Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

#802 Secure controller by avoiding priv esc #819

Closed
wants to merge 4 commits into from
Closed

#802 Secure controller by avoiding priv esc #819

wants to merge 4 commits into from

Conversation

JorgeN118
Copy link
Contributor

Description of the change

  • Change the uid in the docker image
  • Change the defaults for runAsUser & runAsGroup to 10001
  • Change the allowPrivilegeEscalation to false
  • Update the helm chart

Benefits

Possible drawbacks

Applicable issues

Additional information

@JorgeN118 JorgeN118 temporarily deployed to vmware-image-builder April 9, 2022 19:37 Inactive
@github-actions
Copy link

This Pull Request has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thank you for your contribution.

@github-actions github-actions bot added the Stale label Apr 25, 2022
@alvneiayu alvneiayu added this to Inbox in Sealed Secrets via automation Apr 28, 2022
@JorgeN118 JorgeN118 temporarily deployed to vmware-image-builder April 28, 2022 19:21 Inactive
@alvneiayu
Copy link
Collaborator

thanks @IoannisMatzaris

We are investigating your change. I will come back asap.

Álvaro

@github-actions
Copy link

This Pull Request has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thank you for your contribution.

@github-actions github-actions bot added the Stale label May 21, 2022
@alvneiayu alvneiayu removed the Stale label May 21, 2022
@github-actions
Copy link

github-actions bot commented Jun 6, 2022

This Pull Request has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thank you for your contribution.

@github-actions github-actions bot added the Stale label Jun 6, 2022
@alvneiayu alvneiayu removed the Stale label Jun 9, 2022
alvneiayu
alvneiayu requested changes Jun 9, 2022
View reviewed changes
Copy link
Collaborator

@alvneiayu alvneiayu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hi @IoannisMatzaris

First of all, thanks a lot for your time and your PR. The PR has some conflicts and I included a question and a comment.

Thanks a lot again

Álvaro

helm/sealed-secrets/values.yaml
runAsUser: 1001
runAsUser: 10001
runAsGroup: 10001
allowPrivilegeEscalation: false
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You are including the allowPrivilegeEscalation in the values yaml but you must change the psp.yaml to include the logic to use the value that you are setting up in the values.yaml

controller-norbac.jsonnet
@@ -54,7 +54,9 @@ local namespace = 'kube-system';
securityContext+: {
readOnlyRootFilesystem: true,
runAsNonRoot: true,
runAsUser: 1001,
allowPrivilegeEscalation: false,
runAsUser: 10001,
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

question: this 10001 user still belongs to root group?

@github-actions
Copy link

This Pull Request has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thank you for your contribution.

@github-actions github-actions bot added the Stale label Jun 25, 2022
@github-actions
Copy link

github-actions bot commented Jul 3, 2022

Due to the lack of activity in the last 7 days since it was marked as "stale", we proceed to close this Pull Request. Do not hesitate to reopen it later if necessary.

@github-actions github-actions bot closed this Jul 3, 2022
Sealed Secrets automation moved this from Inbox to Completed Jul 3, 2022
@R011y
Copy link

R011y commented Aug 11, 2023
edited

@JorgeN118 Did this change get merged after all? Currently trying to determine if users can safely set allowPrivilegeEscalation: false for sealed-secrets controller manifests.

@R011y
Copy link

R011y commented Aug 11, 2023

Any update here @agarcia-oss ?? Would be good to know if the controller.yaml can support this now.

@alvneiayu
Copy link
Collaborator

alvneiayu commented Aug 16, 2023
edited

hi @R011y

We requested some information and changes to the user and we didn't receive answer from them. This is not already included.
We are open to continue working on this, do you want to help us contributing in this PR ? (creating a new PR maybe it is better)

Thanks a lot

Álvaro

@alvneiayu
Copy link
Collaborator

alvneiayu commented Aug 17, 2023
edited

BTW, if you are using the generated yaml that we are releasing, we have included: #1261. Maybe it solves your problems

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@alvneiayu alvneiayu alvneiayu requested changes

@juan131 juan131 Awaiting requested review from juan131

@mkmik mkmik Awaiting requested review from mkmik

@agarcia-oss agarcia-oss Awaiting requested review from agarcia-oss agarcia-oss is a code owner

@alemorcuq alemorcuq Awaiting requested review from alemorcuq alemorcuq is a code owner

Assignees
No one assigned
Labels
enhancement security Stale
Projects
Sealed Secrets
  
Completed
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Secure the Controller by avoiding privilege escalation issue
3 participants
@JorgeN118 @alvneiayu @R011y