Apply PSS changes (#77)

giantswarm · Aug 29, 2023 · 9596cf5 · 9596cf5
1 parent 325d8c5
commit 9596cf5
Show file tree

Hide file tree

Showing 11 changed files with 189 additions and 43 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Added
+
+- Make PSPs optional since they are deprecated since k8s 1.25 (still enabled by default).
+- Add use of runtime/default seccomp profile.
+- Fix issues reported by kyverno policies. 
+
 ## [0.10.1] - 2023-07-28
 
 ### Added

diff --git a/Makefile.custom.mk b/Makefile.custom.mk
@@ -11,9 +11,11 @@ OS ?= $(shell go env GOOS 2>/dev/null || echo linux)
 ARCH ?= $(shell go env GOARCH 2>/dev/null || echo amd64)
 KUSTOMIZE := ./bin/kustomize
 KUSTOMIZE_VERSION ?= v4.5.7
+yq = ./bin/yq
+YQ_VERSION := 4.31.2
 
 .PHONY: all
-all: fetch-upstream-manifest apply-kustomize-patches delete-generated-helm-charts release-manifests ## Builds the manifests to publish with a release (alias to release-manifests)
+all: fetch-upstream-manifest apply-kustomize-patches apply-custom-patches delete-generated-helm-charts release-manifests ## Builds the manifests to publish with a release (alias to release-manifests)
 
 .PHONY: fetch-upstream-manifest
 fetch-upstream-manifest: ## fetch upstream manifest from
@@ -24,6 +26,10 @@ fetch-upstream-manifest: ## fetch upstream manifest from
 apply-kustomize-patches: $(KUSTOMIZE) ## apply giantswarm specific patches
 	$(KUSTOMIZE) build config/kustomize -o config/kustomize/tmp
 
