Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Namespace does not have PSS level assigned #40

Closed
uri-peled-unit opened this issue Jan 14, 2024 · 7 comments · Fixed by #41
Closed

Namespace does not have PSS level assigned #40

uri-peled-unit opened this issue Jan 14, 2024 · 7 comments · Fixed by #41

Comments

@uri-peled-unit
Copy link

Issue Summary

I have noticed that the Helm chart is missing the necessary annotations for PodSecurityPolicy enforcement.

Problem Description

The Helm chart is missing the following annotations in the pod template:

annotations:
  pod-security.kubernetes.io/enforce: "restricted"

This annotation is crucial for enforcing the PodSecurityPolicy "restricted" on the pods, and its absence may lead to security concerns.

Steps to Reproduce

  1. Install the Helm chart with the specified version.
  2. Observe the absence of the mentioned annotations in the deployed pods.

Expected Behavior

I expected the Helm chart to include the necessary annotations in the pod template out of the box, specifically:

annotations:
  pod-security.kubernetes.io/enforce: "restricted"

Proposed Solution

It would be beneficial if the Helm chart could be updated to include the missing annotations for proper PodSecurityPolicy enforcement.

Enforcing the pod-security.kubernetes.io/enforce: "restricted" annotation in Kubernetes is important for several reasons:

  1. Security Compliance: Ensures compliance with security best practices and organizational policies.

  2. Least Privilege: Follows the principle of least privilege, limiting pod permissions to minimize security risks.

  3. Preventing Escalation: Mitigates the risk of privilege escalation within containers.

  4. Defense in Depth: Adds an extra layer of defense to the Kubernetes cluster.

  5. Risk Reduction: Reduces the risk of security vulnerabilities and exploits.

  6. Organizational Alignment: Aligns workloads with organizational security policies.

  7. Cluster Hardening: Contributes to the overall security hardening of the Kubernetes cluster.

  8. Auditing and Monitoring: Facilitates auditing and monitoring of security configurations.

Thank you for your attention to this matter.
@linear Linear
Copy link

linear bot commented Jan 14, 2024

OSS-1 Namespace does not have PSS level assigned

@ekampf
Copy link
Contributor

ekampf commented Jan 16, 2024

Hey @uri-peled-unit ,
Thanks for the feedback!
You can add said annotations to the connector pods using .Values.podAnnotations (see

helm-charts/stable/connector/values.yaml

Line 32 in ad95bae

podAnnotations: {}
)

Will discuss with team on wether we want to include this annotation by default.
Aren't these annotations better applied on namespaces or cluster level?

@uri-peled-unit
Copy link
Author

uri-peled-unit commented Jan 16, 2024 via email

@ekampf
Copy link
Contributor

ekampf commented Jan 16, 2024

@uri-peled-unit I tried testing it and I'm not sure this annotation even works on the pod level? didnt work for me...
But when setting it on my namespace I did get a bunch of errors to connectors so we need to look into fixing those to make the container compatible with "restricted" mode

@uri-peled-unit
Copy link
Author

uri-peled-unit commented Jan 16, 2024 via email

@Yaronsohn
Copy link

Hey @uri-peled-unit,

The most common source of vulnerabilities within images are the libraries and executables that an image contains.
The more you have the more likely you will have to update the image often.
Moreover, the more executables in the image the more likely an attacker might be able to break the sandbox.

Our approach is to keep the image code footprint as small as possible to avoid the aforementioned.
This is a double edge sword, as it also limits what we can do.
Because the connector does need permission to access some of the resources in the container (which a normal user might not have the access) performing the fine tuning will require more libraries and executables to be included and that negates our lean image approach.

Because the Kubernetes runtime enforces a sandbox environment anyway, a solution where you have a root that can not do anything is more secure than a normal user that has all the tools in his disposal.

I'll be happy to discuss this further.

@ekampf
Copy link
Contributor

ekampf commented Jan 22, 2024

@uri-peled-unit we're testing a fix to our Connector docker file to run nonroot. Expecting to have this feature available in the coming connector release.
We're still using distroless, keeping our footprint minimal, but found a way to make it run not on the root user to allow auditing\compliance tools to ✅ it ;)

Note that this is not a helm-charts issue and once new connector images are released there's no changes required on this repo, but I'm keeping this issue open for now and will close it when we release.

@linear linear bot closed this as completed Jan 22, 2024
@ekampf ekampf reopened this Jan 22, 2024
@ekampf ekampf mentioned this issue Jan 23, 2024
Merged
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat: Support running Connector under "restricted" security policy Twingate/helm-charts
3 participants
@ekampf @Yaronsohn @uri-peled-unit