Customize pod security context via helm chart
corax15 opened this issue · 4 comments
Describe the current behavior
Currently there is no way to customize the operator's pod security context. We have ASO running in an AKS cluster with Azure Defender for Cloud enabled for that cluster. Defender gives recommendations about pods not running as a root user (by having the runAsUser property set to a non-zero value or by having the runAsNonRoot property set to true). We would like to enforce that recommendation but are currently unable to because we are unable to set either property on the ASO's pod.
Describe the improvement
We would love to have the possibility to customize the ASO's pod's security context via the helm chart, or alternatively to set specific flags via the helm chart (depending on what suits the projects philosophy best).
We probably should just set that option by default, since there's no real reason ASO should ever need to run as root in its container.
I also believe there's an open PR #4207 that may solve this - we haven't accepted it yet and need to discuss what our philosophy is on letting users configure security things versus us just setting the most locked-down values.
We are looking to adopt this in our enterprise and are seeing the following:
admission webhook "validation.gatekeeper.sh" denied the request:
[azurepolicy-k8sazurev3allowedusersgroups]
Container manager is attempting to run without a required
securityContext/runAsNonRoot or securityContext/runAsUser != 0
Aside from this, we have other policies in place, some of which would also error out with the current template. Here is all that is enforced:
- automountServiceAccountToken must be false.
- hostIPC: false
- hostNetwork: false
- hostPID: false
- runAsNonRoot: true
- runAsUser and runAsGroup must not be zero
- seccompProfile must be set (e.g., RuntimeDefault)
- containers > allowPrivilegeEscalation must be false
- containers > drop all capabilities by default
- containers > privileged false
- containers > readOnlyRootFilesystem true
- resource requests/limits must be set
Here's a sample spec that would pass our policies:
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: some-name
name: some-name
spec:
replicas: 1
selector:
matchLabels:
app: some-name
strategy: {}
template:
metadata:
labels:
app: some-name
annotations:
container.apparmor.security.beta.kubernetes.io/some-name: runtime/default
spec:
automountServiceAccountToken: false
hostIPC: false
hostNetwork: false
hostPID: false
securityContext:
runAsUser: 1021
runAsGroup: 1021
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
containers:
- name: some-name
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
image: # hidden
ports:
- name: http
containerPort: 8081
protocol: TCP
resources:
limits:
cpu: 500m
memory: 512Mi
requests:
cpu: 200m
memory: 256Mi
This can now be configured (due to #4207), and I've updated the pod spec to follow most of the best practices you called out above (#4242) as well.
There are 3 exceptions:
automountServiceAccountToken
cannot be false for ASO. It needs access to the token both for workload identity authentication (the recommended way), as well as to communicate with kube-apiserver.hostIPC
,hostNetwork
, andhostPID
are all defaultfalse
, so AFAIK there is no need to explicitly set them to false in the Deployment.seccompProfile: RuntimeDefault
- I think we can set this. I tested a basic scenario with it set and things seemed fine, but I don't fully understand what syscalls it's allowing versus blocking so I didn't enable it by default yet, need to do more investigation to know if there are any that we're at risk of making.
That sounds good. Looking forward to a new helm chart version to test out. Thanks!