Michal.Wrobel/openbao-helm
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Feat/adding pod and container security context (#750)

Browse source 
Allow the injector's pod- and container-level securityContext to be
fully specified by the user, via new options
`injector.securityContext.pod` and
`injector.securityContext.container` with more complete
defaults. Deprecates `injector.uid` and `injector.gid`.

If `injector.uid` or `injector.gid` are set by the user, the old pod
securityContext settings will be used. Otherwise the new defaults and
settings are used.

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
This commit is contained in:
ChrisFraun 2022-08-02 08:00:29 +02:00 committed by GitHub
parent 553af862ea
commit eb95ac5d20
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 156 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

25
templates/_helpers.tpl
View file

@ -470,6 +470,31 @@ Sets extra injector service annotations
{{- end }} {{- end }}
{{- end -}} {{- end -}}
{{/*
securityContext for the injector pod level.
*/}}
{{- define "injector.securityContext.pod" -}}
{{- if or (.Values.injector.uid) (.Values.injector.gid) }}
securityContext:
runAsNonRoot: true
runAsGroup: {{ .Values.injector.gid | default 1000 }}
runAsUser: {{ .Values.injector.uid | default 100 }}
{{- else if .Values.injector.securityContext.pod }}
securityContext:
{{- toYaml .Values.injector.securityContext.pod | nindent 8 }}
{{- end }}
{{- end -}}
{{/*
securityContext for the injector container level.
*/}}
{{- define "injector.securityContext.container" -}}
{{- if .Values.injector.securityContext.container}}
securityContext:
{{- toYaml .Values.injector.securityContext.container | nindent 12 }}
{{- end }}
{{- end -}}
{{/* {{/*
Sets extra injector service account annotations Sets extra injector service account annotations
*/}} */}}

8
templates/injector-deployment.yaml
View file

@ -40,10 +40,7 @@ spec:
serviceAccountName: "{{ template "vault.fullname" . }}-agent-injector" serviceAccountName: "{{ template "vault.fullname" . }}-agent-injector"
{{- if not .Values.global.openshift }} {{- if not .Values.global.openshift }}
hostNetwork: {{ .Values.injector.hostNetwork }} hostNetwork: {{ .Values.injector.hostNetwork }}
securityContext: {{ template "injector.securityContext.pod" . -}}
runAsNonRoot: true
runAsGroup: {{ .Values.injector.gid | default 1000 }}
runAsUser: {{ .Values.injector.uid | default 100 }}
{{- end }} {{- end }}
containers: containers:
- name: sidecar-injector - name: sidecar-injector
@ -51,8 +48,7 @@ spec:
image: "{{ .Values.injector.image.repository }}:{{ .Values.injector.image.tag }}" image: "{{ .Values.injector.image.repository }}:{{ .Values.injector.image.tag }}"
imagePullPolicy: "{{ .Values.injector.image.pullPolicy }}" imagePullPolicy: "{{ .Values.injector.image.pullPolicy }}"
{{- if not .Values.global.openshift }} {{- if not .Values.global.openshift }}
securityContext: {{ template "injector.securityContext.container" . -}}
allowPrivilegeEscalation: false
{{- end }} {{- end }}
env: env:
- name: AGENT_INJECT_LISTEN - name: AGENT_INJECT_LISTEN

