Add ReadOnlyRootFilesystem to Security Context (#2909)

* Add readOnlyRootFilesystem to security context (#2771) * readOnlyRootFilesystem * Add mount for /tmp * Add /tmp mountpoint * Update ingress-gateways-deployment.yaml * Update terminating-gateways-deployment.yaml * Update helm unit tests * Create 2781.txt * rename changelog file * rename changelog file * Mount /tmp to volume for snapshots * rename changelog * changelog --------- Co-authored-by: mr-miles <miles.waller@gmail.com> Co-authored-by: Paul Glass <pglass@hashicorp.com> Co-authored-by: Sarah Alsmiller <sarah.alsmiller@hashicorp.com>
hashicorp · May 8, 2024 · 58f715a · 58f715a
1 parent 2cebe95
commit 58f715a
Show file tree

Hide file tree

Showing 6 changed files with 25 additions and 0 deletions.
diff --git a/.changelog/2909.txt b/.changelog/2909.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+helm: Add readOnlyRootFilesystem to the default restricted security context when runnning `consul-k8s` in a restricted namespaces.
+```
diff --git a/charts/consul/templates/_helpers.tpl b/charts/consul/templates/_helpers.tpl
@@ -19,6 +19,7 @@ as well as the global.name setting.
 {{- if not .Values.global.enablePodSecurityPolicies -}}
 securityContext:
   allowPrivilegeEscalation: false
+  readOnlyRootFilesystem: true
   capabilities:
     drop:
     - ALL

diff --git a/charts/consul/templates/ingress-gateways-deployment.yaml b/charts/consul/templates/ingress-gateways-deployment.yaml
@@ -160,6 +160,9 @@ spec:
       terminationGracePeriodSeconds: {{ default $defaults.terminationGracePeriodSeconds .terminationGracePeriodSeconds }}
       serviceAccountName: {{ template "consul.fullname" $root }}-{{ .name }}
       volumes:
+      - name: tmp
+        emptyDir:
+          medium: "Memory"
       - name: consul-service
         emptyDir:
           medium: "Memory"
@@ -221,6 +224,8 @@ spec:
             -log-level={{ default $root.Values.global.logLevel $root.Values.ingressGateways.logLevel }} \
             -log-json={{ $root.Values.global.logJSON }}
         volumeMounts:
+        - name: tmp
+          mountPath: /tmp
         - name: consul-service
           mountPath: /consul/service
         {{- if $root.Values.global.tls.enabled }}
@@ -245,6 +250,8 @@ spec:
         resources: {{ toYaml (default $defaults.resources .resources) | nindent 10 }}
         {{- end }}
         volumeMounts:
+        - name: tmp
+          mountPath: /tmp
         - name: consul-service
           mountPath: /consul/service
           readOnly: true

diff --git a/charts/consul/templates/server-statefulset.yaml b/charts/consul/templates/server-statefulset.yaml
@@ -226,6 +226,8 @@ spec:
         {{- toYaml .Values.server.securityContext | nindent 8 }}
       {{- end }}
       volumes:
+        - name: tmp
+          emptyDir: {}
         - name: config
           configMap:
             name: {{ template "consul.fullname" . }}-server-config
@@ -562,6 +564,9 @@ spec:
               mountPath: /trusted-cas
               readOnly: false
             {{- end }}
+            - name: tmp
+              mountPath: /tmp
+              readOnly: false
           ports:
             {{- if (or (not .Values.global.tls.enabled) (not .Values.global.tls.httpsOnly)) }}
             - name: http

diff --git a/charts/consul/templates/terminating-gateways-deployment.yaml b/charts/consul/templates/terminating-gateways-deployment.yaml
@@ -129,6 +129,9 @@ spec:
       terminationGracePeriodSeconds: 10
       serviceAccountName: {{ template "consul.fullname" $root }}-{{ .name }}
       volumes:
+      - name: tmp
+        emptyDir:
+          medium: "Memory"
       - name: consul-service
         emptyDir:
           medium: "Memory"
@@ -206,6 +209,8 @@ spec:
                   -log-level={{ default $root.Values.global.logLevel $root.Values.terminatingGateways.logLevel }} \
                   -log-json={{ $root.Values.global.logJSON }}
           volumeMounts:
+            - name: tmp
+              mountPath: /tmp
             - name: consul-service
               mountPath: /consul/service
             {{- if $root.Values.global.tls.enabled }}
@@ -227,6 +232,8 @@ spec:
           image: {{ $root.Values.global.imageConsulDataplane | quote }}
           {{- include "consul.restrictedSecurityContext" $ | nindent 10 }}
           volumeMounts:
+            - name: tmp
+              mountPath: /tmp
             - name: consul-service
               mountPath: /consul/service
               readOnly: true

diff --git a/charts/consul/test/unit/server-statefulset.bats b/charts/consul/test/unit/server-statefulset.bats
@@ -1385,6 +1385,7 @@ load _helpers
       "drop": ["ALL"],
       "add": ["NET_BIND_SERVICE"]
     },
+    "readOnlyRootFilesystem": true,
     "runAsNonRoot": true,
     "seccompProfile": {
       "type": "RuntimeDefault"
@@ -1417,6 +1418,7 @@ load _helpers
       "drop": ["ALL"],
       "add": ["NET_BIND_SERVICE"]
     },
+    "readOnlyRootFilesystem": true,
     "runAsNonRoot": true,
     "seccompProfile": {
       "type": "RuntimeDefault"