feat(helm chart): add SecurityContext to pods and containers (#917)

* feat(helm chart): add SecurityContext to pods and containers

Speckle pods should run with the minimal privileges and capabilities they need in order to function.

Fix https://github.com/specklesystems/speckle-server/issues/857

* Update securityContext for all pods

* frontend runs as nonroot and readonly root filesystem

- set fsgroup for all pods with volumes

* Frontend requires write directory at /etc/nginx/conf.d

* Allow openresty log directory to be writable

* feat(helm local test): add test container into the make script

Co-authored-by: Gergő Jedlicska <gergo@jedlicska.com>
Iain Sproat
2022-08-15 13:20:19 +01:00
committed by GitHub
parent 6cbe32d8cd
commit 65a00dca2e
9 changed files with 195 additions and 11 deletions
@@ -56,11 +56,19 @@ set_real_ip_from 2a06:98c0::/29;
real_ip_header CF-Connecting-IP;
#real_ip_header X-Forwarded-For;
server {
listen 80;
client_max_body_size 100m;
# move default write paths to a custom directory
# kubernetes can mount this directory and prevent writes to the root directory
# https://github.com/openresty/docker-openresty/issues/119
client_body_temp_path /var/run/openresty/nginx-client-body;
proxy_temp_path /var/run/openresty/nginx-proxy;
fastcgi_temp_path /var/run/openresty/nginx-fastcgi;
uwsgi_temp_path /var/run/openresty/nginx-uwsgi;
scgi_temp_path /var/run/openresty/nginx-scgi;
location / {
root /usr/share/nginx/html;
index app.html;
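Review bot: `listen 80;` only works for a worker that is no longer root if the process still holds CAP_NET_BIND_SERVICE, and nothing in this file records that dependency on the frontend deployment's container securityContext; a comment above the directive such as `# binding :80 as a non-root user relies on NET_BIND_SERVICE being added in the frontend deployment` would tie the two changes together. The temp-path comment could likewise mention that the logs directory is mounted writable by the same deployment, since the new write paths are only half of what a read-only root filesystem needs. The server block continues past the end of the hunk.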
@@ -7,6 +7,7 @@ build:
cd ../.. && docker build -t speckle/speckle-webhook-service:local -f packages/webhook-service/Dockerfile .
cd ../.. && docker build -t speckle/speckle-fileimport-service:local -f packages/fileimport-service/Dockerfile .
cd ../.. && docker build -t speckle/speckle-monitor-deployment:local -f utils/monitor-deployment/Dockerfile .
cd ../.. && docker build -t speckle/speckle-test-deployment:local -f utils/test-deployment/Dockerfile .
echo "Making locally built images available inside minikube cluster. This takes a bit to copy, unfortunately..."
@@ -16,6 +17,7 @@ build:
minikube image load speckle/speckle-webhook-service:local
minikube image load speckle/speckle-fileimport-service:local
minikube image load speckle/speckle-monitor-deployment:local
minikube image load speckle/speckle-test-deployment:local
install:
@@ -44,8 +44,20 @@ spec:
cpu: {{ .Values.fileimport_service.limits.cpu }}
memory: {{ .Values.fileimport_service.limits.memory }}
{{- if .Values.db.useCertificate }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 20000
volumeMounts:
- mountPath: /tmp
name: tmp
{{- if .Values.db.useCertificate }}
- name: postgres-certificate
mountPath: /postgres-certificate
{{- end }}
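Review bot: The `{{- if .Values.db.useCertificate }}` shown directly above `securityContext:` has no matching `{{- end }}` before the second `{{- if` that wraps the certificate mount, so if that line survived on the new side the template would not render. The rendered page has dropped the +/- markers, so this is presumably the removed old line and the conditional has simply moved down to wrap only the mount, but it is worth confirming with `helm template`. The same pattern appears in the preview-service, server and webhook-service hunks of this commit. The container spec continues outside the hunk.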
@@ -84,10 +96,21 @@ spec:
- name: FILE_IMPORT_TIME_LIMIT_MIN
value: {{ .Values.fileimport_service.time_limit_min | quote }}
securityContext:
runAsNonRoot: true
runAsUser: 20000
fsGroup: 25000
fsGroupChangePolicy: OnRootMismatch
runAsGroup: 30000
seccompProfile:
type: RuntimeDefault
priorityClassName: low-priority
{{- if .Values.db.useCertificate }}
volumes:
- name: tmp
emptyDir: {}
{{- if .Values.db.useCertificate }}
- name: postgres-certificate
configMap:
name: postgres-certificate
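Review bot: `runAsUser: 20000` is set both at the pod level in this hunk and at the container level in the preceding hunk; the container value takes precedence, so the pod-level copy is redundant and the two will drift apart unnoticed. The UID/GID triple 20000/30000/25000 is also hard-coded verbatim in every deployment touched by this commit (frontend, monitoring, preview, server, webhook, test); exposing it once under values, e.g. `runAsUser: {{ .Values.securityContext.runAsUser }}` (proposed key, not present in the chart), would keep the charts consistent and let operators align the IDs with their cluster's admission policy. The pod spec continues past the hunk.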
@@ -34,6 +34,18 @@ spec:
cpu: {{ .Values.frontend.limits.cpu }}
memory: {{ .Values.frontend.limits.memory }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
add:
- NET_BIND_SERVICE
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 20000
# Allow for k8s to remove the pod from the service endpoints to stop receive traffic
lifecycle:
preStop:
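Review bot: Adding `NET_BIND_SERVICE` to a container that runs as UID 20000 may not have the intended effect: Kubernetes does not place added capabilities in the process's ambient set, so a non-root process only benefits from an added capability if the binary carries a matching file capability. Whether the openresty binary in this image does is not visible here; worth confirming that the frontend actually binds port 80 as a non-root user in the target cluster, and otherwise listening on an unprivileged port or relying on the `net.ipv4.ip_unprivileged_port_start` sysctl instead. The container spec continues outside the hunk.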
@@ -51,4 +63,37 @@ spec:
- name: FILE_SIZE_LIMIT_MB
value: {{ .Values.file_size_limit_mb | quote }}
volumeMounts:
- mountPath: /var/cache/nginx
name: nginx-cache
- mountPath: /tmp/nginx
name: nginx-tmp
- mountPath: /etc/nginx/conf.d
name: nginx-confd
- mountPath: /usr/local/openresty/nginx/logs
name: openresty-logs
- mountPath: /var/run/openresty
name: openresty-tmp
priorityClassName: high-priority
securityContext:
runAsNonRoot: true
runAsUser: 20000
fsGroup: 25000
fsGroupChangePolicy: OnRootMismatch
runAsGroup: 30000
seccompProfile:
type: RuntimeDefault
volumes:
- name: nginx-cache
emptyDir: {}
- name: nginx-confd
emptyDir: {}
- name: nginx-tmp
emptyDir: {}
- name: openresty-logs
emptyDir: {}
- name: openresty-tmp
emptyDir: {}
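Review bot: Mounting an emptyDir at `/etc/nginx/conf.d` hides whatever the image ships in that directory, so it is empty at container start; this only works if the entrypoint regenerates the site config into that path on every start, which cannot be seen from this hunk. Worth confirming, and recording on the mount with a comment such as `# emptyDir shadows the image's conf.d; the entrypoint must write the config here at startup`. The same consideration applies to `/usr/local/openresty/nginx/logs`, which presumably also receives the pid file under openresty's default paths.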
@@ -34,6 +34,15 @@ spec:
cpu: {{ .Values.monitoring.limits.cpu }}
memory: {{ .Values.monitoring.limits.memory }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 20000
{{- if .Values.db.useCertificate }}
volumeMounts:
@@ -55,6 +64,15 @@ spec:
priorityClassName: low-priority
securityContext:
runAsNonRoot: true
runAsUser: 20000
fsGroup: 25000
fsGroupChangePolicy: OnRootMismatch
runAsGroup: 30000
seccompProfile:
type: RuntimeDefault
{{- if .Values.db.useCertificate }}
volumes:
- name: postgres-certificate
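Review bot: `readOnlyRootFilesystem: true` is set on the monitoring container but, unlike the fileimport, preview, server and webhook deployments in this commit, no `/tmp` emptyDir is mounted here — the only `volumeMounts` are inside the `useCertificate` conditional. If the monitor process writes anything to `/tmp` it will now fail with a read-only filesystem error; either confirm it never writes there, or add the same `tmp` emptyDir and `mountPath: /tmp` the other services use. The container spec continues outside the hunk.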
@@ -43,8 +43,20 @@ spec:
cpu: {{ .Values.preview_service.limits.cpu }}
memory: {{ .Values.preview_service.limits.memory }}
{{- if .Values.db.useCertificate }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 20000
volumeMounts:
- mountPath: /tmp
name: tmp
{{- if .Values.db.useCertificate }}
- name: postgres-certificate
mountPath: /postgres-certificate
{{- end }}
@@ -66,11 +78,22 @@ spec:
priorityClassName: low-priority
securityContext:
runAsNonRoot: true
runAsUser: 20000
fsGroup: 25000
fsGroupChangePolicy: OnRootMismatch
runAsGroup: 30000
seccompProfile:
type: RuntimeDefault
# Should be > preview generation time ( 1 hour for good measure )
terminationGracePeriodSeconds: 3600
{{- if .Values.db.useCertificate }}
volumes:
- name: tmp
emptyDir: {}
{{- if .Values.db.useCertificate }}
- name: postgres-certificate
configMap:
name: postgres-certificate
@@ -34,10 +34,22 @@ spec:
cpu: {{ .Values.server.limits.cpu }}
memory: {{ .Values.server.limits.memory }}
{{- if .Values.db.useCertificate }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 20000
volumeMounts:
- name: postgres-certificate
mountPath: /postgres-certificate
- mountPath: /tmp
name: tmp
{{- if .Values.db.useCertificate }}
- name: postgres-certificate
mountPath: /postgres-certificate
{{- end }}
# Allow for k8s to remove the pod from the service endpoints to stop receive traffic
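Review bot: The `postgres-certificate` mount appears twice as displayed — once unconditionally directly under `volumeMounts:` and again inside `{{- if .Values.db.useCertificate }}`. If the first copy survived the change, a deployment with `useCertificate` enabled renders two mounts with the same `mountPath`, which the API server rejects at validation time; since the rendered page has dropped the +/- markers this is presumably the removed old line, but it is worth checking the rendered output for that values combination. The container spec continues past the hunk.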
@@ -242,9 +254,21 @@ spec:
key: apollo_key
{{- end }}
priorityClassName: high-priority
securityContext:
runAsNonRoot: true
runAsUser: 20000
fsGroup: 25000
fsGroupChangePolicy: OnRootMismatch
runAsGroup: 30000
seccompProfile:
type: RuntimeDefault
terminationGracePeriodSeconds: 310
{{- if .Values.db.useCertificate }}
volumes:
- name: tmp
emptyDir: {}
{{- if .Values.db.useCertificate }}
- name: postgres-certificate
configMap:
name: postgres-certificate
@@ -24,5 +24,23 @@ spec:
limits:
cpu: {{ .Values.test.limits.cpu }}
memory: {{ .Values.test.limits.memory }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 20000
restartPolicy: Never
securityContext:
runAsNonRoot: true
runAsUser: 20000
runAsGroup: 30000
seccompProfile:
type: RuntimeDefault
{{- end }}
@@ -43,8 +43,20 @@ spec:
cpu: {{ .Values.webhook_service.limits.cpu }}
memory: {{ .Values.webhook_service.limits.memory }}
{{- if .Values.db.useCertificate }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 20000
volumeMounts:
- mountPath: /tmp
name: tmp
{{- if .Values.db.useCertificate }}
- name: postgres-certificate
mountPath: /postgres-certificate
{{- end }}
@@ -66,11 +78,22 @@ spec:
priorityClassName: low-priority
securityContext:
runAsNonRoot: true
runAsUser: 20000
fsGroup: 25000
fsGroupChangePolicy: OnRootMismatch
runAsGroup: 30000
seccompProfile:
type: RuntimeDefault
# Should be > webhook max call time ( ~= 10 seconds )
terminationGracePeriodSeconds: 30
{{- if .Values.db.useCertificate }}
volumes:
- name: tmp
emptyDir: {}
{{- if .Values.db.useCertificate }}
- name: postgres-certificate
configMap:
name: postgres-certificate