Allow to run with restricted pod security standards (#2072)

* Allow to run with restricted pod security standards * Also run as group 1000 * Improve security context for creating tenants via API * Run tests with restricted pod security standard * Fix some deployment issues * Updated examples * Added newline
minio · Apr 19, 2024 · ae6c279 · ae6c279
1 parent 56cd580
commit ae6c279
Show file tree

Hide file tree

Showing 9 changed files with 110 additions and 9 deletions.
diff --git a/api/tenant-handlers.go b/api/tenant-handlers.go
@@ -45,6 +45,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	v1 "k8s.io/client-go/kubernetes/typed/core/v1"
+	"k8s.io/utils/ptr"
 )
 
 type imageRegistry struct {
@@ -57,6 +58,14 @@ type imageRegistryCredentials struct {
 	Auth     string `json:"auth"`
 }
 
+var defaultSecurityContext = models.SecurityContext{
+	RunAsUser:           ptr.To("1000"),
+	RunAsGroup:          ptr.To("1000"),
+	FsGroup:             "1000",
+	FsGroupChangePolicy: string(corev1.FSGroupChangeOnRootMismatch),
+	RunAsNonRoot:        ptr.To(true),
+}
+
 func registerTenantHandlers(api *operations.OperatorAPI) {
 	// Add Tenant
 	api.OperatorAPICreateTenantHandler = operator_api.CreateTenantHandlerFunc(func(params operator_api.CreateTenantParams, session *models.Principal) middleware.Responder {
@@ -1018,13 +1027,31 @@ func parseTenantPoolRequest(poolParams *models.Pool) (*miniov2.Pool, error) {
 		Tolerations:      tolerations,
 		RuntimeClassName: &poolParams.RuntimeClassName,
 	}
-	// if security context for Tenant is present, configure it.
-	if poolParams.SecurityContext != nil {
-		sc, err := convertModelSCToK8sSC(poolParams.SecurityContext)
-		if err != nil {
-			return nil, err
-		}
-		pool.SecurityContext = sc
+	// use default security context for Tenant if none is present
+	scp := poolParams.SecurityContext
+	if scp == nil {
+		scp = &defaultSecurityContext
+	}
+	var err error
+	pool.SecurityContext, err = convertModelSCToK8sSC(scp)
+	if err != nil {
+		return nil, err
+	}
+	pool.ContainerSecurityContext = &corev1.SecurityContext{
+		// use security context as the base for the container security context
+		RunAsUser:    pool.SecurityContext.RunAsUser,
+		RunAsGroup:   pool.SecurityContext.RunAsGroup,
+		RunAsNonRoot: pool.SecurityContext.RunAsNonRoot,
+
+		// allow running the tenant with restricted pod standards
+		// see https://kubernetes.io/docs/concepts/security/pod-security-standards
+		AllowPrivilegeEscalation: ptr.To(false),
+		Capabilities: &corev1.Capabilities{
+			Drop: []corev1.Capability{"ALL"},
+		},
+		SeccompProfile: &corev1.SeccompProfile{
+			Type: corev1.SeccompProfileTypeRuntimeDefault,
+		},
 	}
 	return pool, nil
 }

diff --git a/examples/kustomization/base/tenant.yaml b/examples/kustomization/base/tenant.yaml
@@ -215,6 +215,12 @@ spec:
         runAsUser: 1000
         runAsGroup: 1000
         runAsNonRoot: true
+        allowPrivilegeEscalation: false
+        capabilities:
+          drop:
+            - ALL
+        seccompProfile:
+          type: RuntimeDefault
   ## Enable automatic Kubernetes based certificate generation and signing as explained in
   ## https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster
   requestAutoCert: true

diff --git a/examples/kustomization/tenant-lite/tenant.yaml b/examples/kustomization/tenant-lite/tenant.yaml
@@ -28,3 +28,9 @@ spec:
         runAsUser: 1000
         runAsGroup: 1000
         runAsNonRoot: true
+        allowPrivilegeEscalation: false
+        capabilities:
+          drop:
+            - ALL
+        seccompProfile:
+          type: RuntimeDefault
diff --git a/helm/operator/values.yaml b/helm/operator/values.yaml
@@ -95,6 +95,12 @@ operator:
     runAsUser: 1000
     runAsGroup: 1000
     runAsNonRoot: true
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - ALL
+    seccompProfile:
+      type: RuntimeDefault
   ###
   # An array of `Volumes <https://kubernetes.io/docs/concepts/storage/volumes/>`__ which the Operator can mount to pods.
   #
@@ -272,13 +278,21 @@ console:
   # You may need to modify these values to meet your cluster's security and access settings.
   securityContext:
     runAsUser: 1000
+    runAsGroup: 1000
     runAsNonRoot: true
   ###
   # The Kubernetes `SecurityContext <https://kubernetes.io/docs/tasks/configure-pod-container/security-context/>`__ to use for deploying Operator Console containers.
   # You may need to modify these values to meet your cluster's security and access settings.
   containerSecurityContext:
     runAsUser: 1000
+    runAsGroup: 1000
     runAsNonRoot: true
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - ALL
+    seccompProfile:
+      type: RuntimeDefault
 
