-
Notifications
You must be signed in to change notification settings - Fork 61
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add PodSecurityPolicy to the Helm manifests #259
Conversation
7abe20b
to
e971b45
Compare
@xopham would be great to get a review on this one. |
@youssefazrak thanks for the PR. We'll look into this and review. |
Codecov Report
@@ Coverage Diff @@
## master #259 +/- ##
=======================================
Coverage 96.66% 96.66%
=======================================
Files 22 22
Lines 1078 1078
=======================================
Hits 1042 1042
Misses 36 36 Continue to review full report at Codecov.
|
helm/values.yaml
Outdated
# PodSecurityPolicy for Kubernetes cluster using this feature | ||
psp: | ||
enabled: false | ||
name: # name of the psp |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not deep into PSPs, but two caveats:
- PSPs have been deprecated. I think we don't mind making backwards compatible changes, but we need to make sure that they won't break the future, so we'd probably want to add a k8s version check to
{{- if .Values.psp.enabled }}
and leave it out for >=1.25 (and maybe warn for >=1.21 [@phbelitz does allow helm that?]) - Afaik, one can specify multiple PSPs, so the
name
field here should be an array, which needs changes to- {{ .Values.psp.name }}
.
Also, would we want to check for empty names? With a single empty name, installation breaks if enabled=true, which I'd guess is what we want. But if it becomes an array, do we ignore empty lines (if valid ones exist) or still fail due to invalid k8s manifest? Would guess we choose the latter, but I guess @phbelitz is more into that
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think I would disagree on the first point. In case someone sets a PSP in v1.25 and above, Connaisseur should not silently drop it, but actually fail. As for the thoughts on issuing a warning, I would keep that to Kubernetes itself and not inherit Kubernetes deprecation.
On the second point, I agree that it should be a list and handled as such in case a list is possible (which I think is correct). I would think that an empty list needs to be handled such that no policy is written in that case or an error is thrown. In case the list contains empty elements, I would suggest to fail if it fails.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I will introduce the array part, thanks.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@youssefazrak a very nice PR. I added some comments that would need to be resolved before merging, but see no major obstacles.
If I understand your earlier comment correctly, you would like to provide a PSP tailored to Connaisseur specifically, right? If that is the case, I would consider it a nice idea. We would just need to make sure that the policy is handled such that Connaisseur won't break by default for Kubernetes v1.25 and above. However, it could probably simply be the default value for the PSP.name
which would make it easily applicable.
Many thanks for contributing 🙏
helm/templates/role.yaml
Outdated
{{- if .Values.psp.enabled }} | ||
- apiGroups: ['policy'] | ||
resources: ['podsecuritypolicies'] | ||
verbs: ['use'] | ||
resourceNames: | ||
- {{ .Values.psp.name }} | ||
{{- end}} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
{{- if .Values.psp.enabled }} | |
- apiGroups: ['policy'] | |
resources: ['podsecuritypolicies'] | |
verbs: ['use'] | |
resourceNames: | |
- {{ .Values.psp.name }} | |
{{- end}} | |
{{- if .Values.psp }} | |
{{- if .Values.psp.enabled }} | |
- apiGroups: ['policy'] | |
resources: ['podsecuritypolicies'] | |
verbs: ['use'] | |
resourceNames: | |
- {{ .Values.psp.name }} | |
{{- end}} | |
{{- end}} |
when implemented like this, not providing any psp
entry in helm/values.yaml
does not cause an error which is somewhat more fail safe.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed
helm/templates/webhook/role.yaml
Outdated
{{- if .Values.psp.enabled }} | ||
- apiGroups: ['policy'] | ||
resources: ['podsecuritypolicies'] | ||
verbs: ['use'] | ||
resourceNames: | ||
- {{ .Values.psp.name }} | ||
{{- end}} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
{{- if .Values.psp.enabled }} | |
- apiGroups: ['policy'] | |
resources: ['podsecuritypolicies'] | |
verbs: ['use'] | |
resourceNames: | |
- {{ .Values.psp.name }} | |
{{- end}} | |
{{- if .Values.psp }} | |
{{- if .Values.psp.enabled }} | |
- apiGroups: ['policy'] | |
resources: ['podsecuritypolicies'] | |
verbs: ['use'] | |
resourceNames: | |
- {{ .Values.psp.name }} | |
{{- end}} | |
{{- end}} |
same as in comment above
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed
helm/values.yaml
Outdated
@@ -108,6 +108,11 @@ namespacedValidation: | |||
enabled: false | |||
mode: ignore # 'ignore' or 'validate' | |||
|
|||
# PodSecurityPolicy for Kubernetes cluster using this feature | |||
psp: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think the name should be explicit and self-explanatory as podSecurityPolicy
.
Furthermore, I would consider PodSecurityPolicy a part of the deployment
section at the beginning of helm/values.yaml
, as it only really affects the actual deployment of Connaisseur itself and does not hold any value for its features. I would propose to append to the end of deployment
as deployment.podSecurityPolicy
.
Note that the templates above will require adjustment.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed and changed the above templates.
helm/values.yaml
Outdated
# PodSecurityPolicy for Kubernetes cluster using this feature | ||
psp: | ||
enabled: false | ||
name: # name of the psp |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think I would disagree on the first point. In case someone sets a PSP in v1.25 and above, Connaisseur should not silently drop it, but actually fail. As for the thoughts on issuing a warning, I would keep that to Kubernetes itself and not inherit Kubernetes deprecation.
On the second point, I agree that it should be a list and handled as such in case a list is possible (which I think is correct). I would think that an empty list needs to be handled such that no policy is written in that case or an error is thrown. In case the list contains empty elements, I would suggest to fail if it fails.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@youssefazrak really like where this PR is going 👍
Awesome that you added a default policy 🙂
I made some comments how we can condense it even further and improve the usability.
A few side notes for the next steps after the discussions are resolved:
- rebase is need to run the checks on the PR
- we are using conventional commits so in the end the commit name should be something like
feat: add pod security policy
Cheers 🙂
helm/values.yaml
Outdated
name: # name of the psp | ||
customManifest: false # deploy your own podSecurityPolicy manifest |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
name: # name of the psp | |
customManifest: false # deploy your own podSecurityPolicy manifest | |
name: ["connaisseur-psp"] # list of PSPs to use, "connaisseur-psp" is the project-provided default |
if you make name
a list and define your implemented PSP as default, you shouldn't need the customManifest
flag
helm/values.yaml
Outdated
@@ -14,6 +14,11 @@ deployment: | |||
nodeSelector: {} | |||
tolerations: [] | |||
affinity: {} | |||
# podSecurityPolicy for Kubernetes cluster using this feature |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
# podSecurityPolicy for Kubernetes cluster using this feature |
Think you made explicit what it is, you probably won't need this comment. You could mention the deprecation version if you like though
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good idea.
apiVersion: policy/v1beta1 | ||
kind: PodSecurityPolicy | ||
metadata: | ||
name: {{ .Values.deployment.podSecurityPolicy.name }} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
name: {{ .Values.deployment.podSecurityPolicy.name }} | |
name: {{ .Chart.Name }}-psp |
Will give the project-provided PSP a standard name that can be referenced in the name
list in helm/values.yaml
@@ -0,0 +1,26 @@ | |||
{{- if and (.Values.deployment.podSecurityPolicy) (.Values.deployment.podSecurityPolicy.enabled) (.Values.deployment.podSecurityPolicy.customManifest) }} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I believe this fails in case there is no .Values.deployment.podSecurityPolicy
. If I remember correctly, Helm does not do lazy evaluation.
You might have to do something like:
{{- if .Values.deployment.podSecurityPolicy }}
{{- if .Values.deployment.podSecurityPolicy.enabled }}
{{- if has {{ .Chart.Name }}-psp .Values.deployment.podSecurityPolicy.name }}
...and finish with {{- end }}
three times below. In the last line it can be checked whether the project-provided default PSP is in the list of names (see comment below) which means the the customManifest
flag is not required anymore
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@xopham I'm still having issues with the {{ .Chart.Name }}-psp
part. Tried a bit of everything to get it working inside the curly brackets but still not able to get it done. For the moment I'm using a simple "connaisseur-psp" string.
helm/templates/webhook/role.yaml
Outdated
resources: ['podsecuritypolicies'] | ||
verbs: ['use'] | ||
resourceNames: | ||
- {{ .Values.deployment.podSecurityPolicy.name }} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this will probably have to be rendered as a list, right?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@xopham indeed, I pushed the change for the list.
c5857c5
to
756a351
Compare
@xopham thanks again for the review! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Lgtm! Played around with it a bit, but did not do a full test. You probably know more about PSPs and tested that it works in your setup.
Made few minor last comments. After that, I think we can merge.
Will you rebase and sign it or should I?
Looking really neat. Thanks 🙏
requiredDropCapabilities: | ||
- ALL | ||
runAsUser: | ||
rule: 'RunAsAny' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
rule: 'RunAsAny' | |
rule: 'MustRunAsNonRoot' |
I think we can be more restrictive here. Haven't tested it yet though
runAsUser: | ||
rule: 'RunAsAny' | ||
fsGroup: | ||
rule: 'RunAsAny' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
rule: 'RunAsAny' | |
rule: 'MustRunAs' | |
ranges: | |
- min: 1 | |
max: 65535 |
w/o having tested yet, I presume we can be more restrictive
seLinux: | ||
rule: 'RunAsAny' | ||
supplementalGroups: | ||
rule: 'RunAsAny' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
rule: 'RunAsAny' | |
rule: 'MustRunAs' | |
ranges: | |
- min: 1 | |
max: 65535 |
again w/o having tested, I believe we can be more restrictive here
@xopham cheers! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@youssefazrak correct. We rebase against develop
.
Concerning the rules: if it doesn't work, feel free to drop it. Are you using Openshift or OKD? I think Openshift set its own user and group and therefore doesn't like specifying those. We had another PR recently that tackled this topic: https://github.com/sse-secure-systems/connaisseur/pull/288/files
98d1c94
to
c15f283
Compare
Installing Connaisseur on a Kubernetes cluster that has the PodSecurityPolicy feature enabled is not working. This PR fixes this issue by adding the option on Helm chart to take into acccount the PSP feature. Fixes: sse-secure-systems#258 Signed-off-by: Youssef Azrak <yazrak.tech@gmail.com>
c15f283
to
6f7cd85
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm!
Really nice work and collaboration. Thanks for contributing 🙏
@xopham pleasure mate :) |
Installing Connaisseur on a Kubernetes cluster that has the
PodSecurityPolicy feature enabled is not working.
This PR fixes this issue by adding the option on Helm chart to take into
acccount the PSP feature.
Fixes: #258
Signed-off-by: Youssef Azrak yazrak.tech@gmail.com