
Enable securityContext override for all Gloo Edge deployments #8455

Closed
Tracked by #8864
curuvija opened this issue Jul 11, 2023 · 5 comments

Comments

@curuvija

Version

1.14.x (latest stable)

Is your feature request related to a problem? Please describe.

I cannot override securityContext of the container unless I use kubeResourceOverride and for that I need to override the whole container definition.

Describe the solution you'd like

I would like to have a solution like you implemented for gloo or gateway-proxy pods where I could do:

gloo-ee:
  gloo:
    gloo:
      deployment:
        glooContainerSecurityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 10101
          capabilities:
            drop:
            - ALL
          seccompProfile:
            type: RuntimeDefault

Describe alternatives you've considered

No response

Additional Context

No response

curuvija added the Type: Enhancement (New feature or request) label on Jul 11, 2023
@anessi

anessi commented Jul 12, 2023

The override with kubeResourceOverride is a workaround, but a very ugly one, because it requires overriding the whole extauth definition due to #5841 (e.g. single properties don't get merged in lists; the whole list is overwritten).

This means that single properties defined like this:

global:
  extensions:
    extAuth:
      deployment:
        replicas: 2
        resources:
          limits:
            memory: 512Mi
            cpu: 1
          requests:
            memory: 100Mi
            cpu: 200m
        floatingUserId: true
        extraExtAuthLabels:
          app: gloo

don't take effect anymore, so we have to copy/paste the whole section for each customer like this:

global:
  extensions:
    extAuth:
        kubeResourceOverride:
          spec:
            template:
              spec:
                containers:
                # the whole container section has to be copy/pasted due to the mentioned issue
                - image: ...
                  resources:
                    limits:
                      cpu: '1'
                      memory: 512Mi
                    requests:
                      cpu: 200m
                      memory: 100Mi
                  imagePullPolicy: IfNotPresent
                  name: extauth
                  env:
                    - name: POD_NAMESPACE
                      valueFrom:
                        fieldRef:
                          fieldPath: metadata.namespace
                    - name: SERVICE_NAME
                      value: "ext-auth"
                    - name: GLOO_ADDRESS
                      value: gloo:9977
                    - name: SIGNING_KEY
                      valueFrom:
                        secretKeyRef:
                          name: extauth-signing-key
                          key: signing-key
                    - name: REDIS_PASSWORD
                      valueFrom:
                        secretKeyRef:
                          name: redis
                          key: redis-password
                    - name: SERVER_PORT
                      value: "8083"
                    - name: USER_ID_HEADER
                      value: "x-user-id"
                    - name: START_STATS_SERVER
                      value: "true"
                    - name: HEALTH_HTTP_PORT
                      value: "8082"
                    - name: HEALTH_HTTP_PATH
                      value: "/healthcheck"
                    - name: ALIVE_HTTP_PATH
                      value: "/alivecheck"
                  readinessProbe:
                    httpGet:
                      port: 8082
                      path: "/healthcheck"
                    initialDelaySeconds: 2
                    periodSeconds: 5
                    failureThreshold: 2
                    successThreshold: 1
                  securityContext:
                    runAsNonRoot: true
                    runAsUser: 10101
                    allowPrivilegeEscalation: false
                    capabilities:
                      drop:
                      - ALL
                    readOnlyRootFilesystem: true
                    seccompProfile:
                      type: RuntimeDefault
                affinity:
                  podAffinity:
                    preferredDuringSchedulingIgnoredDuringExecution:
                      - weight: 100
                        podAffinityTerm:
                          labelSelector:
                            matchLabels:
                              gloo: gateway-proxy
                          topologyKey: kubernetes.io/hostname
                imagePullSecrets:
                - name: artifactory

Because we have quite a few customers, we need to ask each what values they use, then render it for them and tell them what to put in there, which is a lot of support effort for us for a simple feature that should be standard.

So, yes there is a workaround but not a maintainable one.
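The list-replacement behaviour described in the comment above, as an added example that is not part of the issue, the Gloo Edge chart or solo.io's code. It models the merge semantics the comment attributes to kubeResourceOverride (maps merge key by key, lists are replaced wholesale) and shows why a minimal override that names only `securityContext` in the `containers` list silently drops the container's image, env and probes, while an override that copies the whole container keeps them. The base Deployment is a constructed, trimmed stand-in for the rendered extauth Deployment, not real chart output; `merge_override` is an assumed reimplementation of the merge rule, not the chart's own template function.

```python
import copy

# Hardened container securityContext, as requested in the issue.
HARDENED_SECURITY_CONTEXT = {
    "runAsNonRoot": True,
    "runAsUser": 10101,
    "allowPrivilegeEscalation": False,
    "capabilities": {"drop": ["ALL"]},
    "readOnlyRootFilesystem": True,
    "seccompProfile": {"type": "RuntimeDefault"},
}

# Constructed stand-in for the chart's rendered extauth Deployment, trimmed to
# the fields that matter here (assumption: not the real chart output).
BASE_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "extauth"},
    "spec": {
        "replicas": 2,
        "template": {
            "spec": {
                "containers": [
                    {
                        "name": "extauth",
                        "image": "example.invalid/extauth:1.14",
                        "env": [
                            {"name": "SERVICE_NAME", "value": "ext-auth"},
                            {"name": "GLOO_ADDRESS", "value": "gloo:9977"},
                        ],
                        "readinessProbe": {
                            "httpGet": {"port": 8082, "path": "/healthcheck"}
                        },
                    }
                ],
                "imagePullSecrets": [{"name": "artifactory"}],
            }
        },
    },
}


def merge_override(base, override):
    """Merge `override` into a copy of `base` the way the comment describes:
    maps are merged key by key, everything else (including lists) is replaced
    by the override value as a whole."""
    if isinstance(base, dict) and isinstance(override, dict):
        result = copy.deepcopy(base)
        for key, value in override.items():
            if key in result:
                result[key] = merge_override(result[key], value)
            else:
                result[key] = copy.deepcopy(value)
        return result
    return copy.deepcopy(override)


def container(deployment, name):
    """Return the container named `name` from a Deployment, or None."""
    for ctr in deployment["spec"]["template"]["spec"]["containers"]:
        if ctr["name"] == name:
            return ctr
    return None


def apply_partial_override():
    """Naive override: only name and securityContext in the containers list.
    Because the list is replaced, image/env/probes of the base container are lost."""
    override = {"spec": {"template": {"spec": {"containers": [
        {"name": "extauth", "securityContext": HARDENED_SECURITY_CONTEXT}
    ]}}}}
    return merge_override(BASE_DEPLOYMENT, override)


def apply_full_override():
    """Working override: copy the whole base container and add securityContext,
    which is the copy/paste burden the comment complains about."""
    full = copy.deepcopy(container(BASE_DEPLOYMENT, "extauth"))
    full["securityContext"] = HARDENED_SECURITY_CONTEXT
    override = {"spec": {"template": {"spec": {"containers": [full]}}}}
    return merge_override(BASE_DEPLOYMENT, override)


if __name__ == "__main__":
    partial = container(apply_partial_override(), "extauth")
    print("partial override keeps only:", sorted(partial))
    full = container(apply_full_override(), "extauth")
    print("full override keeps:", sorted(full))
```

Note that map-valued siblings such as `spec.replicas` and `imagePullSecrets` survive the partial override untouched; only the list that the override names is affected, which is exactly what makes the resulting Deployment look plausible until the container fails to start.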

@edubonifs

Hi, our customer is also asking to provide these values, not only for extauth deployment, but also for observability

@mithie

mithie commented Jan 15, 2024

We would also need a possibility to set those properties for all gloo deployment resources and their containers. This is necessary for properly enabling pod security standards for the whole gloo deployment.
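A check for the Pod Security Standards "restricted" rules that a container securityContext override controls, as an added example that is not code from the Gloo Edge project or from any participant in this thread. It walks a rendered Deployment (the kind of object `helm template` produces) and reports, per container and init container, which of the restricted-profile container rules are violated, honouring the pod-level to container-level inheritance of `runAsNonRoot` and `seccompProfile`. It covers only the fields an override like the one requested here can set (privileged, allowPrivilegeEscalation, runAsNonRoot, capabilities, seccompProfile); volume and host-namespace rules of the profile are out of scope. `readOnlyRootFilesystem` is not part of the restricted profile, so it is an opt-in extra. The sample Deployment is constructed for the example.

```python
# Constructed sample Deployment (assumption: not real chart output). The
# "extauth" container carries the hardened context from the issue; "sidecar"
# has no container-level context and relies on pod-level defaults.
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "extauth"},
    "spec": {"template": {"spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [
            {
                "name": "extauth",
                "image": "example.invalid/extauth:1.14",
                "securityContext": {
                    "runAsNonRoot": True,
                    "runAsUser": 10101,
                    "allowPrivilegeEscalation": False,
                    "capabilities": {"drop": ["ALL"]},
                    "readOnlyRootFilesystem": True,
                    "seccompProfile": {"type": "RuntimeDefault"},
                },
            },
            {"name": "sidecar", "image": "example.invalid/sidecar:1.0"},
        ],
    }}},
}


def _effective(pod_sc, ctr_sc, field):
    """Container-level setting wins; otherwise the pod-level value applies."""
    if field in ctr_sc:
        return ctr_sc[field]
    return pod_sc.get(field)


def check_restricted(deployment, require_read_only_root=False):
    """Return a list of "<container>: <rule>" violations; empty means compliant
    with the container-level rules of the PSS restricted profile."""
    pod_spec = deployment["spec"]["template"]["spec"]
    pod_sc = pod_spec.get("securityContext", {})
    ctrs = pod_spec.get("containers", []) + pod_spec.get("initContainers", [])
    violations = []
    for ctr in ctrs:
        name = ctr.get("name", "<unnamed>")
        sc = ctr.get("securityContext", {})
        if sc.get("privileged") is True:
            violations.append(f"{name}: privileged must not be true")
        # The profile requires the field to be explicitly false, not merely unset.
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(f"{name}: allowPrivilegeEscalation must be explicitly false")
        if _effective(pod_sc, sc, "runAsNonRoot") is not True:
            violations.append(f"{name}: runAsNonRoot must be true at pod or container level")
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            violations.append(f"{name}: capabilities.drop must include ALL")
        extra = set(caps.get("add", [])) - {"NET_BIND_SERVICE"}
        if extra:
            violations.append(f"{name}: capabilities.add may only contain NET_BIND_SERVICE, got {sorted(extra)}")
        seccomp = _effective(pod_sc, sc, "seccompProfile") or {}
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            violations.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
        # Extra hardening requested in the issue, beyond the restricted profile.
        if require_read_only_root and sc.get("readOnlyRootFilesystem") is not True:
            violations.append(f"{name}: readOnlyRootFilesystem should be true")
    return violations


if __name__ == "__main__":
    for v in check_restricted(SAMPLE_DEPLOYMENT, require_read_only_root=True):
        print(v)
```

Run it over `helm template` output converted to Python objects (for example with a YAML loader) for every Deployment in the release; a chart that exposes a securityContext value for each workload makes this list empty, while the kubeResourceOverride approach has to be repeated per Deployment to get there.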

@DuncanDoyle DuncanDoyle changed the title extauth securityContext override like on gloo or gateway-proxy pods Enable securityContext override for all Gloo Edge deployments Mar 5, 2024
@DuncanDoyle (Contributor)

Decided we need to have this for all our Gloo Edge deployments. Updated ticket title and scope.

@DuncanDoyle (Contributor)

Duplicate of #8864. Closing this one.

8 participants