
improve security Deployment Workload #2347

Open
kaz-33 opened this issue Mar 8, 2024 · 4 comments
Labels
enhancement New feature or request help wanted Extra attention is needed

Comments

@kaz-33

kaz-33 commented Mar 8, 2024

➹ New Feature implementation request

I ran kube-score to see the security level of the workload deployment. I fixed some issues via the values file or patches,
but there are still some security issues.
Could you integrate these values into the values file?

Is your feature request related to a problem?

parser -->
Set securityContext.runAsUser to a value > 10000   --> kyverno
Set securityContext.runAsGroup to a value > 10000  --> kyverno
Ephemeral Storage limit is not set   --> values don't work... kyverno or patch?

lurker ->
A userid above 10 000 is recommended to avoid conflicts with the host. Set securityContext.runAsUser to a value > 10000
A groupid above 10 000 is recommended to avoid conflicts with the host. Set securityContext.runAsGroup to a value > 10000
Ephemeral Storage limit is not set. Resource limits are recommended to avoid resource DDOS. Set resources.limits.ephemeral-storage

v1/Service controller-manager-metrics-service in securecodebox-system         💥       
    [CRITICAL] Service Targets Pod
        · The services selector does not match any pods

Describe the solution you'd like

example:

lurker:
  image:
    pullPolicy: Always
    repository: docker.io/securecodebox/lurker
    tag: 4.4.1
  securityContext:
    runAsUser: 10010
    runAsGroup: 10010
  resources:
    limits:
      ephemeral-storage: 100Mi
    requests:
      ephemeral-storage: 100Mi

same for parser.

Describe alternatives you've considered

Additional context

@kaz-33 kaz-33 added the enhancement New feature or request label Mar 8, 2024
@J12934
Member

J12934 commented Mar 8, 2024

Hi @kaz-33

These are all more theoretical linter findings rather than something which would really improve the security here.
But if you can open a PR to change it we'd be happy to have a look and merge it.

  1. The lurker and parser are already running with a readOnlyRootFileSystem. So the chances of overloading the disk are minimal. We can still limit it further.
  2. The lurker is running with the default non-root user in the distroless image, which is somewhere in the 60-ish thousand user range. It's not set via the security context but in the image itself, so your linter complains about this somewhat incorrectly.
  3. The parsers are running with the fixed user id 1001, also set in the image. Increasing it to 10.000 shouldn't hurt.

Code for the lurker container and how it's started is here: https://github.com/secureCodeBox/secureCodeBox/blob/main/operator/controllers/execution/scans/scan_reconciler.go#L292
Parser Container / Job Definition is here: https://github.com/secureCodeBox/secureCodeBox/blob/main/operator/controllers/execution/scans/parse_reconciler.go#L140

@kaz-33
Author

kaz-33 commented Mar 11, 2024

thx for your response, and what about the service?
v1/Service controller-manager-metrics-service in securecodebox-system 💥
[CRITICAL] Service Targets Pod
· The services selector does not match any pods

@J12934
Member

J12934 commented Mar 11, 2024

The service was initially auto-generated and then never actually used / properly configured; it can and should be deleted (and the related resources in the helm chart, anything with auth_proxy: https://github.com/secureCodeBox/secureCodeBox/tree/main/operator/templates/rbac).

But I don't quite see why the tool marks this as a critical (security) issue. Still helpful to point this out, to be aware of this unnecessary service / config.
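The "service-targets-pod" finding above comes down to one question: does the Service's selector match any Pod in its namespace? A selector that matches nothing yields no Endpoints, so the Service is dead configuration. The checker below is an added example written for this thread, not kube-score's or secureCodeBox's code; it works on plain dicts shaped like the Kubernetes API JSON (what `kubectl get svc,pods -A -o json` returns), and the sample objects, including the metrics service's selector value, are constructed for the example rather than taken from the chart.

```python
"""Added example: detect Services whose selector matches no Pod, the logic
behind kube-score's "service-targets-pod" finding quoted in this issue.
Objects are plain dicts in Kubernetes API JSON shape; sample data is
constructed and the selector/label values are assumptions, not the chart's.
"""


def namespace_of(obj: dict) -> str:
    return obj.get("metadata", {}).get("namespace", "default")


def selector_matches(selector: dict, labels: dict) -> bool:
    """Equality-based selector: every selector key must be present on the
    Pod with the same value; extra Pod labels do not matter."""
    return all(labels.get(key) == value for key, value in selector.items())


def find_orphan_services(services: list, pods: list) -> list:
    """Return 'namespace/name' for every selector-bearing Service that matches
    no Pod in its namespace. Services without a selector (ExternalName, or
    headless services backed by manually managed Endpoints) are skipped here,
    because Kubernetes never derives their endpoints from Pods."""
    orphans = []
    for svc in services:
        selector = svc.get("spec", {}).get("selector") or {}
        if not selector:
            continue
        ns = namespace_of(svc)
        backed = any(
            namespace_of(pod) == ns
            and selector_matches(selector, pod.get("metadata", {}).get("labels") or {})
            for pod in pods
        )
        if not backed:
            orphans.append(f"{ns}/{svc['metadata']['name']}")
    return orphans


# Constructed sample: the auto-generated metrics Service named in the issue
# (selector value assumed) next to a Service that is properly backed by a Pod.
SAMPLE_SERVICES = [
    {
        "metadata": {"name": "controller-manager-metrics-service",
                     "namespace": "securecodebox-system"},
        "spec": {"selector": {"control-plane": "controller-manager"},  # assumed value
                 "ports": [{"port": 8443}]},
    },
    {
        "metadata": {"name": "example-backend", "namespace": "demo"},
        "spec": {"selector": {"app": "backend"}, "ports": [{"port": 80}]},
    },
]

SAMPLE_PODS = [
    {"metadata": {"name": "operator-abc", "namespace": "securecodebox-system",
                  "labels": {"app.kubernetes.io/name": "operator"}}},  # constructed
    {"metadata": {"name": "backend-xyz", "namespace": "demo",
                  "labels": {"app": "backend", "tier": "web"}}},  # constructed
]

if __name__ == "__main__":
    for svc in find_orphan_services(SAMPLE_SERVICES, SAMPLE_PODS):
        print(f"[CRITICAL] Service Targets Pod: {svc} selector matches no pods")
```

The check is namespace-scoped on purpose: a Service can only select Pods in its own namespace, so a Pod with matching labels elsewhere does not count. The practical response to an orphan is the one the maintainer gives, delete the Service and its related chart resources, since an unused Service and its RBAC still widen the surface a reviewer has to reason about.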

@kaz-33
Author

kaz-33 commented Mar 13, 2024

In additional security info:

  • seccompProfile (pod or containers "nmap", "lurker" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

  • >>> The parsers are running with the fixed user id 1001, also set in the image. Increasing it to 10.000 shouldn't hurt.

    Force the container to run with user ID > 10000 to avoid conflicts with the host’s user table. (thx aquasec)

  • >>> But I don't quite see why the tool marks this as a critical (security) issue. Still helpful to point this out, to be aware of this unnecessary service / config.

    service-targets-pod: Service - Makes sure that all Services target a Pod (Thx Kube-score)
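The workload findings collected in this thread (runAsUser and runAsGroup above 10000, an ephemeral-storage limit, a RuntimeDefault or Localhost seccompProfile, plus the readOnlyRootFilesystem the maintainer mentions) can be checked against a rendered Pod spec before opening the PR. The checker below is an added example written for this thread, not kube-score's, Kyverno's or secureCodeBox's code. It takes a Pod spec as a plain dict in Kubernetes API shape; both sample specs are constructed, with the "hardened" one mirroring the values proposed in the first post, and the container names are assumptions.

```python
"""Added example: the workload checks discussed in this issue, re-implemented
over a Pod spec dict. Rules, taken from the findings quoted above:
  - securityContext.runAsUser  set and > 10000
  - securityContext.runAsGroup set and > 10000
  - resources.limits.ephemeral-storage set
  - securityContext.seccompProfile.type is RuntimeDefault or Localhost
  - securityContext.readOnlyRootFilesystem is true
Sample specs are constructed; no image reference is included on purpose.
"""

MIN_ID = 10000
ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}


def effective_security_context(pod_spec: dict, container: dict) -> dict:
    """Container-level securityContext fields override pod-level ones;
    runAsUser, runAsGroup and seccompProfile may be set at either level."""
    merged = dict(pod_spec.get("securityContext") or {})
    merged.update(container.get("securityContext") or {})
    return merged


def check_container(pod_spec: dict, container: dict) -> list:
    """Return one human-readable finding per violated rule for this container."""
    name = container["name"]
    sc = effective_security_context(pod_spec, container)
    findings = []
    for key in ("runAsUser", "runAsGroup"):
        value = sc.get(key)
        if value is None or value <= MIN_ID:
            findings.append(f"{name}: set securityContext.{key} to a value > {MIN_ID} (got {value})")
    if sc.get("readOnlyRootFilesystem") is not True:
        findings.append(f"{name}: set securityContext.readOnlyRootFilesystem to true")
    seccomp = (sc.get("seccompProfile") or {}).get("type")
    if seccomp not in ALLOWED_SECCOMP:
        findings.append(f"{name}: set securityContext.seccompProfile.type to RuntimeDefault or Localhost")
    limits = (container.get("resources") or {}).get("limits") or {}
    if "ephemeral-storage" not in limits:
        findings.append(f"{name}: resources.limits.ephemeral-storage is not set")
    return findings


def check_pod(pod_spec: dict) -> list:
    """Check every regular and init container of a Pod spec."""
    findings = []
    for container in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        findings.extend(check_container(pod_spec, container))
    return findings


# Constructed "before": the user id baked into the image is invisible to a
# spec-level linter, so with nothing set in the spec it is reported as missing.
PARSER_BEFORE = {
    "containers": [{
        "name": "parser",  # assumed container name
        "securityContext": {"readOnlyRootFilesystem": True},
    }],
}

# Constructed "after": the values proposed in this issue, rendered into the spec.
PARSER_HARDENED = {
    "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{
        "name": "parser",  # assumed container name
        "securityContext": {
            "runAsUser": 10010,
            "runAsGroup": 10010,
            "readOnlyRootFilesystem": True,
        },
        "resources": {
            "limits": {"ephemeral-storage": "100Mi"},
            "requests": {"ephemeral-storage": "100Mi"},
        },
    }],
}

if __name__ == "__main__":
    for label, spec in (("before", PARSER_BEFORE), ("hardened", PARSER_HARDENED)):
        print(f"== {label}")
        for finding in check_pod(spec) or ["no findings"]:
            print("  ", finding)
```

The "before" spec reproduces the maintainer's point: a non-root USER set inside the image is real but not visible to a linter or admission policy that only sees the Pod spec, so the finding is about declared intent rather than actual runtime state. Setting runAsUser and runAsGroup explicitly removes that ambiguity and makes the requirement enforceable by the Kyverno policies mentioned in the first post; the 10000 bound is applied as strictly greater-than, matching the wording of the finding.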

@J12934 J12934 moved this from In Progress to Backlog in secureCodeBox v4 Mar 28, 2024
@J12934 J12934 removed their assignment Mar 28, 2024
@J12934 J12934 added the help wanted Extra attention is needed label Jun 13, 2024