From 7b04b4470684fe4746a6980b5f54fc80dd2c91a6 Mon Sep 17 00:00:00 2001 From: Paulo Gomes Date: Tue, 18 Jan 2022 18:01:46 +0000 Subject: [PATCH 1/2] security: Drop capabilities and enable seccomp Further restricts the SecurityContext that the controller runs under, by enabling the default seccomp profile and dropping all linux capabilities. This was set at container-level to ensure backwards compatibility with use cases in which sidecars are injected into the source-controller pod without setting less restrictive settings. BREAKING CHANGE: The use of new seccomp API requires Kubernetes 1.19. Co-authored-by: Sanskar Jaiswal Signed-off-by: Paulo Gomes --- Dockerfile | 4 ++-- config/manager/deployment.yaml | 8 ++++++-- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index 6ef34d251..46ada8702 100644 --- a/Dockerfile +++ b/Dockerfile @@ -91,8 +91,8 @@ FROM debian:bookworm-slim as controller LABEL org.opencontainers.image.source="https://github.com/fluxcd/source-controller" # Configure user -RUN groupadd controller && \ - useradd --gid controller --shell /bin/sh --create-home controller +RUN addgroup --gid 65532 controller && \ + useradd -u 65532 -s /sbin/nologin -g controller controller ARG TARGETPLATFORM RUN apt update && apt install -y ca-certificates diff --git a/config/manager/deployment.yaml b/config/manager/deployment.yaml index c3c59047d..debaf6de9 100644 --- a/config/manager/deployment.yaml +++ b/config/manager/deployment.yaml @@ -20,9 +20,9 @@ spec: prometheus.io/port: "8080" spec: terminationGracePeriodSeconds: 10 - # Required for AWS IAM Role bindings - # https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-technical-overview.html securityContext: + # Required for AWS IAM Role bindings + # https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-technical-overview.html fsGroup: 1337 containers: - name: manager 
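Review bot: The new user-creation line mixes two toolchains and a non-canonical shell path: `addgroup --gid` is the Debian `adduser` wrapper while the next command is shadow-utils `useradd`, and on Debian the nologin binary lives at `/usr/sbin/nologin` (it only resolves as `/sbin/nologin` because bookworm is merged-/usr). A single-tool, canonical form would be `RUN groupadd --gid 65532 controller && useradd -u 65532 -s /usr/sbin/nologin -g controller controller`. Note also that `--create-home` was dropped, so the account's HOME (`/home/controller` by default) will not exist at runtime; if that is intended, a short comment saying so would help. The second patch in this series removes this block again, so the nit only matters if the commits land separately.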
@@ -31,6 +31,10 @@ spec: securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true + capabilities: + drop: [ "ALL" ] + seccompProfile: + type: RuntimeDefault ports: - containerPort: 9090 name: http From 9ba76a1f949bb262e005aabd3385b20dee0244ec Mon Sep 17 00:00:00 2001 From: Paulo Gomes Date: Tue, 18 Jan 2022 18:05:47 +0000 Subject: [PATCH 2/2] Enforce runAsNonRoot BREAKING CHANGE: the controller container is now executed under 65534:65534 (userid:groupid). This change may break deployments that hard-coded the user name 'controller' in their PodSecurityPolicy. Signed-off-by: Paulo Gomes --- Dockerfile | 6 +----- config/manager/deployment.yaml | 1 + 2 files changed, 2 insertions(+), 5 deletions(-) diff --git a/Dockerfile b/Dockerfile index 46ada8702..4484efb50 100644 --- a/Dockerfile +++ b/Dockerfile @@ -90,10 +90,6 @@ FROM debian:bookworm-slim as controller # Link repo to the GitHub Container Registry image LABEL org.opencontainers.image.source="https://github.com/fluxcd/source-controller" -# Configure user -RUN addgroup --gid 65532 controller && \ - useradd -u 65532 -s /sbin/nologin -g controller controller - ARG TARGETPLATFORM RUN apt update && apt install -y ca-certificates @@ -102,5 +98,5 @@ COPY --from=build /workspace/source-controller /usr/local/bin/ COPY --from=libgit2-bullseye /libgit2/built-on-glibc-version / COPY ATTRIBUTIONS.md / -USER controller +USER 65534:65534 ENTRYPOINT [ "source-controller" ] diff --git a/config/manager/deployment.yaml b/config/manager/deployment.yaml index debaf6de9..2a3fe0218 100644 --- a/config/manager/deployment.yaml +++ b/config/manager/deployment.yaml @@ -31,6 +31,7 @@ spec: securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true + runAsNonRoot: true capabilities: drop: [ "ALL" ] seccompProfile:
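Review bot: The reason these two settings sit on the container rather than the pod `securityContext` is only recorded in the commit message, and someone later "tidying" the manifest is likely to hoist them to pod level, which would change the behaviour of injected sidecars. I would add above `capabilities:` the comment `# Deliberately container-scoped: injected sidecars keep their own defaults (seccompProfile needs Kubernetes >= 1.19).` As a style nit, `drop: [ "ALL" ]` with padded brackets is unusual for Kubernetes manifests; `drop: ["ALL"]` or a block list reads more conventionally. The enclosing `containers` entry starts and ends outside the hunk.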
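Review bot: `USER 65534:65534` runs the controller as the Debian `nobody`/`nogroup` account, which base-passwd ships in this image; that UID is a shared catch-all (NFS root-squash, other daemons), so the process has no identity of its own and any shared volume it can write is reachable by everything else mapped to `nobody`. The first patch in this series introduced 65532 (the distroless `nonroot` convention), and switching to a dedicated, otherwise-unused numeric UID keeps the isolation benefit while still satisfying the kubelet's numeric-user check: `USER 65532:65532`. Whichever value is kept, the second commit's "BREAKING CHANGE" text should name the same UID, and the chosen number is worth a one-line comment here since no passwd entry documents it anymore.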
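Review bot: `runAsNonRoot: true` without `runAsUser` makes the pod's start-up depend on the image carrying a numeric `USER`: if an operator swaps in an image whose `USER` is a name, the kubelet cannot verify it is non-root and the container fails with CreateContainerConfigError rather than running. That coupling is invisible from the manifest, so I would add above `runAsNonRoot: true` the comment `# Relies on the image declaring a numeric USER; the kubelet rejects a named user here.` Alternatively pin `runAsUser` to the UID the Dockerfile uses, accepting that the two files must then be kept in sync. The enclosing `containers` entry starts and ends outside the hunk.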