation: false
+ # readOnlyRootFilesystem: true
+ # seccompProfile:
+ # type: RuntimeDefault
+ # kuberbacproxy:
+ # capabilities:
+ # drop:
+ # - ALL
+ # allowPrivilegeEscalation: false
+ # readOnlyRootFilesystem: true
+ # seccompProfile:
+ # type: RuntimeDefault
+ # scaler:
+ # capabilities:
+ # drop:
+ # - ALL
+ # allowPrivilegeEscalation: false
+ # readOnlyRootFilesystem: true
+ # seccompProfile:
+ # type: RuntimeDefault
+ # interceptor:
+ # capabilities:
+ # drop:
+ # - ALL
+ # allowPrivilegeEscalation: false
+ # readOnlyRootFilesystem: true
+ # seccompProfile:
+ # type: RuntimeDefault
+podSecurityContext:
+ fsGroup: 1000
+ supplementalGroups:
+ - 1000
+ # operator:
+ # runAsNonRoot: true
+ # runAsUser: 1000
+ # runAsGroup: 1000
+ # fsGroup: 1000
+ # scaler:
+ # runAsNonRoot: true
+ # runAsUser: 1000
+ # runAsGroup: 1000
+ # fsGroup: 1000
+ # interceptor:
+ # runAsNonRoot: true
+ # runAsUser: 1000
+ # runAsGroup: 1000
+ # fsGroup: 1000
+```
+
 
 ----------------------------------------------
 Autogenerated from chart metadata using [helm-docs](https://github.com/norwoodj/helm-docs)
From 899ae15e988aef0be5a2fa9b5af7c39737907296 Mon Sep 17 00:00:00 2001
From: Frank Kloeker
Date: Tue, 28 Nov 2023 15:46:26 +0100
Subject: [PATCH 6/7] comment runtime user
Signed-off-by: Frank Kloeker
---
 http-add-on/values.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/http-add-on/values.yaml b/http-add-on/values.yaml
index cab94e6b..adb45bc7 100644
--- a/http-add-on/values.yaml
+++ b/http-add-on/values.yaml
@@ -168,8 +168,8 @@ securityContext:
 - ALL
 privileged: false
 readOnlyRootFilesystem: true
- runAsUser: 1000
- runAsGroup: 1000
+ # runAsUser: 1000
+ # runAsGroup: 1000
 # operator:
 # capabilities:
 # drop:
From 78aa44936dbec399e4b4ee70307235c803ae0c05 Mon Sep 17 00:00:00 2001
From: Frank Kloeker
Date: Tue, 28 Nov 2023 15:48:58 +0100
Subject: [PATCH 7/7] helm-docs
Signed-off-by: Frank Kloeker
---
 http-add-on/README.md | 4 ++--
 http-add-on/README.md.gotmpl | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/http-add-on/README.md b/http-add-on/README.md
index cabe24bb..83835430 100644
--- a/http-add-on/README.md
+++ b/http-add-on/README.md
@@ -184,8 +184,8 @@ securityContext:
 - ALL
 privileged: false
 readOnlyRootFilesystem: true
- runAsUser: 1000
- runAsGroup: 1000
+ # runAsUser: 1000
+ # runAsGroup: 1000
 # operator:
 # capabilities:
 # drop:
diff --git a/http-add-on/README.md.gotmpl b/http-add-on/README.md.gotmpl
index a262ccae..eae5d371 100644
--- a/http-add-on/README.md.gotmpl
+++ b/http-add-on/README.md.gotmpl
@@ -146,8 +146,8 @@ securityContext:
 - ALL
 privileged: false
 readOnlyRootFilesystem: true
- runAsUser: 1000
- runAsGroup: 1000
+ # runAsUser: 1000
+ # runAsGroup: 1000
 # operator:
 # capabilities:
 # drop:
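Review bot: Commenting out `runAsUser` and `runAsGroup` leaves the global `securityContext` with nothing that constrains the UID, and `runAsNonRoot` is set nowhere in the chart's active defaults, so each container now runs as whatever USER its image declares, root if the image leaves it unset, while the README section added earlier in this series still states that KEDA runs as non-root. Presumably the fixed UID was dropped so that images with their own non-root user, or platforms that assign UIDs at admission, keep working; `runAsNonRoot: true` in place of the two commented lines preserves that flexibility and makes the kubelet refuse to start any container whose effective UID resolves to 0. The `securityContext` mapping begins before this hunk, and the two README hunks in the final patch of the series mirror this change, so they would need the same line.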