Kubernetes simcore: add pod security standard

charts/SECURITY.md

@@ -0,0 +1,17 @@
+# Security
+
+This file documents security measures and their configuration in current code base
+
+## Application developer
+
+Full list: https://kubernetes.io/docs/concepts/security/application-security-checklist/
+
+#### Pod-level securityContext recommendations
+
+Enable pod security standard on namespace level:
+* create namespace with labels (examples and explanations https://aro-labs.com/pod-security-standards/)
+* configure pod and container security context to satisfy security standards (read more https://medium.com/dynatrace-engineering/kubernetes-security-part-3-security-context-7d44862c4cfa)
+
+## Cluster / OPS developers
+
+Full list: https://kubernetes.io/docs/concepts/security/security-checklist/

charts/simcore-charts/common-helpers/Chart.yaml

@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.0.1
+version: 0.0.2
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

charts/simcore-charts/common-helpers/templates/_helpers.tpl

@@ -72,3 +72,36 @@ data:
   {{- end }}
 {{- end }}
 {{- end -}}
+
+{{/*
+
+Usage:
+{{- include "common-helpers.defaultPodSecurityContext" . | nindent 0 }}
+
+Defines a common pod security context to ensure minimal privileges for containers.
+
+Values inspired from https://medium.com/dynatrace-engineering/kubernetes-security-part-3-security-context-7d44862c4cfa
+*/}}
+{{- define "common-helpers.defaultPodSecurityContext" -}}
+runAsNonRoot: true
+seccompProfile:
+  type: RuntimeDefault
+{{- end -}}
+
+{{/*
+
+Usage:
+{{- include "common-helpers.defaultContainerSecurityContext" . | nindent 0 }}
+
+Defines a common container security context to ensure minimal privileges for containers.
+
+Values inspired from https://medium.com/dynatrace-engineering/kubernetes-security-part-3-security-context-7d44862c4cfa
+*/}}
+{{- define "common-helpers.defaultContainerSecurityContext" -}}
+privileged: false
+readOnlyRootFilesystem: true
+allowPrivilegeEscalation: false
+capabilities:
+  drop:
+    - ALL
+{{- end -}}

charts/simcore-charts/namespace.yaml

@@ -0,0 +1,16 @@
+# namespace with defined pod security standard
+# inspired from https://aro-labs.com/pod-security-standards/
+# official doc: https://kubernetes.io/docs/concepts/security/pod-security-standards/
+#
+# Warning: if pod / container does not meet enforced standards, it will not be deployed (silently)
+# execute `kubectl -n <namespace> events` to see errors (e.g.)
+#   Error creating: pods "xyz" is forbidden: violates PodSecurity "baseline:latest": privileged
+#   container "xyz" must not set securityContext.privileged to true
+#
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: simcore
+  labels:
+    pod-security.kubernetes.io/enforce: baseline
+    pod-security.kubernetes.io/warn: restricted

charts/simcore-charts/resource-usage-tracker/Chart.yaml

@@ -4,7 +4,7 @@ description: A Helm chart for Kubernetes
 
 dependencies:
   - name: common-helpers
-    version: 0.0.1
+    version: 0.0.2
     repository: "file://../common-helpers"
 
 # A chart can be either an 'application' or a 'library' chart.
@@ -20,7 +20,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.0.1
+version: 0.0.2
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

charts/simcore-charts/resource-usage-tracker/templates/deployment.yaml

@@ -29,11 +29,19 @@ spec:
       {{- end }}
       serviceAccountName: {{ include "resource-usage-tracker.serviceAccountName" . }}
       securityContext:
+      {{- if .Values.podSecurityContext }}
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      {{- else }}
+        {{- include "common-helpers.defaultPodSecurityContext" . | nindent 8 }}
+      {{- end }}
       containers:
         - name: {{ .Chart.Name }}
           securityContext:
+          {{- if .Values.securityContext }}
             {{- toYaml .Values.securityContext | nindent 12 }}
+          {{- else }}
+            {{- include "common-helpers.defaultContainerSecurityContext" . | nindent 12 }}
+          {{- end }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           env:

charts/simcore-charts/resource-usage-tracker/values.yaml.gotmpl

@@ -28,16 +28,12 @@ serviceAccount:
 podAnnotations: {}
 podLabels: {}
 
-podSecurityContext: {}
-  # fsGroup: 2000
-
-securityContext: {}
-  # capabilities:
-  #   drop:
-  #   - ALL
-  # readOnlyRootFilesystem: true
-  # runAsNonRoot: true
-  # runAsUser: 1000
+podSecurityContext:
+  seccompProfile:
+    type: RuntimeDefault
+
+securityContext:
+  privileged: false
 
 service:
   type: ClusterIP