Kubernetes simcore: add pod security standard (#1139)

* Kubernetes simcore: add pod security standard

Ensure baseline policy and warn on restricted policy violations. The k8s
way to add pod security standard, is to add labels to the namespace. The
adding labels to namespace is achieved via helmfile hooks.

Add helpful defaults for pod & container security context to ensure
minimal privileges.

WARNING: if deployed pod does not conform with baseline policy, it
SILENTLY won't be scheduled. To see warnings / errors execute `kubectl
-n simcore events'

* #1137

* Improve security readme

Author: YuryHrytsuk

charts/SECURITY.md

@@ -0,0 +1,17 @@
+# Security
+
+This file documents security measures and their configuration in current code base
+
+## Application developer
+
+Full list: https://kubernetes.io/docs/concepts/security/application-security-checklist/
+
+#### Pod-level securityContext recommendations
+
+Enable pod security standard on namespace level:
+* create namespace with labels (examples and explanations https://aro-labs.com/pod-security-standards/)
+* configure pod and container security context to satisfy security standards (read more https://medium.com/dynatrace-engineering/kubernetes-security-part-3-security-context-7d44862c4cfa)
+
+## Cluster / OPS developers
+
+Full list: https://kubernetes.io/docs/concepts/security/security-checklist/

charts/simcore-charts/common-helpers/Chart.yaml

@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.0.1
+version: 0.0.2
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

charts/simcore-charts/common-helpers/templates/_helpers.tpl

@@ -72,3 +72,36 @@ data:
   {{- end }}
 {{- end }}
 {{- end -}}
+
+{{/*
+
+Usage:
+{{- include "common-helpers.defaultPodSecurityContext" . | nindent 0 }}
+
+Defines a common pod security context to ensure minimal privileges for containers.
+
+Values inspired from https://medium.com/dynatrace-engineering/kubernetes-security-part-3-security-context-7d44862c4cfa
+*/}}
+{{- define "common-helpers.defaultPodSecurityContext" -}}
+runAsNonRoot: true
+seccompProfile:
+  type: RuntimeDefault
+{{- end -}}
+
+{{/*
+
+Usage:
+{{- include "common-helpers.defaultContainerSecurityContext" . | nindent 0 }}
+
+Defines a common container security context to ensure minimal privileges for containers.
+
+Values inspired from https://medium.com/dynatrace-engineering/kubernetes-security-part-3-security-context-7d44862c4cfa
+*/}}
+{{- define "common-helpers.defaultContainerSecurityContext" -}}
+privileged: false
+readOnlyRootFilesystem: true
+allowPrivilegeEscalation: false
+capabilities:
+  drop:
+    - ALL
+{{- end -}}

charts/simcore-charts/namespace.yaml

@@ -0,0 +1,16 @@
+# namespace with defined pod security standard
+# inspired from https://aro-labs.com/pod-security-standards/
+# official doc: https://kubernetes.io/docs/concepts/security/pod-security-standards/
+#
+# Warning: if pod / container does not meet enforced standards, it will not be deployed (silently)
+# execute `kubectl -n <namespace> events` to see errors (e.g.)
+#   Error creating: pods "xyz" is forbidden: violates PodSecurity "baseline:latest": privileged
+#   container "xyz" must not set securityContext.privileged to true
+#
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: simcore
+  labels:
+    pod-security.kubernetes.io/enforce: baseline
+    pod-security.kubernetes.io/warn: restricted

charts/simcore-charts/resource-usage-tracker/Chart.yaml

@@ -4,7 +4,7 @@ description: A Helm chart for Kubernetes
 
 dependencies:
   - name: common-helpers
-    version: 0.0.1
+    version: 0.0.2
     repository: "file://../common-helpers"
 
 # A chart can be either an 'application' or a 'library' chart.
@@ -20,7 +20,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.0.1
+version: 0.0.2
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

charts/simcore-charts/resource-usage-tracker/templates/deployment.yaml

@@ -29,11 +29,19 @@ spec:
       {{- end }}
       serviceAccountName: {{ include "resource-usage-tracker.serviceAccountName" . }}
       securityContext:
+      {{- if .Values.podSecurityContext }}
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      {{- else }}
+        {{- include "common-helpers.defaultPodSecurityContext" . | nindent 8 }}
+      {{- end }}
       containers:
         - name: {{ .Chart.Name }}
           securityContext:
+          {{- if .Values.securityContext }}
             {{- toYaml .Values.securityContext | nindent 12 }}
+          {{- else }}
+            {{- include "common-helpers.defaultContainerSecurityContext" . | nindent 12 }}
+          {{- end }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           env:

charts/simcore-charts/resource-usage-tracker/values.yaml.gotmpl

@@ -28,16 +28,12 @@ serviceAccount:
 podAnnotations: {}
 podLabels: {}
 
-podSecurityContext: {}
-  # fsGroup: 2000
-
-securityContext: {}
-  # capabilities:
-  #   drop:
-  #   - ALL
-  # readOnlyRootFilesystem: true
-  # runAsNonRoot: true
-  # runAsUser: 1000
+podSecurityContext:
+  seccompProfile:
+    type: RuntimeDefault
+
+securityContext:
+  privileged: false
 
 service:
   type: ClusterIP