   ###
   # Forbid write permissions

diff --git a/helm/tenant/values.yaml b/helm/tenant/values.yaml
@@ -203,6 +203,12 @@ tenant:
         runAsUser: 1000
         runAsGroup: 1000
         runAsNonRoot: true
+        allowPrivilegeEscalation: false
+        capabilities:
+          drop:
+            - ALL
+        seccompProfile:
+          type: RuntimeDefault
       ###
       #
       # An array of `Topology Spread Constraints <https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/>`__ to associate to Operator Console pods.
@@ -459,6 +465,12 @@ tenant:
   #    runAsGroup: 1000
   #    runAsNonRoot: true
   #    allowPrivilegeEscalation: false
+  #    capabilities:
+  #      drop:
+  #        - ALL
+  #    seccompProfile:
+  #      type: RuntimeDefault
+
 ###
 # Configures `Ingress <https://kubernetes.io/docs/concepts/services-networking/ingress/>`__ for the Tenant S3 API and Console.
 #

diff --git a/resources/base/console-ui.yaml b/resources/base/console-ui.yaml
@@ -296,6 +296,12 @@ spec:
             runAsUser: 1000
             runAsGroup: 1000
             runAsNonRoot: true
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           ports:
             - containerPort: 9090
               name: http

diff --git a/resources/base/deployment.yaml b/resources/base/deployment.yaml
@@ -36,6 +36,12 @@ spec:
             runAsUser: 1000
             runAsGroup: 1000
             runAsNonRoot: true
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           env:
             - name: MINIO_CONSOLE_TLS_ENABLE
               value: "off"

diff --git a/resources/base/namespace.yaml b/resources/base/namespace.yaml
@@ -2,3 +2,10 @@ apiVersion: v1
 kind: Namespace
 metadata:
   name: minio-operator
+  labels:
+    pod-security.kubernetes.io/enforce: restricted
+    pod-security.kubernetes.io/enforce-version: latest
+    pod-security.kubernetes.io/audit: restricted
+    pod-security.kubernetes.io/audit-version: latest
+    pod-security.kubernetes.io/warn: restricted
+    pod-security.kubernetes.io/warn-version: latest
diff --git a/testing/common.sh b/testing/common.sh
@@ -529,6 +529,22 @@ function load_kind_images() {
     load_kind_image "$CONSOLE_RELEASE"
 }
 
+function create_restricted_namespace() {
+kubectl apply -f - <<EOF
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: "$1"
+  labels:
+    pod-security.kubernetes.io/enforce: restricted
+    pod-security.kubernetes.io/enforce-version: latest
+    pod-security.kubernetes.io/audit: restricted
+    pod-security.kubernetes.io/audit-version: latest
+    pod-security.kubernetes.io/warn: restricted
+    pod-security.kubernetes.io/warn-version: latest
+EOF
+}
+
 function install_operator() {
   # It requires compiled binary in minio-operator folder in order for docker build to work when copying this folder.
   # For that in the github actions you need to wait for operator test/step to get the binary.
@@ -550,9 +566,9 @@ function install_operator() {
     yq -i '.console.image.repository = "minio/operator"' "${SCRIPT_DIR}/../helm/operator/values.yaml"
     yq -i '.console.image.tag = "noop"' "${SCRIPT_DIR}/../helm/operator/values.yaml"
     echo "Installing Current Operator via HELM"
+    create_restricted_namespace minio-operator
     helm install \
       --namespace minio-operator \
-      --create-namespace \
       minio-operator ./helm/operator
 
     echo "key, value for pod selector in helm test"
@@ -751,8 +767,9 @@ function install_tenant() {
     namespace=default
     key=v1.min.io/tenant
     value=myminio
+    create_restricted_namespace $namespace
     try helm install --namespace $namespace \
-      --create-namespace tenant ./helm/tenant
+      tenant ./helm/tenant
   elif [ "$1" = "logs" ]; then
     namespace="tenant-lite"
     key=v1.min.io/tenant