Merge remote-tracking branch 'origin/feat-199-k8s-1.25' into feat/k8s-1.25

Author: bendehaan

.github/workflows/minikube-k8s-test.yml

@@ -25,7 +25,7 @@ jobs:
         with:
           minikube-version: 1.29.0
           driver: docker
-          kubernetes-version: v1.23.12
+          kubernetes-version: v1.25.6
       - name: test script
         run: |
           eval $(minikube docker-env)

aws/README.md

@@ -190,7 +190,7 @@ The documentation below is auto-generated to give insight on what's created via
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | The EKS cluster name | `string` | `"wrongsecrets-exercise-cluster"` | no |
-| <a name="input_cluster_version"></a> [cluster\_version](#input\_cluster\_version) | The EKS cluster version to use | `string` | `"1.23"` | no |
+| <a name="input_cluster_version"></a> [cluster\_version](#input\_cluster\_version) | The EKS cluster version to use | `string` | `"1.25"` | no |
 | <a name="input_extra_allowed_ip_ranges"></a> [extra\_allowed\_ip\_ranges](#input\_extra\_allowed\_ip\_ranges) | Allowed IP ranges in addition to creator IP | `list(string)` | `[]` | no |
 | <a name="input_region"></a> [region](#input\_region) | The AWS region to use | `string` | `"eu-west-1"` | no |
 | <a name="input_state_bucket_arn"></a> [state\_bucket\_arn](#input\_state\_bucket\_arn) | ARN of the state bucket to grant access to the s3 user | `string` | n/a | yes |

aws/build-an-deploy-aws.sh

@@ -93,6 +93,9 @@ else
   helm upgrade --install -n kube-system csi-secrets-store secrets-store-csi-driver/secrets-store-csi-driver --set enableSecretRotation=true --set rotationPollInterval=60s
 fi
 
+echo "Patching default namespace"
+kubectl apply -f k8s/workspace-psa.yml
+
 echo "Install ACSP"
 kubectl apply -f https://raw.githubusercontent.com/aws/secrets-store-csi-driver-provider-aws/main/deployment/aws-provider-installer.yaml
 

aws/k8s/workspace-psa.yml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: default
+  labels:
+    pod-security.kubernetes.io/enforce: restricted
+    kubernetes.io/metadata.name: default

helm/wrongsecrets-ctf-party/templates/cleanup/cron-job.yaml

@@ -20,13 +20,22 @@ spec:
             helm.sh/chart: {{ include "wrongsecrets-ctf-party.chart" . }}
         spec:
           serviceAccountName: 'wrongsecrets-cleaner'
-          {{- with .Values.wrongsecretsCleanup.securityContext }}
           securityContext:
-            {{- toYaml . | nindent 12 }}
-          {{- end }}
+            runAsUser: 1000
+            runAsGroup: 3000
+            fsGroup: 2000
           containers:
             - image: '{{ .Values.wrongsecretsCleanup.repository }}:{{ .Values.wrongsecretsCleanup.tag | default (printf "v%s" .Chart.Version) }}'
               imagePullPolicy: {{ .Values.imagePullPolicy | quote }}
+              securityContext:
+                allowPrivilegeEscalation: false
+                readOnlyRootFilesystem: true
+                runAsNonRoot: true
+                capabilities:
+                  drop:
+                    - ALL
+                seccompProfile:
+                  type: RuntimeDefault
               name: 'cleanup-job'
               env:
                 - name: NAMESPACE

helm/wrongsecrets-ctf-party/templates/wrongsecrets-balancer/deployment.yaml

@@ -24,10 +24,6 @@ spec:
         runAsGroup: 3000
         fsGroup: 2000
       serviceAccountName: wrongsecrets-balancer
-      {{- with .Values.balancer.securityContext }}
-      securityContext:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
       containers:
         - name: {{ .Chart.Name }}
           image: '{{ .Values.balancer.repository }}:{{ .Values.balancer.tag | default (printf "v%s" .Chart.Version) }}'
@@ -94,6 +90,12 @@ spec:
             allowPrivilegeEscalation: false
             readOnlyRootFilesystem: true
             runAsNonRoot: true
+            capabilities:
+              drop:
+                - ALL
+              add:
+                - CAP_NET_ADMIN
+                - CAP_NET_BIND_SERVICE
           volumeMounts:
             - name: config-volume
               mountPath: /home/app/config/

helm/wrongsecrets-ctf-party/values.yaml

@@ -34,9 +34,9 @@ balancer:
     # -- Set this to a fixed random alpa-numeric string (recommended length 24 chars). If not set this get randomly generated with every helm upgrade, each rotation invalidates all active cookies / sessions requirering users to login again.
     cookieParserSecret: null
   repository: jeroenwillemsen/wrongsecrets-balancer
-  tag: 1.7aws
+  tag: 1.8aws
   # -- Number of replicas of the wrongsecrets-balancer deployment. Changing this in a commit? PLEASE UPDATE THE GITHUB WORKLFOWS THEN!(NUMBER OF "TRUE")
-  replicas: 4
+  replicas: 2
   service:
     # -- Kubernetes service type
     type: ClusterIP
@@ -55,6 +55,18 @@ balancer:
     limits:
       memory: 1024Mi
       cpu: 1000m
+  securityContext:
+    allowPrivilegeEscalation: false
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+    capabilities:
+      drop:
+        - ALL
+      add:
+        - CAP_NET_ADMIN
+        - CAP_NET_BIND_SERVICE
+    seccompProfile:
+      type: RuntimeDefault
   # -- Optional Configure kubernetes scheduling affinity for the created JuiceShops (see: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity)
   affinity: {}
   # -- Optional Configure kubernetes toleration for the created JuiceShops (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)
@@ -129,6 +141,11 @@ wrongsecrets:
     allowPrivilegeEscalation: false
     readOnlyRootFilesystem: true
     runAsNonRoot: true
+    capabilities:
+      drop:
+        - ALL
+    seccompProfile:
+      type: RuntimeDefault
   # -- Optional environment variables to set for each JuiceShop instance (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/)
   env:
     - name: K8S_ENV
@@ -196,9 +213,15 @@ virtualdesktop:
     allowPrivilegeEscalation: false
     readOnlyRootFilesystem: true
     runAsNonRoot: true
+    capabilities:
+      drop:
+        - ALL
+    seccompProfile:
+      type: RuntimeDefault
   runtimeClassName: {}
   affinity: {}
   # -- Optional mount environment variables from configMaps or secrets (see: https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#configure-all-key-value-pairs-in-a-secret-as-container-environment-variables)
+
   envFrom: []
   tolerations: []
 
@@ -220,7 +243,6 @@ wrongsecretsCleanup:
       memory: 256Mi
     limits:
       memory: 256Mi
-  securityContext: {}
   # -- Optional Configure kubernetes scheduling affinity for the wrongsecretsCleanup Job(see: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity)
   affinity: {}
   # -- Optional Configure kubernetes toleration for the wrongsecretsCleanup Job (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)

wrongsecrets-balancer/src/kubernetes.js

@@ -34,6 +34,8 @@ const createNameSpaceForTeam = async (team) => {
     },
     labels: {
       name: `t-${team}`,
+      'pod-security.kubernetes.io/audit': 'restricted',
+      'pod-security.kubernetes.io/enforce': 'baseline',
     },
   };
   k8sCoreApi.createNamespace(namedNameSpace).catch((error) => {
@@ -126,11 +128,12 @@ const createK8sDeploymentForTeam = async ({ team, passcodeHash }) => {
               name: 'wrongsecrets',
               image: `jeroenwillemsen/wrongsecrets:${wrongSecretsContainterTag}`,
               imagePullPolicy: get('wrongsecrets.imagePullPolicy'),
-              // resources: get('wrongsecrets.resources'),
               securityContext: {
                 allowPrivilegeEscalation: false,
                 readOnlyRootFilesystem: true,
                 runAsNonRoot: true,
+                capabilities: { drop: ['ALL'] },
+                seccompProfile: { type: 'RuntimeDefault' },
               },
               env: [
                 {
@@ -385,6 +388,8 @@ const createAWSDeploymentForTeam = async ({ team, passcodeHash }) => {
                 allowPrivilegeEscalation: false,
                 readOnlyRootFilesystem: true,
                 runAsNonRoot: true,
+                capabilities: { drop: ['ALL'] },
+                seccompProfile: { type: 'RuntimeDefault' },
               },
               env: [
                 {
@@ -1068,6 +1073,11 @@ const createDesktopDeploymentForTeam = async ({ team, passcodeHash }) => {
         },
         spec: {
           serviceAccountName: 'webtop-sa',
+          // securityContext: {
+          //   runAsUser: 1000,
+          //   runAsGroup: 1000,
+          //   fsGroup: 1000,
+          // },
           containers: [
             {
               name: 'virtualdesktop',
@@ -1086,12 +1096,22 @@ const createDesktopDeploymentForTeam = async ({ team, passcodeHash }) => {
                   'ephemeral-storage': '8Gi',
                 },
               },
-              // resources: get('virtualdesktop.resources'),
               securityContext: {
-                // allowPrivilegeEscalation: false,
-                // readOnlyRootFilesystem: true,
+                allowPrivilegeEscalation: true, //S6 will capture any weird things
+                readOnlyRootFilesystem: false,
+                runAsNonRoot: false,
               },
-              env: [...get('virtualdesktop.env', [])],
+              env: [
+                {
+                  name: 'PUID',
+                  value: '1000',
+                },
+                {
+                  name: 'PGID',
+                  value: '1000',
+                },
+                ...get('virtualdesktop.env', []),
+              ],
               envFrom: get('virtualdesktop.envFrom'),
               ports: [
                 {
@@ -1127,7 +1147,7 @@ const createDesktopDeploymentForTeam = async ({ team, passcodeHash }) => {
             {
               emptyDir: {
                 medium: 'Memory',
-                sizeLimit: '128Mi',
+                sizeLimit: '160Mi',
               },
               name: 'config-fs',
             },