fix: pss restricted securityContext

[joebowbeer]

Fixes #9743

This PR addresses most of the issues with PSS/restricted compliance. Specifically, the following kustomize folders are fixed:

• manifests/cluster-install
• manifests/cluster-rbac
• manifests/core-install
• manifests/namespace-install

It does not modify the securityContext for the haproxy containers. I'll leave this for a subsequent PR. As a result, the following kustomize folders still have 6 failures each:

• manifests/ha/cluster-install
• manifests/ha/namespace-install

The 6 failures are because 3 properties are missing from the securityContext in each of the 2 deployments: argocd-redis-ha-haproxy and argocd-redis-ha-server

securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
    - ALL
  seccompProfile:
    type: RuntimeDefault

The following command verifies the fix for manifests/namespace-install:

kustomize build https://github.com/kyverno/policies.git/pod-security | \
  kyverno apply --policy-report -r \
  <(kustomize build https://github.com/joebowbeer/argo-cd//manifests/namespace-install\?ref=pss) \
  -

Checklist:

• Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
• The title of the PR states what changed and the related issues number (used for the release note).
• I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
• I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
• Does this PR require documentation updates?
• I've updated documentation as required by this PR.
• Optional. My organization is added to USERS.md.
• I have signed off all my commits as required by DCO
• I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
• My build is green (troubleshooting builds).

[codecov]

Codecov Report

Merging #9765 (b7e6c4d) into master (19cfbfd) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##           master    #9765   +/-   ##
=======================================
  Coverage   45.90%   45.90%           
=======================================
  Files         227      227           
  Lines       26795    26795           
=======================================
  Hits        12299    12299           
  Misses      12820    12820           
  Partials     1676     1676           

Impacted Files	Coverage Δ
util/settings/settings.go	48.16% <0.00%> (ø)

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 19cfbfd...b7e6c4d. Read the comment docs.

[crenshaw-dev]

@joebowbeer good catch on the casing issue! Do you happen to know if the feature is case-sensitive?

I'm curious on the seccompProfile change. If I'm reading this correctly, the making RuntimeDefault explicit should have no effect:

Note: If you have the SeccompDefault feature gate enabled, then Pods use the RuntimeDefault seccomp profile whenever no other seccomp profile is specified. Otherwise, the default is Unconfined.

Is the idea just to be explicit so it's even more clear if someone tries to change to a less secure default?

[joebowbeer]

@joebowbeer good catch on the casing issue! Do you happen to know if the feature is case-sensitive?

Yes, this feature is case-sensitive. The docs clearly states ALL and the implementation in PSA checks for ALL - not to mention that kyverno and other tests will fail unless it is ALL.

I'm curious on the seccompProfile change. If I'm reading this correctly, the making RuntimeDefault explicit should have no effect:

Note: If you have the SeccompDefault feature gate enabled, then Pods use the RuntimeDefault seccomp profile whenever no other seccomp profile is specified. Otherwise, the default is Unconfined.

Is the idea just to be explicit so it's even more clear if someone tries to change to a less secure default?

The requirement for an explicit type is also part of the restricted standards:

Seccomp profile must be explicitly set to one of the allowed values. Both the Unconfined profile and the absence of a profile are prohibited.

Note that this is for Kubernetes v1.19 or later, but that's not an issue, right? AFAICT, ArgoCD supports two previous versions, so its minimum version is currently 1.21.

By the way, here is the corresponding kyverno policy:

https://kyverno.io/policies/pod-security/restricted/restrict-seccomp-strict/restrict-seccomp-strict/

[crenshaw-dev]

@joebowbeer thanks for the thorough response! All makes sense. On the k8s version question, I'm actually not sure. @alexmt I didn't see anything in the docs about supported k8s versions. Am I missing it?

[crenshaw-dev]

Approving, waiting for Alex's comments on k8s version support. Thanks again @joebowbeer!