
Require vault to run as non root (#80)
* Require vault to run as non root

* Fix unit tests

* Make uid/gid configurable, remove home emptydir
jasonodonnell committed Oct 18, 2019
1 parent f7aa257 commit b41d36c
Showing 7 changed files with 223 additions and 89 deletions.
2 changes: 0 additions & 2 deletions templates/server-config-configmap.yaml
Expand Up @@ -13,9 +13,7 @@ metadata:
app.kubernetes.io/managed-by: {{ .Release.Service }}
data:
extraconfig-from-values.hcl: |-
{{- if eq (.Values.server.mlock.enabled | toString) "false" }}
disable_mlock = true
{{- end }}
{{- if eq .mode "standalone" }}
{{ tpl .Values.server.standalone.config . | nindent 4 | trim }}
{{- else if eq .mode "ha" }}
10 changes: 5 additions & 5 deletions templates/server-statefulset.yaml
Expand Up @@ -41,17 +41,19 @@ spec:
terminationGracePeriodSeconds: 10
serviceAccountName: {{ template "vault.fullname" . }}
securityContext:
fsGroup: 1000
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsGroup: {{ .Values.server.gid | default 1000 }}
runAsUser: {{ .Values.server.uid | default 100 }}
fsGroup: {{ .Values.server.gid | default 1000 }}
volumes:
{{ template "vault.volumes" . }}
containers:
- name: vault
{{ template "vault.resources" . }}
{{- if eq (.Values.server.mlock.enabled | toString) "true" }}
securityContext:
capabilities:
add: ["IPC_LOCK"]
{{- end }}
image: "{{ .Values.global.image }}"
command: {{ template "vault.command" . }}
args: {{ template "vault.args" . }}
Expand All @@ -70,10 +72,8 @@ spec:
value: "{{ include "vault.scheme" . }}://$(POD_IP):8200"
- name: SKIP_CHOWN
value: "true"
{{- if eq (.Values.server.mlock.enabled | toString) "false" }}
- name: SKIP_SETCAP
value: "true"
{{- end }}
{{ template "vault.envs" . }}
{{- include "vault.extraEnvironmentVars" .Values.server | nindent 12 }}
{{- include "vault.extraSecretEnvironmentVars" .Values.server | nindent 12 }}
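Review bot: `readOnlyRootFilesystem: true` is added to the pod-level `securityContext` in the first hunk, but that key only exists on the container `SecurityContext`, not on `PodSecurityContext`, so depending on the client it either fails schema validation ("unknown field") or is silently dropped and no read-only root filesystem is enforced. Move it into the vault container's block so it sits with the capability, i.e. `securityContext:` / `readOnlyRootFilesystem: true` / `capabilities:` … , and add a unit test that reads `.spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem`; before doing so, confirm the mounted volumes cover every path the image writes to, since the commit description says the home emptyDir is removed. The second hunk appears to make `SKIP_SETCAP=true` unconditional while the container still requests `IPC_LOCK`; with the process now running as the non-root uid, whether mlock actually succeeds depends on the image carrying file capabilities on the vault binary, so verify on a real cluster that Vault does not log an mlock failure at startup, or document that `disable_mlock = true` must be set in the server config. The `vault.resources` and `vault.envs` templates this container relies on are outside the hunk.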
49 changes: 0 additions & 49 deletions test/unit/server-configmap.bats
Expand Up @@ -82,52 +82,3 @@ load _helpers
yq '.data["extraconfig-from-values.hcl"] | match("bar") | length' | tee /dev/stderr)
[ ! -z "${actual}" ]
}

@test "server/ConfigMap: mlock by default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-config-configmap.yaml \
. | tee /dev/stderr |
yq '.data["extraconfig-from-values.hcl"] | contains("disable_mlock") | not)' | tee /dev/stderr)
[ -z "${actual}" ]

local actual=$(helm template \
-x templates/server-config-configmap.yaml \
--set 'server.standalone.enabled=true' \
. | tee /dev/stderr |
yq '.data["extraconfig-from-values.hcl"] | contains("disable_mlock") | not)' | tee /dev/stderr)
[ -z "${actual}" ]

local actual=$(helm template \
-x templates/server-config-configmap.yaml \
--set 'server.ha.enabled=true' \
. | tee /dev/stderr |
yq '.data["extraconfig-from-values.hcl"] | contains("disable_mlock") | not)' | tee /dev/stderr)
[ -z "${actual}" ]
}

@test "server/ConfigMap: disable mlock" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-config-configmap.yaml \
--set 'server.mlock.enabled=false' \
. | tee /dev/stderr |
yq '.data["extraconfig-from-values.hcl"] | contains("disable_mlock")' | tee /dev/stderr)
[ ! -z "${actual}" ]

local actual=$(helm template \
-x templates/server-config-configmap.yaml \
--set 'server.mlock.enabled=false' \
--set 'server.standalone.enabled=true' \
. | tee /dev/stderr |
yq '.data["extraconfig-from-values.hcl"] | contains("disable_mlock")' | tee /dev/stderr)
[ ! -z "${actual}" ]

local actual=$(helm template \
-x templates/server-config-configmap.yaml \
--set 'server.mlock.enabled=false' \
--set 'server.ha.enabled=true' \
. | tee /dev/stderr |
yq '.data["extraconfig-from-values.hcl"] | contains("disable_mlock")' | tee /dev/stderr)
[ ! -z "${actual}" ]
}
85 changes: 75 additions & 10 deletions test/unit/server-dev-statefulset.bats
Expand Up @@ -224,19 +224,19 @@ load _helpers
yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)

local actual=$(echo $object |
yq -r '.[6].name' | tee /dev/stderr)
yq -r '.[7].name' | tee /dev/stderr)
[ "${actual}" = "FOO" ]

local actual=$(echo $object |
yq -r '.[6].value' | tee /dev/stderr)
yq -r '.[7].value' | tee /dev/stderr)
[ "${actual}" = "bar" ]

local actual=$(echo $object |
yq -r '.[7].name' | tee /dev/stderr)
yq -r '.[8].name' | tee /dev/stderr)
[ "${actual}" = "FOOBAR" ]

local actual=$(echo $object |
yq -r '.[7].value' | tee /dev/stderr)
yq -r '.[8].value' | tee /dev/stderr)
[ "${actual}" = "foobar" ]
}

Expand All @@ -257,23 +257,23 @@ load _helpers
yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)

local actual=$(echo $object |
yq -r '.[5].name' | tee /dev/stderr)
yq -r '.[6].name' | tee /dev/stderr)
[ "${actual}" = "ENV_FOO_0" ]
local actual=$(echo $object |
yq -r '.[5].valueFrom.secretKeyRef.name' | tee /dev/stderr)
yq -r '.[6].valueFrom.secretKeyRef.name' | tee /dev/stderr)
[ "${actual}" = "secret_name_0" ]
local actual=$(echo $object |
yq -r '.[5].valueFrom.secretKeyRef.key' | tee /dev/stderr)
yq -r '.[6].valueFrom.secretKeyRef.key' | tee /dev/stderr)
[ "${actual}" = "secret_key_0" ]

local actual=$(echo $object |
yq -r '.[6].name' | tee /dev/stderr)
yq -r '.[7].name' | tee /dev/stderr)
[ "${actual}" = "ENV_FOO_1" ]
local actual=$(echo $object |
yq -r '.[6].valueFrom.secretKeyRef.name' | tee /dev/stderr)
yq -r '.[7].valueFrom.secretKeyRef.name' | tee /dev/stderr)
[ "${actual}" = "secret_name_1" ]
local actual=$(echo $object |
yq -r '.[6].valueFrom.secretKeyRef.key' | tee /dev/stderr)
yq -r '.[7].valueFrom.secretKeyRef.key' | tee /dev/stderr)
[ "${actual}" = "secret_key_1" ]
}

Expand Down Expand Up @@ -311,3 +311,68 @@ load _helpers
yq -r '.spec.volumeClaimTemplates' | tee /dev/stderr)
[ "${actual}" = "null" ]
}

#--------------------------------------------------------------------
# Security Contexts
@test "server/standalone-StatefulSet: uid default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'server.dev.enabled=true' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.securityContext.runAsUser' | tee /dev/stderr)
[ "${actual}" = "100" ]
}

@test "server/standalone-StatefulSet: uid configurable" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'server.uid=2000' \
--set 'server.dev.enabled=true' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.securityContext.runAsUser' | tee /dev/stderr)
[ "${actual}" = "2000" ]
}

@test "server/standalone-StatefulSet: gid default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'server.dev.enabled=true' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.securityContext.runAsGroup' | tee /dev/stderr)
[ "${actual}" = "1000" ]
}

@test "server/standalone-StatefulSet: gid configurable" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'server.gid=2000' \
--set 'server.dev.enabled=true' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.securityContext.runAsGroup' | tee /dev/stderr)
[ "${actual}" = "2000" ]
}

@test "server/standalone-StatefulSet: fsgroup default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'server.dev.enabled=true' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.securityContext.fsGroup' | tee /dev/stderr)
[ "${actual}" = "1000" ]
}

@test "server/standalone-StatefulSet: fsgroup configurable" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'server.gid=2000' \
--set 'server.dev.enabled=true' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.securityContext.fsGroup' | tee /dev/stderr)
[ "${actual}" = "2000" ]
}
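Review bot: None of the six new security-context tests asserts `runAsNonRoot`, which is the guarantee the commit title promises, so the chart could regress to a root pod while `uid default` and friends keep passing; a test reading `.spec.template.spec.securityContext.runAsNonRoot` and asserting `"true"` closes that gap, as sketched below. The new tests are also all named `server/standalone-StatefulSet: …` although every one renders with `--set 'server.dev.enabled=true'` in the dev test file, so failures would be reported under the wrong mode; presumably the file's other tests use a `server/dev-StatefulSet:` prefix, and these should match it. The `local object=$(helm template …` assignments checked by the two earlier hunks begin above those hunks.
```shell
@test "server/dev-StatefulSet: runAsNonRoot enabled" {
  cd `chart_dir`
  local actual=$(helm template \
      -x templates/server-statefulset.yaml \
      --set 'server.dev.enabled=true' \
      . | tee /dev/stderr |
      yq -r '.spec.template.spec.securityContext.runAsNonRoot' | tee /dev/stderr)
  [ "${actual}" = "true" ]
}
```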
85 changes: 75 additions & 10 deletions test/unit/server-ha-statefulset.bats
Expand Up @@ -320,19 +320,19 @@ load _helpers
yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)

local actual=$(echo $object |
yq -r '.[5].name' | tee /dev/stderr)
yq -r '.[6].name' | tee /dev/stderr)
[ "${actual}" = "FOO" ]

local actual=$(echo $object |
yq -r '.[5].value' | tee /dev/stderr)
yq -r '.[6].value' | tee /dev/stderr)
[ "${actual}" = "bar" ]

local actual=$(echo $object |
yq -r '.[6].name' | tee /dev/stderr)
yq -r '.[7].name' | tee /dev/stderr)
[ "${actual}" = "FOOBAR" ]

local actual=$(echo $object |
yq -r '.[6].value' | tee /dev/stderr)
yq -r '.[7].value' | tee /dev/stderr)
[ "${actual}" = "foobar" ]
}

Expand All @@ -354,23 +354,23 @@ load _helpers
yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr)

local actual=$(echo $object |
yq -r '.[5].name' | tee /dev/stderr)
yq -r '.[6].name' | tee /dev/stderr)
[ "${actual}" = "ENV_FOO_0" ]
local actual=$(echo $object |
yq -r '.[5].valueFrom.secretKeyRef.name' | tee /dev/stderr)
yq -r '.[6].valueFrom.secretKeyRef.name' | tee /dev/stderr)
[ "${actual}" = "secret_name_0" ]
local actual=$(echo $object |
yq -r '.[5].valueFrom.secretKeyRef.key' | tee /dev/stderr)
yq -r '.[6].valueFrom.secretKeyRef.key' | tee /dev/stderr)
[ "${actual}" = "secret_key_0" ]

local actual=$(echo $object |
yq -r '.[6].name' | tee /dev/stderr)
yq -r '.[7].name' | tee /dev/stderr)
[ "${actual}" = "ENV_FOO_1" ]
local actual=$(echo $object |
yq -r '.[6].valueFrom.secretKeyRef.name' | tee /dev/stderr)
yq -r '.[7].valueFrom.secretKeyRef.name' | tee /dev/stderr)
[ "${actual}" = "secret_name_1" ]
local actual=$(echo $object |
yq -r '.[6].valueFrom.secretKeyRef.key' | tee /dev/stderr)
yq -r '.[7].valueFrom.secretKeyRef.key' | tee /dev/stderr)
[ "${actual}" = "secret_key_1" ]
}

Expand Down Expand Up @@ -506,3 +506,68 @@ load _helpers
yq -r '.spec.template.spec.nodeSelector' | tee /dev/stderr)
[ "${actual}" = "testing" ]
}

#--------------------------------------------------------------------
# Security Contexts
@test "server/standalone-StatefulSet: uid default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'server.ha.enabled=true' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.securityContext.runAsUser' | tee /dev/stderr)
[ "${actual}" = "100" ]
}

@test "server/standalone-StatefulSet: uid configurable" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'server.uid=2000' \
--set 'server.ha.enabled=true' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.securityContext.runAsUser' | tee /dev/stderr)
[ "${actual}" = "2000" ]
}

@test "server/standalone-StatefulSet: gid default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'server.ha.enabled=true' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.securityContext.runAsGroup' | tee /dev/stderr)
[ "${actual}" = "1000" ]
}

@test "server/standalone-StatefulSet: gid configurable" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'server.gid=2000' \
--set 'server.ha.enabled=true' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.securityContext.runAsGroup' | tee /dev/stderr)
[ "${actual}" = "2000" ]
}

@test "server/standalone-StatefulSet: fsgroup default" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'server.ha.enabled=true' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.securityContext.fsGroup' | tee /dev/stderr)
[ "${actual}" = "1000" ]
}

@test "server/standalone-StatefulSet: fsgroup configurable" {
cd `chart_dir`
local actual=$(helm template \
-x templates/server-statefulset.yaml \
--set 'server.gid=2000' \
--set 'server.ha.enabled=true' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.securityContext.fsGroup' | tee /dev/stderr)
[ "${actual}" = "2000" ]
}
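Review bot: The six new tests are labelled `server/standalone-StatefulSet: …` but each one renders with `--set 'server.ha.enabled=true'` inside the HA test file, so a failure would be attributed to the wrong mode; rename them to `server/ha-StatefulSet: uid default`, `server/ha-StatefulSet: gid default`, and so on. The two earlier hunks fix the env-var assertions by shifting positional indices (`.[5]` to `.[6]`, `.[6]` to `.[7]`), which will break again the next time an env var is added ahead of them; selecting by name, e.g. `yq -r '.[] | select(.name == "FOO") | .value'`, makes those checks order-independent. The `runAsNonRoot: true` setting that this commit introduces is still not asserted by any HA test, so it is worth adding one alongside the uid/gid checks. The `local object=$(helm template …` assignments the first two hunks inspect start above those hunks.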