+.PHONY: apply-custom-patches
+apply-custom-patches: $(YQ) ## apply giantswarm specific patches that are not possible via kustomize
+	./hack/custom-patches.sh ${APPLICATION_NAME} "./bin/yq"
+
 #.PHONY: delete-generated-helm-charts
 delete-generated-helm-charts: # clean workspace and delete manifests
 	@rm -rvf ./helm/${APPLICATION_NAME}/templates/*.yaml
@@ -40,3 +46,9 @@ $(KUSTOMIZE): ## Download kustomize locally if necessary.
 	curl -sfL "https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2F$(KUSTOMIZE_VERSION)/kustomize_$(KUSTOMIZE_VERSION)_$(OS)_$(ARCH).tar.gz" | tar zxv -C $(dir $@)
 	chmod +x $@
 	@echo "kustomize downloaded"
+
+download-yq: ## Download yq locally if necessary.
+	@echo "====> yq"
+	curl -sfL https://github.com/mikefarah/yq/releases/download/v$(YQ_VERSION)/yq_$(OS)_$(ARCH) > ./bin/yq
+	chmod +x ./bin/yq
+	@echo "yq downloaded"
diff --git a/hack/custom-patches.sh b/hack/custom-patches.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+set -x
+YQ=${2:-./bin/yq}
+# ${1} is the given application-name from make (cluster-api-provider-vsphere)
+# ${2} is path to yq
+
+f="config/kustomize/tmp/apps_v1_deployment_capv-controller-manager.yaml"
+${YQ} e '.spec.template.spec.securityContext.remove-this-key="'"
+{{- with .Values.podSecurityContext }}
+  {{- . | toYaml | nindent 8 }}
+{{- end }}
+"'" | .spec.template.spec.containers[].securityContext.remove-this-key="'"
+{{- with .Values.securityContext }}
+	{{- . | toYaml | nindent 12 }}
+{{- end }}
+"'"' ${f} > ${f}.tmp
+cat ${f}.tmp | grep -v 'remove-this-key' > ${f}
+rm -rf ${f}.tmp
diff --git a/helm/cluster-api-provider-vsphere/templates/apps_v1_deployment_capv-controller-manager.yaml b/helm/cluster-api-provider-vsphere/templates/apps_v1_deployment_capv-controller-manager.yaml
@@ -26,49 +26,57 @@ spec:
         control-plane: controller-manager
     spec:
       containers:
-      - args:
-        - --leader-elect
-        - --logtostderr
-        - --v=6
-        - --feature-gates=NodeAntiAffinity=false,NodeLabeling=false
-        image: '{{.Values.image.name}}:{{.Values.image.tag}}'
-        imagePullPolicy: IfNotPresent
-        livenessProbe:
-          httpGet:
-            path: /healthz
-            port: healthz
-        name: manager
-        ports:
-        - containerPort: 9443
-          name: webhook-server
-          protocol: TCP
-        - containerPort: 9440
-          name: healthz
-          protocol: TCP
-        readinessProbe:
-          httpGet:
-            path: /readyz
-            port: healthz
-        resources:
-          limits:
-            cpu: '{{ .Values.resources.limits.cpu }}'
-            memory: '{{ .Values.resources.limits.memory }}'
-          requests:
-            cpu: '{{ .Values.resources.requests.cpu }}'
-            memory: '{{ .Values.resources.requests.memory }}'
-        volumeMounts:
-        - mountPath: /tmp/k8s-webhook-server/serving-certs
-          name: cert
-          readOnly: true
+        - args:
+            - --leader-elect
+            - --logtostderr
+            - --v=6
+            - --feature-gates=NodeAntiAffinity=false,NodeLabeling=false
+          image: '{{.Values.image.name}}:{{.Values.image.tag}}'
+          imagePullPolicy: IfNotPresent
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: healthz
+          name: manager
+          ports:
+            - containerPort: 9443
+              name: webhook-server
+              protocol: TCP
+            - containerPort: 9440
+              name: healthz
+              protocol: TCP
+          readinessProbe:
+            httpGet:
+              path: /readyz
+              port: healthz
+          resources:
+            limits:
+              cpu: '{{ .Values.resources.limits.cpu }}'
+              memory: '{{ .Values.resources.limits.memory }}'
+            requests:
+              cpu: '{{ .Values.resources.requests.cpu }}'
+              memory: '{{ .Values.resources.requests.memory }}'
+          volumeMounts:
+            - mountPath: /tmp/k8s-webhook-server/serving-certs
+              name: cert
+              readOnly: true
+          securityContext:
+              {{- with .Values.securityContext }}
+              	{{- . | toYaml | nindent 12 }}
+              {{- end }}
       priorityClassName: '{{ .Values.priorityClass }}'
       serviceAccountName: capv-controller-manager
       terminationGracePeriodSeconds: 10
       tolerations:
-      - effect: NoSchedule
-        key: node-role.kubernetes.io/control-plane
-        operator: Exists
+        - effect: NoSchedule
+          key: node-role.kubernetes.io/control-plane
+          operator: Exists
       volumes:
-      - name: cert
-        secret:
-          defaultMode: 420
-          secretName: capv-webhook-server-cert
+        - name: cert
+          secret:
+            defaultMode: 420
+            secretName: capv-webhook-server-cert
+      securityContext:
+          {{- with .Values.podSecurityContext }}
+            {{- . | toYaml | nindent 8 }}
+          {{- end }}
diff --git a/helm/cluster-api-provider-vsphere/templates/crd-install/crd-job.yaml b/helm/cluster-api-provider-vsphere/templates/crd-install/crd-job.yaml
@@ -23,6 +23,9 @@ spec:
       securityContext:
         runAsUser: 1000
         runAsGroup: 2000
+        {{- with .Values.podSecurityContext }}
+          {{- . | toYaml | nindent 8 }}
+        {{- end }}
       tolerations:
       - key: node-role.kubernetes.io/master
         effect: NoSchedule
@@ -41,6 +44,9 @@ spec:
           kubectl apply -f /data/ 2>&1
         securityContext:
           readOnlyRootFilesystem: true
+          {{- with .Values.securityContext }}
+            {{- . | toYaml | nindent 10 }}
+          {{- end }}
         volumeMounts:
 {{- range $path, $_ := .Files.Glob "files/**" }}
         - name: {{ $path | base | trimSuffix ".yaml" }}

