feat: setup securityContext on plugins #362
Conversation
|
|
nerzhul
force-pushed
the
feat/trivy_scan_securitycontext
branch
2 times, most recently
from
c35ff36
to
ca40568
Compare
nerzhul
force-pushed
the
feat/trivy_scan_securitycontext
branch
from
ca40568
to
4d80194
Compare
|
I just fixed tests, it's now mergeable, if you can review and release when you can, we'd glad to do more test on our 200 nodes cluster :) |
docs/operator/configuration.md
Outdated
| @@ -50,6 +50,7 @@ To change the target namespace from all namespaces to the `default` namespace ed | |||
| | `scanJob.tolerations`| N/A| JSON representation of the [tolerations] to be applied to the scanner pods so that they can run on nodes with matching taints. Example: `'[{"key":"key1", "operator":"Equal", "value":"value1", "effect":"NoSchedule"}]'`| | |||
| | `scanJob.annotations`| N/A| One-line comma-separated representation of the annotations which the user wants the scanner pods to be annotated with. Example: `foo=bar,env=stage` will annotate the scanner pods with the annotations `foo: bar` and `env: stage` | | |||
| | `scanJob.templateLabel`| N/A| One-line comma-separated representation of the template labels which the user wants the scanner pods to be labeled with. Example: `foo=bar,env=stage` will labeled the scanner pods with the labels `foo: bar` and `env: stage`| | |||
| | `scanJob.podSecurityContext`| N/A| One-line JSON representation of the template securityContext which the user wants the scanner pods to be secured with. Example: `{"RunAsUser": 1000, "RunAsGroup": 1000, "RunAsNonRoot": true}`| | |||
There was a problem hiding this comment.
Will only "One-line JSON representation" be supported by this? I think it would be nice to support YAML-format - if possible, as this will be a better UX IMO. But probably not possible?
There was a problem hiding this comment.
you mean people must setup a multine YAML instead of a single line JSON in the string variable passed in the config ?
There was a problem hiding this comment.
Isn't this configured from a configmap? But I see that the similar property scanJob.templateLabel (also a typo; should be Labels) is using a simple string. I'll leave this decision up to the maintainers....
There was a problem hiding this comment.
it's the configmap key exact, i use JSON because GetScanJobTolerations uses also a JSON to be consistent
|
@nerzhul Thanks for this PR! I have added a few comments. We run on Openshift, and it is really picky about securityContext. It has it's SCC that want to control all that. |
nerzhul
force-pushed
the
feat/trivy_scan_securitycontext
branch
from
4d80194
to
a63979e
Compare
|
@erikgb i addressed your concerns, except the one on the format, let's wait for maintainers, but it kept consistency with tolerations, both are JSON unmarshaled. For Openshift, you have specific things. On our side we use PSP and PodSecurities on all namespaces, then it's not possible to run root pods. With this patch pods runs perfectly as UID > 1000 users and creates reports, on a vanilla Kubernetes with just PSP/PS |
I am not against adding this new feature, but I don't think it should break the existing operator. :-) |
nerzhul
force-pushed
the
feat/trivy_scan_securitycontext
branch
from
a63979e
to
49fdc70
Compare
|
no problem @erikgb , now it's more close to the original one, regarding the tests on other parts :) |
nerzhul
force-pushed
the
feat/trivy_scan_securitycontext
branch
from
49fdc70
to
8f82e2a
Compare
|
@chen-keinan any opinion about this very attended PR (on our use case :) ? |
At Veepee we only permit pods to run as non root. Plugin works properly as non root, add variables to setup it as non root and permit to customize UID
nerzhul
force-pushed
the
feat/trivy_scan_securitycontext
branch
from
8f82e2a
to
3b57fdf
Compare
|
This LGTM now, but I think the maintainers should take a decision regarding the config UX. At some point we should probably review the "plugin" architecture for this. We currently have just a single plugin in this project, and I am not sure if the plugin approach gives more benefits than harm. But that will be breaking tho. |
|
Okay i hope we can merge this before you change the whole architecture :) who are maintainers ? in the changelog it seems you are 2 currently active people |
@chen-keinan is the maintainer here. I have brought in some ideas from our custom in-house image scanner lately. 😉 Looking to replace it with trivy-operator. |
|
@nerzhul thanks you for contributing , I'm fine with keeping the |
|
I assume it will solve the most cases where it is required in pod level however not if it is required for a specific init container |
There was a problem hiding this comment.
Looks good! But I do have a comment/question. Considering trivy will scan and report misconfiguration for pods not having a security context with runAsUser, runAsGroup and runAsNonRoot.
https://avd.aquasec.com/misconfig/kubernetes/general/avd-ksv-0012/
https://avd.aquasec.com/misconfig/kubernetes/general/avd-ksv-0020/
https://avd.aquasec.com/misconfig/kubernetes/general/avd-ksv-0021/
Why don't we have a default value for podTemplateSecurityContext considering the AVDs above?
|
@josedonizetti it's a very good comment, i think we should have best security options by default, i just kept compat with existing when writing this pr :) |
It will be a breaking change for users on Openshift, but I do not oppose adding a default according to K8s security best practices. In this case, I think Openshift can improve. 😉 But it should be mentioned in the release notes as a breaking change IMO. |
At Veepee we only permit pods to run as non root. Plugin works properly as non root, add variables to setup it as non root and permit to customize UID
Description
Ref #121
Checklist