From fe1204c2b9d77ad9a4a75db182cd5d1c4765e165 Mon Sep 17 00:00:00 2001 From: "Ethan Brown (Domino)" <111539728+ddl-ebrown@users.noreply.github.com> Date: Tue, 13 Feb 2024 07:42:21 -0800 Subject: [PATCH] Flyte-core define pod and container securityContext (#4809) - Define secure defaults for all pod / container specs: * runAsNonRoot: true * capabilities: drop: ['ALL'] * allowPrivilegeEscalation: false * seLinuxOptions: type: spc_t This is required in many locations where policy enforcement agents may be installed (like OPA Gatekeeper) which may otherwise prevent deployments from launching. The hard work of making sure the containers run as non-0 uids seems to have already been done given all containers are already specifying a runAsUser value of 1000 or 1001, so this should hopefully just be a little more hardening around restricting kernel permissions / enforcement within the container runtime. These are generally considered standard / secure default settings and are not currently made configurable given these services are all owned by Flyte Signed-off-by: ddl-ebrown --- .../templates/admin/deployment.yaml | 23 +++++++ .../templates/console/deployment.yaml | 7 +++ .../templates/datacatalog/deployment.yaml | 11 ++++ .../templates/flytescheduler/deployment.yaml | 11 ++++ .../templates/propeller/webhook.yaml | 11 ++++ .../flyte_aws_scheduler_helm_generated.yaml | 52 +++++++++++++++ .../flyte_helm_controlplane_generated.yaml | 52 +++++++++++++++ .../eks/flyte_helm_dataplane_generated.yaml | 11 ++++ deployment/eks/flyte_helm_generated.yaml | 63 +++++++++++++++++++ .../flyte_helm_controlplane_generated.yaml | 52 +++++++++++++++ .../gcp/flyte_helm_dataplane_generated.yaml | 11 ++++ deployment/gcp/flyte_helm_generated.yaml | 63 +++++++++++++++++++ deployment/sandbox/flyte_helm_generated.yaml | 63 +++++++++++++++++++ 13 files changed, 430 insertions(+) 
diff --git a/charts/flyte-core/templates/admin/deployment.yaml b/charts/flyte-core/templates/admin/deployment.yaml index 5b41085674..60d4b6a969 100755 --- a/charts/flyte-core/templates/admin/deployment.yaml +++ b/charts/flyte-core/templates/admin/deployment.yaml @@ -19,9 +19,12 @@ spec: labels: {{ include "flyteadmin.podLabels" . | nindent 8 }} spec: securityContext: + runAsNonRoot: true fsGroup: 65534 runAsUser: 1001 fsGroupChangePolicy: "Always" + seLinuxOptions: + type: spc_t {{- if .Values.flyteadmin.priorityClassName }} priorityClassName: {{ .Values.flyteadmin.priorityClassName }} {{- end }} @@ -35,6 +38,10 @@ spec: image: "{{ .Values.flyteadmin.image.repository }}:{{ .Values.flyteadmin.image.tag }}" imagePullPolicy: "{{ .Values.flyteadmin.image.pullPolicy }}" name: run-migrations + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: {{- include "databaseSecret.volumeMount" . | nindent 10 }} - mountPath: /etc/flyte/config name: base-config-volume @@ -57,6 +64,10 @@ spec: image: "{{ .Values.flyteadmin.image.repository }}:{{ .Values.flyteadmin.image.tag }}" imagePullPolicy: "{{ .Values.flyteadmin.image.pullPolicy }}" name: seed-projects + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: {{- include "databaseSecret.volumeMount" . | nindent 10 }} - mountPath: /etc/flyte/config name: base-config-volume @@ -77,6 +88,10 @@ spec: image: "{{ .Values.flyteadmin.image.repository }}:{{ .Values.flyteadmin.image.tag }}" imagePullPolicy: "{{ .Values.flyteadmin.image.pullPolicy }}" name: sync-cluster-resources + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: {{- include "databaseSecret.volumeMount" . | nindent 10 }} - mountPath: /etc/flyte/clusterresource/templates name: resource-templates 
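Review bot: `seLinuxOptions:` / `type: spc_t` in the pod securityContext weakens rather than hardens the pod: `spc_t` is the "super privileged container" SELinux type, which leaves the container effectively unconfined by SELinux on enforcing nodes, and it is not among the types the Pod Security Standards baseline profile permits (`container_t`, `container_init_t`, `container_kvm_t`), so Pod Security Admission at baseline or restricted will reject these pods. The same two lines are added to console/deployment.yaml, datacatalog/deployment.yaml, flytescheduler/deployment.yaml and propeller/webhook.yaml, and are carried into every generated deployment manifest in this commit. Unless a specific policy agent has been shown to require this label, drop the two `seLinuxOptions` lines so the runtime's default container label applies, or expose the type through values so operators opt in deliberately; if it stays, a comment above it should state which enforcement setup needs it. The remaining additions in this hunk (`runAsNonRoot: true`, `allowPrivilegeEscalation: false`, `capabilities.drop: ["ALL"]`) are consistent with the restricted profile and read fine.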
@@ -104,6 +119,10 @@ spec: [ "flyteadmin --config={{ .Values.flyteadmin.configPath }} secrets init --localPath /etc/scratch/secrets && flyteadmin --config=/etc/flyte/config/*.yaml secrets create --name flyte-admin-secrets --fromPath /etc/scratch/secrets", ] + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - mountPath: /etc/flyte/config name: base-config-volume @@ -149,6 +168,10 @@ spec: initialDelaySeconds: 20 periodSeconds: 5 resources: {{- toYaml .Values.flyteadmin.resources | nindent 10 }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: {{- include "databaseSecret.volumeMount" . | nindent 8 }} - mountPath: /srv/flyte name: shared-data diff --git a/charts/flyte-core/templates/console/deployment.yaml b/charts/flyte-core/templates/console/deployment.yaml index 3d0f26d44b..d9675a0072 100644 --- a/charts/flyte-core/templates/console/deployment.yaml +++ b/charts/flyte-core/templates/console/deployment.yaml @@ -23,8 +23,11 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} securityContext: + runAsNonRoot: true runAsUser: 1000 fsGroupChangePolicy: "OnRootMismatch" + seLinuxOptions: + type: spc_t {{- if .Values.flyteconsole.priorityClassName }} priorityClassName: {{ .Values.flyteconsole.priorityClassName }} {{- end }} @@ -51,6 +54,10 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} {{- end }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] resources: {{ toYaml .Values.flyteconsole.resources | nindent 10 }} volumeMounts: - mountPath: /srv/flyte diff --git a/charts/flyte-core/templates/datacatalog/deployment.yaml b/charts/flyte-core/templates/datacatalog/deployment.yaml index 9ba6a8d89a..904762eb79 100644 --- a/charts/flyte-core/templates/datacatalog/deployment.yaml +++ b/charts/flyte-core/templates/datacatalog/deployment.yaml 
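Review bot: The console pod securityContext hunk (`@@ -23,8 +23,11 @@`) adds `runAsNonRoot: true` but still sets no `seccompProfile`, which is the one field the Pod Security Standards restricted profile requires that the container-level `allowPrivilegeEscalation: false` and `capabilities.drop: ["ALL"]` added here do not cover; the pod securityContext hunks in admin, datacatalog, flytescheduler and webhook have the same gap. Adding `seccompProfile:` / `type: RuntimeDefault` next to `runAsNonRoot: true` in each pod spec would complete the set and matches the commit message's goal of passing policy enforcement without per-cluster exceptions. Whether the Flyte binaries run cleanly under the runtime default seccomp profile is not shown here and should be confirmed against a rendered deployment before merging.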
@@ -19,9 +19,12 @@ spec: labels: {{ include "datacatalog.podLabels" . | nindent 8 }} spec: securityContext: + runAsNonRoot: true fsGroup: 1001 runAsUser: 1001 fsGroupChangePolicy: "OnRootMismatch" + seLinuxOptions: + type: spc_t {{- if .Values.datacatalog.priorityClassName }} priorityClassName: {{ .Values.datacatalog.priorityClassName }} {{- end }} @@ -44,6 +47,10 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} {{- end }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] containers: - command: - datacatalog @@ -66,6 +73,10 @@ spec: - containerPort: 8088 - containerPort: 8089 - containerPort: {{ index .Values.configmap.datacatalogServer.datacatalog "profiler-port" }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] resources: {{- toYaml .Values.datacatalog.resources | nindent 10 }} volumeMounts: {{- include "databaseSecret.volumeMount" . | nindent 8 }} - mountPath: /etc/datacatalog/config diff --git a/charts/flyte-core/templates/flytescheduler/deployment.yaml b/charts/flyte-core/templates/flytescheduler/deployment.yaml index 37b2394b1d..3892cfbb83 100755 --- a/charts/flyte-core/templates/flytescheduler/deployment.yaml +++ b/charts/flyte-core/templates/flytescheduler/deployment.yaml @@ -20,9 +20,12 @@ spec: labels: {{ include "flytescheduler.podLabels" . | nindent 8 }} spec: securityContext: + runAsNonRoot: true fsGroup: 65534 runAsUser: 1001 fsGroupChangePolicy: "Always" + seLinuxOptions: + type: spc_t {{- if .Values.flytescheduler.priorityClassName }} priorityClassName: {{ .Values.flytescheduler.priorityClassName }} {{- end }} 
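Review bot: The four-line container block (`securityContext:` / `allowPrivilegeEscalation: false` / `capabilities:` / `drop: ["ALL"]`) is pasted verbatim into every init container and container of datacatalog and flytescheduler here, and likewise in admin, console and webhook, with the three pod-level lines repeated the same way. Factoring both into named templates, included the way `{{ include "datacatalog.podLabels" . | nindent 8 }}` already is in this hunk, would keep the five templates from drifting and give one place to add fields such as a seccomp profile later. The commit message states the settings are intentionally not configurable; if that stands, a comment at the shared definition recording that decision would stop the next contributor from adding a per-service override in only one template.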
@@ -42,6 +45,10 @@ spec: image: "{{ .Values.flytescheduler.image.repository }}:{{ .Values.flytescheduler.image.tag }}" imagePullPolicy: "{{ .Values.flytescheduler.image.pullPolicy }}" name: flytescheduler-check + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: {{- include "databaseSecret.volumeMount" . | nindent 8 }} - mountPath: /etc/flyte/config name: config-volume @@ -65,6 +72,10 @@ spec: name: flytescheduler ports: - containerPort: {{ .Values.configmap.schedulerConfig.scheduler.profilerPort }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] resources: {{- toYaml .Values.flytescheduler.resources | nindent 10 }} volumeMounts: {{- include "databaseSecret.volumeMount" . | nindent 8 }} - mountPath: /etc/flyte/config diff --git a/charts/flyte-core/templates/propeller/webhook.yaml b/charts/flyte-core/templates/propeller/webhook.yaml index 0b1c725af8..9a1f279350 100644 --- a/charts/flyte-core/templates/propeller/webhook.yaml +++ b/charts/flyte-core/templates/propeller/webhook.yaml @@ -37,8 +37,11 @@ spec: spec: securityContext: fsGroup: 65534 + runAsNonRoot: true runAsUser: 1001 fsGroupChangePolicy: "Always" + seLinuxOptions: + type: spc_t serviceAccountName: {{ template "flyte-pod-webhook.name" . }} {{- if .Values.webhook.enabled }} initContainers: @@ -66,6 +69,10 @@ spec: {{- toYaml . | nindent 10 }} {{- end }} {{- end }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - name: config-volume mountPath: /etc/flyte/config @@ -96,6 +103,10 @@ spec: {{- end }} ports: - containerPort: 9443 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - name: config-volume mountPath: /etc/flyte/config diff --git a/deployment/eks/flyte_aws_scheduler_helm_generated.yaml b/deployment/eks/flyte_aws_scheduler_helm_generated.yaml index a0aebff495..b6adaab5d6 100644 
--- a/deployment/eks/flyte_aws_scheduler_helm_generated.yaml +++ b/deployment/eks/flyte_aws_scheduler_helm_generated.yaml @@ -857,9 +857,12 @@ spec: app.kubernetes.io/managed-by: Helm spec: securityContext: + runAsNonRoot: true fsGroup: 65534 runAsUser: 1001 fsGroupChangePolicy: "Always" + seLinuxOptions: + type: spc_t initContainers: - command: - flyteadmin @@ -870,6 +873,10 @@ spec: image: "cr.flyte.org/flyteorg/flyteadmin:v1.10.7-b4" imagePullPolicy: "IfNotPresent" name: run-migrations + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - mountPath: /etc/db name: db-pass @@ -887,6 +894,10 @@ spec: image: "cr.flyte.org/flyteorg/flyteadmin:v1.10.7-b4" imagePullPolicy: "IfNotPresent" name: seed-projects + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - mountPath: /etc/db name: db-pass @@ -901,6 +912,10 @@ spec: image: "cr.flyte.org/flyteorg/flyteadmin:v1.10.7-b4" imagePullPolicy: "IfNotPresent" name: sync-cluster-resources + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - mountPath: /etc/db name: db-pass @@ -918,6 +933,10 @@ spec: [ "flyteadmin --config=/etc/flyte/config/*.yaml secrets init --localPath /etc/scratch/secrets && flyteadmin --config=/etc/flyte/config/*.yaml secrets create --name flyte-admin-secrets --fromPath /etc/scratch/secrets", ] + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - mountPath: /etc/flyte/config name: base-config-volume @@ -959,6 +978,10 @@ spec: cpu: 50m ephemeral-storage: 200Mi memory: 200Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - mountPath: /etc/db name: db-pass 
@@ -1085,8 +1108,11 @@ spec: app.kubernetes.io/managed-by: Helm spec: securityContext: + runAsNonRoot: true runAsUser: 1000 fsGroupChangePolicy: "OnRootMismatch" + seLinuxOptions: + type: spc_t containers: - image: "cr.flyte.org/flyteorg/flyteconsole:v1.10.2" imagePullPolicy: "IfNotPresent" @@ -1096,6 +1122,10 @@ spec: name: flyte-console-config ports: - containerPort: 8080 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] resources: limits: cpu: 250m @@ -1145,9 +1175,12 @@ spec: app.kubernetes.io/managed-by: Helm spec: securityContext: + runAsNonRoot: true fsGroup: 1001 runAsUser: 1001 fsGroupChangePolicy: "OnRootMismatch" + seLinuxOptions: + type: spc_t initContainers: - command: - datacatalog @@ -1163,6 +1196,10 @@ spec: name: db-pass - mountPath: /etc/datacatalog/config name: config-volume + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] containers: - command: - datacatalog @@ -1176,6 +1213,10 @@ spec: - containerPort: 8088 - containerPort: 8089 - containerPort: 10254 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] resources: limits: cpu: 1 @@ -1314,8 +1355,11 @@ spec: spec: securityContext: fsGroup: 65534 + runAsNonRoot: true runAsUser: 1001 fsGroupChangePolicy: "Always" + seLinuxOptions: + type: spc_t serviceAccountName: flyte-pod-webhook initContainers: - name: generate-secrets @@ -1337,6 +1381,10 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - name: config-volume mountPath: /etc/flyte/config @@ -1361,6 +1409,10 @@ spec: fieldPath: metadata.namespace ports: - containerPort: 9443 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - name: config-volume mountPath: /etc/flyte/config 
diff --git a/deployment/eks/flyte_helm_controlplane_generated.yaml b/deployment/eks/flyte_helm_controlplane_generated.yaml index be8b442371..8b17155aa1 100644 --- a/deployment/eks/flyte_helm_controlplane_generated.yaml +++ b/deployment/eks/flyte_helm_controlplane_generated.yaml @@ -563,9 +563,12 @@ spec: app.kubernetes.io/managed-by: Helm spec: securityContext: + runAsNonRoot: true fsGroup: 65534 runAsUser: 1001 fsGroupChangePolicy: "Always" + seLinuxOptions: + type: spc_t initContainers: - command: - flyteadmin @@ -576,6 +579,10 @@ spec: image: "cr.flyte.org/flyteorg/flyteadmin:v1.10.7-b4" imagePullPolicy: "IfNotPresent" name: run-migrations + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - mountPath: /etc/db name: db-pass @@ -593,6 +600,10 @@ spec: image: "cr.flyte.org/flyteorg/flyteadmin:v1.10.7-b4" imagePullPolicy: "IfNotPresent" name: seed-projects + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - mountPath: /etc/db name: db-pass @@ -607,6 +618,10 @@ spec: image: "cr.flyte.org/flyteorg/flyteadmin:v1.10.7-b4" imagePullPolicy: "IfNotPresent" name: sync-cluster-resources + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - mountPath: /etc/db name: db-pass @@ -624,6 +639,10 @@ spec: [ "flyteadmin --config=/etc/flyte/config/*.yaml secrets init --localPath /etc/scratch/secrets && flyteadmin --config=/etc/flyte/config/*.yaml secrets create --name flyte-admin-secrets --fromPath /etc/scratch/secrets", ] + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - mountPath: /etc/flyte/config name: base-config-volume @@ -665,6 +684,10 @@ spec: cpu: 50m ephemeral-storage: 200Mi memory: 200Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - mountPath: /etc/db name: db-pass 
@@ -791,8 +814,11 @@ spec: app.kubernetes.io/managed-by: Helm spec: securityContext: + runAsNonRoot: true runAsUser: 1000 fsGroupChangePolicy: "OnRootMismatch" + seLinuxOptions: + type: spc_t containers: - image: "cr.flyte.org/flyteorg/flyteconsole:v1.10.2" imagePullPolicy: "IfNotPresent" @@ -802,6 +828,10 @@ spec: name: flyte-console-config ports: - containerPort: 8080 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] resources: limits: cpu: 250m @@ -851,9 +881,12 @@ spec: app.kubernetes.io/managed-by: Helm spec: securityContext: + runAsNonRoot: true fsGroup: 1001 runAsUser: 1001 fsGroupChangePolicy: "OnRootMismatch" + seLinuxOptions: + type: spc_t initContainers: - command: - datacatalog @@ -869,6 +902,10 @@ spec: name: db-pass - mountPath: /etc/datacatalog/config name: config-volume + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] containers: - command: - datacatalog @@ -882,6 +919,10 @@ spec: - containerPort: 8088 - containerPort: 8089 - containerPort: 10254 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] resources: limits: cpu: 1 @@ -942,9 +983,12 @@ spec: app.kubernetes.io/managed-by: Helm spec: securityContext: + runAsNonRoot: true fsGroup: 65534 runAsUser: 1001 fsGroupChangePolicy: "Always" + seLinuxOptions: + type: spc_t initContainers: - command: - flytescheduler @@ -954,6 +998,10 @@ spec: image: "cr.flyte.org/flyteorg/flytescheduler:v1.10.7-b4" imagePullPolicy: "IfNotPresent" name: flytescheduler-check + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - mountPath: /etc/db name: db-pass @@ -972,6 +1020,10 @@ spec: name: flytescheduler ports: - containerPort: 10254 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] resources: limits: cpu: 250m 
diff --git a/deployment/eks/flyte_helm_dataplane_generated.yaml b/deployment/eks/flyte_helm_dataplane_generated.yaml index 5fa5c09498..52b14a1b6e 100644 --- a/deployment/eks/flyte_helm_dataplane_generated.yaml +++ b/deployment/eks/flyte_helm_dataplane_generated.yaml @@ -513,8 +513,11 @@ spec: spec: securityContext: fsGroup: 65534 + runAsNonRoot: true runAsUser: 1001 fsGroupChangePolicy: "Always" + seLinuxOptions: + type: spc_t serviceAccountName: flyte-pod-webhook initContainers: - name: generate-secrets @@ -536,6 +539,10 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - name: config-volume mountPath: /etc/flyte/config @@ -560,6 +567,10 @@ spec: fieldPath: metadata.namespace ports: - containerPort: 9443 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - name: config-volume mountPath: /etc/flyte/config diff --git a/deployment/eks/flyte_helm_generated.yaml b/deployment/eks/flyte_helm_generated.yaml index 1b84af16a5..fa8a6387b3 100644 --- a/deployment/eks/flyte_helm_generated.yaml +++ b/deployment/eks/flyte_helm_generated.yaml @@ -888,9 +888,12 @@ spec: app.kubernetes.io/managed-by: Helm spec: securityContext: + runAsNonRoot: true fsGroup: 65534 runAsUser: 1001 fsGroupChangePolicy: "Always" + seLinuxOptions: + type: spc_t initContainers: - command: - flyteadmin @@ -901,6 +904,10 @@ spec: image: "cr.flyte.org/flyteorg/flyteadmin:v1.10.7-b4" imagePullPolicy: "IfNotPresent" name: run-migrations + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - mountPath: /etc/db name: db-pass @@ -918,6 +925,10 @@ spec: image: "cr.flyte.org/flyteorg/flyteadmin:v1.10.7-b4" imagePullPolicy: "IfNotPresent" name: seed-projects + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - mountPath: /etc/db name: db-pass 
@@ -932,6 +943,10 @@ spec: image: "cr.flyte.org/flyteorg/flyteadmin:v1.10.7-b4" imagePullPolicy: "IfNotPresent" name: sync-cluster-resources + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - mountPath: /etc/db name: db-pass @@ -949,6 +964,10 @@ spec: [ "flyteadmin --config=/etc/flyte/config/*.yaml secrets init --localPath /etc/scratch/secrets && flyteadmin --config=/etc/flyte/config/*.yaml secrets create --name flyte-admin-secrets --fromPath /etc/scratch/secrets", ] + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - mountPath: /etc/flyte/config name: base-config-volume @@ -990,6 +1009,10 @@ spec: cpu: 50m ephemeral-storage: 200Mi memory: 200Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - mountPath: /etc/db name: db-pass @@ -1116,8 +1139,11 @@ spec: app.kubernetes.io/managed-by: Helm spec: securityContext: + runAsNonRoot: true runAsUser: 1000 fsGroupChangePolicy: "OnRootMismatch" + seLinuxOptions: + type: spc_t containers: - image: "cr.flyte.org/flyteorg/flyteconsole:v1.10.2" imagePullPolicy: "IfNotPresent" @@ -1127,6 +1153,10 @@ spec: name: flyte-console-config ports: - containerPort: 8080 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] resources: limits: cpu: 250m @@ -1176,9 +1206,12 @@ spec: app.kubernetes.io/managed-by: Helm spec: securityContext: + runAsNonRoot: true fsGroup: 1001 runAsUser: 1001 fsGroupChangePolicy: "OnRootMismatch" + seLinuxOptions: + type: spc_t initContainers: - command: - datacatalog @@ -1194,6 +1227,10 @@ spec: name: db-pass - mountPath: /etc/datacatalog/config name: config-volume + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] containers: - command: - datacatalog 
@@ -1207,6 +1244,10 @@ spec: - containerPort: 8088 - containerPort: 8089 - containerPort: 10254 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] resources: limits: cpu: 1 @@ -1267,9 +1308,12 @@ spec: app.kubernetes.io/managed-by: Helm spec: securityContext: + runAsNonRoot: true fsGroup: 65534 runAsUser: 1001 fsGroupChangePolicy: "Always" + seLinuxOptions: + type: spc_t initContainers: - command: - flytescheduler @@ -1279,6 +1323,10 @@ spec: image: "cr.flyte.org/flyteorg/flytescheduler:v1.10.7-b4" imagePullPolicy: "IfNotPresent" name: flytescheduler-check + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - mountPath: /etc/db name: db-pass @@ -1297,6 +1345,10 @@ spec: name: flytescheduler ports: - containerPort: 10254 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] resources: limits: cpu: 250m @@ -1433,8 +1485,11 @@ spec: spec: securityContext: fsGroup: 65534 + runAsNonRoot: true runAsUser: 1001 fsGroupChangePolicy: "Always" + seLinuxOptions: + type: spc_t serviceAccountName: flyte-pod-webhook initContainers: - name: generate-secrets @@ -1456,6 +1511,10 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - name: config-volume mountPath: /etc/flyte/config @@ -1480,6 +1539,10 @@ spec: fieldPath: metadata.namespace ports: - containerPort: 9443 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - name: config-volume mountPath: /etc/flyte/config diff --git a/deployment/gcp/flyte_helm_controlplane_generated.yaml b/deployment/gcp/flyte_helm_controlplane_generated.yaml index d9ea49361c..96f6427fb6 100644 --- a/deployment/gcp/flyte_helm_controlplane_generated.yaml +++ b/deployment/gcp/flyte_helm_controlplane_generated.yaml 
@@ -578,9 +578,12 @@ spec: app.kubernetes.io/managed-by: Helm spec: securityContext: + runAsNonRoot: true fsGroup: 65534 runAsUser: 1001 fsGroupChangePolicy: "Always" + seLinuxOptions: + type: spc_t initContainers: - command: - flyteadmin @@ -591,6 +594,10 @@ spec: image: "cr.flyte.org/flyteorg/flyteadmin:v1.10.7-b4" imagePullPolicy: "IfNotPresent" name: run-migrations + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - mountPath: /etc/db name: db-pass @@ -608,6 +615,10 @@ spec: image: "cr.flyte.org/flyteorg/flyteadmin:v1.10.7-b4" imagePullPolicy: "IfNotPresent" name: seed-projects + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - mountPath: /etc/db name: db-pass @@ -622,6 +633,10 @@ spec: image: "cr.flyte.org/flyteorg/flyteadmin:v1.10.7-b4" imagePullPolicy: "IfNotPresent" name: sync-cluster-resources + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - mountPath: /etc/db name: db-pass @@ -639,6 +654,10 @@ spec: [ "flyteadmin --config=/etc/flyte/config/*.yaml secrets init --localPath /etc/scratch/secrets && flyteadmin --config=/etc/flyte/config/*.yaml secrets create --name flyte-admin-secrets --fromPath /etc/scratch/secrets", ] + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - mountPath: /etc/flyte/config name: base-config-volume @@ -680,6 +699,10 @@ spec: cpu: 500m ephemeral-storage: 2Gi memory: 1G + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - mountPath: /etc/db name: db-pass @@ -806,8 +829,11 @@ spec: app.kubernetes.io/managed-by: Helm spec: securityContext: + runAsNonRoot: true runAsUser: 1000 fsGroupChangePolicy: "OnRootMismatch" + seLinuxOptions: + type: spc_t containers: - image: "cr.flyte.org/flyteorg/flyteconsole:v1.10.2" imagePullPolicy: "IfNotPresent" 
@@ -817,6 +843,10 @@ spec: name: flyte-console-config ports: - containerPort: 8080 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] resources: limits: cpu: 250m @@ -866,9 +896,12 @@ spec: app.kubernetes.io/managed-by: Helm spec: securityContext: + runAsNonRoot: true fsGroup: 1001 runAsUser: 1001 fsGroupChangePolicy: "OnRootMismatch" + seLinuxOptions: + type: spc_t initContainers: - command: - datacatalog @@ -884,6 +917,10 @@ spec: name: db-pass - mountPath: /etc/datacatalog/config name: config-volume + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] containers: - command: - datacatalog @@ -897,6 +934,10 @@ spec: - containerPort: 8088 - containerPort: 8089 - containerPort: 10254 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] resources: limits: cpu: 500m @@ -957,9 +998,12 @@ spec: app.kubernetes.io/managed-by: Helm spec: securityContext: + runAsNonRoot: true fsGroup: 65534 runAsUser: 1001 fsGroupChangePolicy: "Always" + seLinuxOptions: + type: spc_t initContainers: - command: - flytescheduler @@ -969,6 +1013,10 @@ spec: image: "cr.flyte.org/flyteorg/flytescheduler:v1.10.7-b4" imagePullPolicy: "IfNotPresent" name: flytescheduler-check + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - mountPath: /etc/db name: db-pass @@ -987,6 +1035,10 @@ spec: name: flytescheduler ports: - containerPort: 10254 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] resources: limits: cpu: 250m diff --git a/deployment/gcp/flyte_helm_dataplane_generated.yaml b/deployment/gcp/flyte_helm_dataplane_generated.yaml index b7cd4932ae..0e7b6af3fe 100644 --- a/deployment/gcp/flyte_helm_dataplane_generated.yaml +++ b/deployment/gcp/flyte_helm_dataplane_generated.yaml 
@@ -520,8 +520,11 @@ spec: spec: securityContext: fsGroup: 65534 + runAsNonRoot: true runAsUser: 1001 fsGroupChangePolicy: "Always" + seLinuxOptions: + type: spc_t serviceAccountName: flyte-pod-webhook initContainers: - name: generate-secrets @@ -543,6 +546,10 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - name: config-volume mountPath: /etc/flyte/config @@ -567,6 +574,10 @@ spec: fieldPath: metadata.namespace ports: - containerPort: 9443 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - name: config-volume mountPath: /etc/flyte/config diff --git a/deployment/gcp/flyte_helm_generated.yaml b/deployment/gcp/flyte_helm_generated.yaml index f6ae64796f..0031523dd7 100644 --- a/deployment/gcp/flyte_helm_generated.yaml +++ b/deployment/gcp/flyte_helm_generated.yaml @@ -911,9 +911,12 @@ spec: app.kubernetes.io/managed-by: Helm spec: securityContext: + runAsNonRoot: true fsGroup: 65534 runAsUser: 1001 fsGroupChangePolicy: "Always" + seLinuxOptions: + type: spc_t initContainers: - command: - flyteadmin @@ -924,6 +927,10 @@ spec: image: "cr.flyte.org/flyteorg/flyteadmin:v1.10.7-b4" imagePullPolicy: "IfNotPresent" name: run-migrations + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - mountPath: /etc/db name: db-pass @@ -941,6 +948,10 @@ spec: image: "cr.flyte.org/flyteorg/flyteadmin:v1.10.7-b4" imagePullPolicy: "IfNotPresent" name: seed-projects + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - mountPath: /etc/db name: db-pass @@ -955,6 +966,10 @@ spec: image: "cr.flyte.org/flyteorg/flyteadmin:v1.10.7-b4" imagePullPolicy: "IfNotPresent" name: sync-cluster-resources + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - mountPath: /etc/db name: db-pass 
@@ -972,6 +987,10 @@ spec: [ "flyteadmin --config=/etc/flyte/config/*.yaml secrets init --localPath /etc/scratch/secrets && flyteadmin --config=/etc/flyte/config/*.yaml secrets create --name flyte-admin-secrets --fromPath /etc/scratch/secrets", ] + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - mountPath: /etc/flyte/config name: base-config-volume @@ -1013,6 +1032,10 @@ spec: cpu: 500m ephemeral-storage: 2Gi memory: 1G + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - mountPath: /etc/db name: db-pass @@ -1139,8 +1162,11 @@ spec: app.kubernetes.io/managed-by: Helm spec: securityContext: + runAsNonRoot: true runAsUser: 1000 fsGroupChangePolicy: "OnRootMismatch" + seLinuxOptions: + type: spc_t containers: - image: "cr.flyte.org/flyteorg/flyteconsole:v1.10.2" imagePullPolicy: "IfNotPresent" @@ -1150,6 +1176,10 @@ spec: name: flyte-console-config ports: - containerPort: 8080 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] resources: limits: cpu: 250m @@ -1199,9 +1229,12 @@ spec: app.kubernetes.io/managed-by: Helm spec: securityContext: + runAsNonRoot: true fsGroup: 1001 runAsUser: 1001 fsGroupChangePolicy: "OnRootMismatch" + seLinuxOptions: + type: spc_t initContainers: - command: - datacatalog @@ -1217,6 +1250,10 @@ spec: name: db-pass - mountPath: /etc/datacatalog/config name: config-volume + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] containers: - command: - datacatalog @@ -1230,6 +1267,10 @@ spec: - containerPort: 8088 - containerPort: 8089 - containerPort: 10254 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] resources: limits: cpu: 500m 
@@ -1290,9 +1331,12 @@ spec: app.kubernetes.io/managed-by: Helm spec: securityContext: + runAsNonRoot: true fsGroup: 65534 runAsUser: 1001 fsGroupChangePolicy: "Always" + seLinuxOptions: + type: spc_t initContainers: - command: - flytescheduler @@ -1302,6 +1346,10 @@ spec: image: "cr.flyte.org/flyteorg/flytescheduler:v1.10.7-b4" imagePullPolicy: "IfNotPresent" name: flytescheduler-check + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - mountPath: /etc/db name: db-pass @@ -1320,6 +1368,10 @@ spec: name: flytescheduler ports: - containerPort: 10254 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] resources: limits: cpu: 250m @@ -1455,8 +1507,11 @@ spec: spec: securityContext: fsGroup: 65534 + runAsNonRoot: true runAsUser: 1001 fsGroupChangePolicy: "Always" + seLinuxOptions: + type: spc_t serviceAccountName: flyte-pod-webhook initContainers: - name: generate-secrets @@ -1478,6 +1533,10 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - name: config-volume mountPath: /etc/flyte/config @@ -1502,6 +1561,10 @@ spec: fieldPath: metadata.namespace ports: - containerPort: 9443 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - name: config-volume mountPath: /etc/flyte/config diff --git a/deployment/sandbox/flyte_helm_generated.yaml b/deployment/sandbox/flyte_helm_generated.yaml index f5e26ef0bb..3a9c79f725 100644 --- a/deployment/sandbox/flyte_helm_generated.yaml +++ b/deployment/sandbox/flyte_helm_generated.yaml @@ -6694,9 +6694,12 @@ spec: app.kubernetes.io/managed-by: Helm spec: securityContext: + runAsNonRoot: true fsGroup: 65534 runAsUser: 1001 fsGroupChangePolicy: "Always" + seLinuxOptions: + type: spc_t initContainers: - command: - flyteadmin 
@@ -6707,6 +6710,10 @@ spec: image: "cr.flyte.org/flyteorg/flyteadmin:v1.10.7-b4" imagePullPolicy: "IfNotPresent" name: run-migrations + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - mountPath: /etc/flyte/config @@ -6723,6 +6730,10 @@ spec: image: "cr.flyte.org/flyteorg/flyteadmin:v1.10.7-b4" imagePullPolicy: "IfNotPresent" name: seed-projects + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - mountPath: /etc/flyte/config @@ -6736,6 +6747,10 @@ spec: image: "cr.flyte.org/flyteorg/flyteadmin:v1.10.7-b4" imagePullPolicy: "IfNotPresent" name: sync-cluster-resources + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - mountPath: /etc/flyte/clusterresource/templates @@ -6752,6 +6767,10 @@ spec: [ "flyteadmin --config=/etc/flyte/config/*.yaml secrets init --localPath /etc/scratch/secrets && flyteadmin --config=/etc/flyte/config/*.yaml secrets create --name flyte-admin-secrets --fromPath /etc/scratch/secrets", ] + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - mountPath: /etc/flyte/config name: base-config-volume @@ -6793,6 +6812,10 @@ spec: cpu: 10m ephemeral-storage: 50Mi memory: 50Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - mountPath: /srv/flyte @@ -6906,8 +6929,11 @@ spec: app.kubernetes.io/managed-by: Helm spec: securityContext: + runAsNonRoot: true runAsUser: 1000 fsGroupChangePolicy: "OnRootMismatch" + seLinuxOptions: + type: spc_t containers: - image: "cr.flyte.org/flyteorg/flyteconsole:v1.10.2" imagePullPolicy: "IfNotPresent" @@ -6922,6 +6948,10 @@ spec: value: "true" - name: GA_TRACKING_ID value: "G-0QW4DJWJ20" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] resources: limits: cpu: 500m 
@@ -6964,9 +6994,12 @@ spec: app.kubernetes.io/managed-by: Helm spec: securityContext: + runAsNonRoot: true fsGroup: 1001 runAsUser: 1001 fsGroupChangePolicy: "OnRootMismatch" + seLinuxOptions: + type: spc_t initContainers: - command: - datacatalog @@ -6981,6 +7014,10 @@ spec: - mountPath: /etc/datacatalog/config name: config-volume + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] containers: - command: - datacatalog @@ -6994,6 +7031,10 @@ spec: - containerPort: 8088 - containerPort: 8089 - containerPort: 10254 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] resources: limits: cpu: 500m @@ -7044,9 +7085,12 @@ spec: app.kubernetes.io/managed-by: Helm spec: securityContext: + runAsNonRoot: true fsGroup: 65534 runAsUser: 1001 fsGroupChangePolicy: "Always" + seLinuxOptions: + type: spc_t initContainers: - command: - flytescheduler @@ -7056,6 +7100,10 @@ spec: image: "cr.flyte.org/flyteorg/flytescheduler:v1.10.7-b4" imagePullPolicy: "IfNotPresent" name: flytescheduler-check + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - mountPath: /etc/flyte/config @@ -7073,6 +7121,10 @@ spec: name: flytescheduler ports: - containerPort: 10254 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] resources: limits: cpu: 250m @@ -7198,8 +7250,11 @@ spec: spec: securityContext: fsGroup: 65534 + runAsNonRoot: true runAsUser: 1001 fsGroupChangePolicy: "Always" + seLinuxOptions: + type: spc_t serviceAccountName: flyte-pod-webhook initContainers: - name: generate-secrets @@ -7221,6 +7276,10 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - name: config-volume mountPath: /etc/flyte/config 
@@ -7245,6 +7304,10 @@ spec: fieldPath: metadata.namespace ports: - containerPort: 9443 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] volumeMounts: - name: config-volume mountPath: /etc/flyte/config