diff --git a/helm/cluster-api-provider-vsphere/templates/crd-install/crd-psp.yaml b/helm/cluster-api-provider-vsphere/templates/crd-install/crd-psp.yaml
@@ -1,11 +1,13 @@
 {{- if .Values.crdInstall.enable }}
+{{- if .Values.psps.install }}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
   name: {{ include "crdInstall" . }}
   annotations:
     # create hook dependencies in the right order
     "helm.sh/hook-weight": "-6"
+    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
     {{- include "crdInstallAnnotations" . | nindent 4 }}
   labels:
     app.kubernetes.io/component: {{ include "crdInstall" . | quote }}
@@ -33,4 +35,5 @@ spec:
       - min: 1
         max: 65535
   readOnlyRootFilesystem: false
-{{- end }}
+{{- end }}
+{{- end }}
diff --git a/helm/cluster-api-provider-vsphere/templates/crd-install/crd-rbac.yaml b/helm/cluster-api-provider-vsphere/templates/crd-install/crd-rbac.yaml
@@ -29,6 +29,7 @@ rules:
   - delete
   - get
   - patch
+{{- if .Values.psps.install }}
 - apiGroups:
   - policy
   resources:
@@ -37,6 +38,7 @@ rules:
   - {{ include "crdInstall" . }}
   verbs:
   - use
+{{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

diff --git a/helm/cluster-api-provider-vsphere/templates/psp/psp-rbac.yaml b/helm/cluster-api-provider-vsphere/templates/psp/psp-rbac.yaml
@@ -0,0 +1,32 @@
+{{- if .Values.psps.install }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: capv-controller-manager-psp
+  labels:
+  {{- include "labels.common" . | nindent 4 }}
+rules:
+- apiGroups:
+  - extensions
+  resources:
+  - podsecuritypolicies
+  verbs:
+  - use
+  resourceNames:
+  - capv-controller-manager-psp
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: capv-controller-manager-psp
+  labels:
+  {{- include "labels.common" . | nindent 4 }}
+subjects:
+- kind: ServiceAccount
+  name: capv-controller-manager
+  namespace: '{{ .Release.Namespace }}'
+roleRef:
+  kind: ClusterRole
+  name: capv-controller-manager-psp
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}
diff --git a/helm/cluster-api-provider-vsphere/templates/psp/psp.yaml b/helm/cluster-api-provider-vsphere/templates/psp/psp.yaml
@@ -0,0 +1,32 @@
+{{- if .Values.psps.install }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: capv-controller-manager-psp
+  annotations:
+    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
+  labels:
+    {{- include "labels.common" . | nindent 4 }}
+spec:
+  privileged: false
+  fsGroup:
+    rule: MustRunAs
+    ranges:
+      - min: 1
+        max: 65535
+  runAsUser:
+    rule: MustRunAsNonRoot
+  runAsGroup:
+    rule: MustRunAs
+    ranges:
+      - min: 1
+        max: 65535
+  seLinux:
+    rule: RunAsAny
+  supplementalGroups:
+    rule: RunAsAny
+  allowPrivilegeEscalation: false
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+{{- end }}
diff --git a/helm/cluster-api-provider-vsphere/values.schema.json b/helm/cluster-api-provider-vsphere/values.schema.json
@@ -43,6 +43,14 @@
         }
       }
     },
+    "psps": {
+      "type": "object",
+      "properties": {
+          "install": {
+              "type": "boolean"
+          }
+      }
+    },
     "image": {
       "type": "object",
       "properties": {

diff --git a/helm/cluster-api-provider-vsphere/values.yaml b/helm/cluster-api-provider-vsphere/values.yaml
@@ -32,3 +32,21 @@ serviceMonitor:
   interval: "60s"
   # -- (duration) Prometheus scrape timeout.
   scrapeTimeout: "45s"
+
+# Add seccomp to pod security context
+podSecurityContext:
+  runAsNonRoot: true
+  seccompProfile:
+    type: RuntimeDefault
+
+# Add seccomp to container security context
+securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - ALL
+  seccompProfile:
+    type: RuntimeDefault
+
+psps:
+  install: true