116
test/unit/injector-deployment.bats
View file

@ -363,6 +363,122 @@ load _helpers
[ "${value}" = "false" ] [ "${value}" = "false" ]
} }
#--------------------------------------------------------------------
# securityContext or pod and container
# for backward compatibility
@test "injector/deployment: backward pod securityContext" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-deployment.yaml \
--set 'injector.uid=200' \
--set 'injector.gid=4000' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.securityContext' | tee /dev/stderr)
local value=$(echo $actual | yq -r .runAsUser | tee /dev/stderr)
[ "${value}" = "200" ]
local value=$(echo $actual | yq -r .runAsGroup | tee /dev/stderr)
[ "${value}" = "4000" ]
}
@test "injector/deployment: default pod securityContext" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-deployment.yaml \
. | tee /dev/stderr |
yq -r '.spec.template.spec.securityContext' | tee /dev/stderr)
[ "${actual}" != "null" ]
local value=$(echo $actual | yq -r .fsGroup | tee /dev/stderr)
[ "${value}" = "1000" ]
local value=$(echo $actual | yq -r .runAsGroup | tee /dev/stderr)
[ "${value}" = "1000" ]
local value=$(echo $actual | yq -r .runAsNonRoot | tee /dev/stderr)
[ "${value}" = "true" ]
local value=$(echo $actual | yq -r .runAsUser | tee /dev/stderr)
[ "${value}" = "100" ]
}
@test "injector/deployment: custom pod securityContext" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-deployment.yaml \
--set 'injector.enabled=true' \
--set 'injector.securityContext.pod.runAsNonRoot=true' \
--set 'injector.securityContext.pod.runAsGroup=1001' \
--set 'injector.securityContext.pod.runAsUser=1001' \
--set 'injector.securityContext.pod.fsGroup=1000' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.securityContext.runAsGroup' | tee /dev/stderr)
[ "${actual}" = "1001" ]
local actual=$(helm template \
--show-only templates/injector-deployment.yaml \
--set 'injector.enabled=true' \
--set 'injector.securityContext.pod.runAsNonRoot=false' \
--set 'injector.securityContext.pod.runAsGroup=1000' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.securityContext.runAsNonRoot' | tee /dev/stderr)
[ "${actual}" = "false" ]
local actual=$(helm template \
--show-only templates/injector-deployment.yaml \
--set 'injector.enabled=true' \
--set 'injector.securityContext.pod.runAsUser=1001' \
--set 'injector.securityContext.pod.fsGroup=1000' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.securityContext.runAsUser' | tee /dev/stderr)
[ "${actual}" = "1001" ]
local actual=$(helm template \
--show-only templates/injector-deployment.yaml \
--set 'injector.enabled=true' \
--set 'injector.securityContext.pod.runAsNonRoot=true' \
--set 'injector.securityContext.pod.fsGroup=1001' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.securityContext.fsGroup' | tee /dev/stderr)
[ "${actual}" = "1001" ]
}
@test "injector/deployment: default container securityContext sidecar-injector" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-deployment.yaml \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].securityContext' | tee /dev/stderr)
[ "${actual}" != "null" ]
local value=$(echo $actual | yq -r .allowPrivilegeEscalation | tee /dev/stderr)
[ "${value}" = "false" ]
local value=$(echo $actual | yq -r .capabilities.drop[0] | tee /dev/stderr)
[ "${value}" = "ALL" ]
}
@test "injector/deployment: custom container securityContext sidecar-injector" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-deployment.yaml \
--set 'injector.enabled=true' \
--set 'injector.securityContext.container.privileged=true' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].securityContext.privileged' | tee /dev/stderr)
[ "${actual}" = "true" ]
local actual=$(helm template \
--show-only templates/injector-deployment.yaml \
--set 'injector.enabled=true' \
--set 'injector.securityContext.container.readOnlyRootFilesystem=false' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem' | tee /dev/stderr)
[ "${actual}" = "false" ]
}
#-------------------------------------------------------------------- #--------------------------------------------------------------------
# extraEnvironmentVars # extraEnvironmentVars

13
values.yaml
View file

@ -202,6 +202,19 @@ injector:
certName: tls.crt certName: tls.crt
keyName: tls.key keyName: tls.key
# Default pod and container security context for vault-injector
securityContext:
pod:
runAsNonRoot: true
runAsGroup: 1000
runAsUser: 100
fsGroup: 1000
container:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
resources: {} resources: {}
# resources: # resources:
# requests: # requests: