-
Notifications
You must be signed in to change notification settings - Fork 134
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Run as non-privilege and non-root user
This changeset set `securityContext` as non-privilege and non-root user for IDS controller, prometheus, and kibana pods. It fixes an enterprise component developmend issue on CIS profile hardened RKE2 cluster. When the container is running as root or non-numeric user (nobody or kibana), it failed non-root validation.
- Loading branch information
Showing
12 changed files
with
86 additions
and
38 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
15 changes: 0 additions & 15 deletions
15
pkg/render/common/podsecuritycontext/pod_security_context.go
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,49 @@ | ||
// Copyright (c) 2021-2022 Tigera, Inc. All rights reserved. | ||
|
||
// Licensed under the Apache License, Version 2.0 (the "License"); | ||
// you may not use this file except in compliance with the License. | ||
// You may obtain a copy of the License at | ||
// | ||
// http://www.apache.org/licenses/LICENSE-2.0 | ||
// | ||
// Unless required by applicable law or agreed to in writing, software | ||
// distributed under the License is distributed on an "AS IS" BASIS, | ||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
// See the License for the specific language governing permissions and | ||
// limitations under the License. | ||
|
||
package securitycontext | ||
|
||
import ( | ||
corev1 "k8s.io/api/core/v1" | ||
|
||
"github.com/tigera/operator/pkg/ptr" | ||
) | ||
|
||
var ( | ||
// It is recommended to choose UID and GID that don't collide with existing system users and groups. | ||
// Non-system UID and GID range is normally from 1000 to 60000 (Debian derived systems define this | ||
// in /etc/login.defs). On a normal Linux host, it is unlikely to have more than 10k non-system users. | ||
// 10001 is chosen based on this assumption. | ||
RunAsUserID int64 = 10001 | ||
RunAsGroupID int64 = 10001 | ||
) | ||
|
||
// NewBaseContext returns the non root non privileged security context that most of the containers running should | ||
// be using. | ||
func NewBaseContext() *corev1.SecurityContext { | ||
return &corev1.SecurityContext{ | ||
AllowPrivilegeEscalation: ptr.BoolToPtr(false), | ||
Privileged: ptr.BoolToPtr(false), | ||
RunAsNonRoot: ptr.BoolToPtr(true), | ||
} | ||
} | ||
|
||
// NewNonPriviledgedUserContext returns the base context with a default user and group. | ||
func NewNonPrivilegedUserContext() *corev1.SecurityContext { | ||
sc := NewBaseContext() | ||
sc.RunAsUser = &RunAsUserID | ||
sc.RunAsGroup = &RunAsGroupID | ||
|
||
return sc | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters