
Applying additional K8s Security Settings via Helm #162

Closed
Clint-Chester opened this issue Jan 15, 2024 · 6 comments
Labels
enhancement New feature or request

Comments

@Clint-Chester

Hey there 😄 been loving using this sops-secrets-operator. Our Cyber team are getting alerts via their security scanners and we are wondering whether the following security settings below are supported via the operator and whether they can be added to the helm chart.

Deployment Settings

  • securityContext.runAsNonRoot
  • securityContext.allowPrivilegeEscalation
  • securityContext.seccompProfile
  • securityContext.readOnlyRootFilesystem
  • securityContext.capabilities.drop

Any advice would be appreciated 😄 thanks!

@isindir isindir added the enhancement New feature or request label Jan 15, 2024
@isindir
Owner

isindir commented Jan 15, 2024

I need to test it with these settings, some may need changes not only in helm chart but in image as well.

@isindir
Owner

isindir commented Jan 20, 2024

@Clint-Chester, I think I need to understand the exact requirements, as some securityContext settings can be applied already - see the values.yaml file of the chart.

There are 2 options to set up securityContext - on the pod and on the container level. When the container level is applied, it overrides the pod level configuration. Some of the mentioned settings are applicable to both pod and container levels, but others are only applicable on the container level.

From the provided list of settings, runAsNonRoot and seccompProfile are applicable on the pod level as well as on the container level - which level are you looking to apply these on? Please also specify the default value you would like to see in seccompProfile when securityContext is enabled.

As for the container-level-only settings capabilities.drop and allowPrivilegeEscalation, please also specify the desired default values, so I can test the helm chart before releasing a new version.

Thanks

@travisghansen

@isindir I am guessing the desire is to follow the most stringent settings here if possible: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted

I would like this as well eventually.
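The two comments above describe the pod-level vs container-level override rule and point at the Pod Security Standards "restricted" profile. The following checker, added here as an illustration and not code from the sops-secrets-operator project or its chart, computes the effective securityContext of each container (container-level keys override pod-level ones for runAsNonRoot and seccompProfile) and then reports which "restricted" requirements are unmet. The two pod specs are constructed samples; the image names and container names are placeholders. Note that readOnlyRootFilesystem from the original list is a good hardening setting but is not itself a requirement of the "restricted" profile, so it is not checked here.

```python
"""Compute effective per-container securityContext and check it against
the Pod Security Standards 'restricted' profile (rendered manifest view)."""

# Keys that may be set on the pod and overridden per container.
POD_AND_CONTAINER_KEYS = ("runAsNonRoot", "seccompProfile")

# Only capability the restricted profile permits to be added back.
ALLOWED_CAP_ADD = {"NET_BIND_SERVICE"}


def effective_security_context(pod_spec: dict, container: dict) -> dict:
    """Merge pod-level and container-level securityContext; container wins."""
    pod_sc = pod_spec.get("securityContext") or {}
    ctr_sc = container.get("securityContext") or {}
    merged = {k: pod_sc[k] for k in POD_AND_CONTAINER_KEYS if k in pod_sc}
    merged.update(ctr_sc)  # container-level settings override pod-level ones
    return merged


def restricted_violations(pod_spec: dict) -> list[str]:
    """Return one message per unmet 'restricted' requirement, per container."""
    problems: list[str] = []
    containers = list(pod_spec.get("containers", [])) + list(pod_spec.get("initContainers", []))
    for c in containers:
        name = c.get("name", "<unnamed>")
        sc = effective_security_context(pod_spec, c)
        if sc.get("privileged"):
            problems.append(f"{name}: privileged must not be true")
        if sc.get("runAsNonRoot") is not True:
            problems.append(f"{name}: runAsNonRoot must be true (pod or container level)")
        # Must be explicitly false; absent counts as a violation.
        if sc.get("allowPrivilegeEscalation") is not False:
            problems.append(f"{name}: allowPrivilegeEscalation must be explicitly false")
        caps = sc.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []):
            problems.append(f"{name}: capabilities.drop must include ALL")
        extra = set(caps.get("add") or []) - ALLOWED_CAP_ADD
        if extra:
            problems.append(f"{name}: capabilities.add not allowed: {sorted(extra)}")
        profile = (sc.get("seccompProfile") or {}).get("type")
        if profile not in ("RuntimeDefault", "Localhost"):
            problems.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
    return problems


# Constructed sample: pod level is fine, but the container overrides the
# seccomp profile and omits the container-only settings.
WEAK_POD = {
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [
        {
            "name": "operator",
            "image": "example.invalid/operator:0.0.0",  # placeholder image
            "securityContext": {"seccompProfile": {"type": "Unconfined"}},
        }
    ],
}

# Constructed sample that satisfies the restricted profile.
HARDENED_POD = {
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [
        {
            "name": "operator",
            "image": "example.invalid/operator:0.0.0",  # placeholder image
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,  # extra hardening, not a PSS rule
                "capabilities": {"drop": ["ALL"]},
            },
        }
    ],
}

if __name__ == "__main__":
    for label, spec in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(f"{label}: {restricted_violations(spec) or 'OK'}")
```

Running it prints three findings for the weak spec (the container-level Unconfined profile is what takes effect, even though the pod sets RuntimeDefault) and "OK" for the hardened one. Pointing the same functions at `helm template` output is a quick way to confirm what a chart's values actually render to before a scanner does.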

@isindir
Owner

isindir commented Jan 29, 2024

@travisghansen good point, I have added restricted settings by default in #163. One I left disabled:
https://github.com/isindir/sops-secrets-operator/pull/163/files#diff-03875461b8f9007e6e9f97a513c13eb16e1a77b82664ecb6218f1a439deefccaR168

I have tested chart only with age on a k3s cluster.

cc: @Clint-Chester

@isindir
Owner

isindir commented Jan 29, 2024

Changes released as part of #163, closing issue. If you have any issues with the release, please open a new issue.

@isindir isindir closed this as completed Jan 29, 2024
@Clint-Chester
Author

Apologies @isindir just got back from holiday. Thank you so much for making the updates, really appreciate it!
