feat: drop all capabilities

Following kubesec's best practices we are now explicitly dropping all capabilities in the snyk-monitor.
This should positively affect the secure config displayed in Snyk UI.

Author: ivanstanev

snyk-monitor-deployment.yaml

@@ -57,7 +57,10 @@ spec:
           limits:
             cpu: '1'
             memory: '2Gi'
-      securityContext: {}
+        securityContext:
+          capabilities:
+            drop:
+              - ALL
       volumes:
       - name: docker-config
         secret:

snyk-monitor/templates/deployment.yaml

@@ -51,6 +51,10 @@ spec:
             limits:
               cpu: '1'
               memory: '2Gi'
+          securityContext:
+            capabilities:
+              drop:
+                - ALL
       volumes:
         - name: docker-config
           secret:

test/helpers/deployment.ts

@@ -0,0 +1,37 @@
+import * as tap from 'tap';
+import { V1Deployment } from '@kubernetes/client-node';
+
+export function validateSecureConfiguration(test: tap, deployment: V1Deployment) {
+  if (
+    !deployment.spec ||
+    !deployment.spec.template.spec ||
+    !deployment.spec.template.spec.containers ||
+    deployment.spec.template.spec.containers.length === 0 ||
+    !deployment.spec.template.spec.containers[0].securityContext
+  ) {
+    test.fail('bad container spec or missing securityContext');
+    return;
+  }
+
+  const securityContext =
+    deployment.spec.template.spec.containers[0].securityContext;
+
+  if (!securityContext.capabilities) {
+    test.fail('missing capabilities section in pod securityContext');
+    return;
+  }
+
+  test.same(
+    securityContext.capabilities.drop,
+    ['ALL'],
+    'all capabilities are dropped',
+  );
+
+  if (securityContext.capabilities.add) {
+    test.false(
+      securityContext.capabilities.add.includes('SYS_ADMIN'),
+      'CAP_SYS_ADMIN not added',
+    );
+  }
+}
+

test/integration/kubernetes.test.ts

@@ -1,4 +1,4 @@
-import { CoreV1Api, KubeConfig } from '@kubernetes/client-node';
+import { CoreV1Api, KubeConfig, AppsV1Api } from '@kubernetes/client-node';
 import setup = require('../setup');
 import * as tap from 'tap';
 import { getKindConfigPath } from '../helpers/kind';
@@ -9,6 +9,7 @@ import {
   validateHomebaseStoredMetadata,
   getHomebaseResponseBody,
 } from '../helpers/homebase';
+import { validateSecureConfiguration } from '../helpers/deployment';
 
 let integrationId: string;
 
@@ -162,3 +163,19 @@ tap.test(`snyk-monitor has resource limits`, async (t) => {
   t.ok(monitorResources.requests.cpu !== undefined, 'snyk-monitor has cpu resource request');
   t.ok(monitorResources.requests.memory !== undefined, 'snyk-monitor has memory resource request');
 });
+
+tap.test('snyk-monitor secure configuration is as expected', async (t) => {
+  const kindConfigPath = await getKindConfigPath();
+  const kubeConfig = new KubeConfig();
+  kubeConfig.loadFromFile(kindConfigPath);
+
+  const k8sApi = kubeConfig.makeApiClient(AppsV1Api);
+
+  const response = await k8sApi.readNamespacedDeployment(
+    'snyk-monitor',
+    'snyk-monitor',
+  );
+  const deployment = response.body;
+
+  validateSecureConfiguration(t, deployment);
+});

test/unit/deployment-files.test.ts

@@ -0,0 +1,23 @@
+import * as tap from 'tap';
+import { parse } from 'yaml';
+import { readFileSync } from 'fs';
+import { V1Deployment } from '@kubernetes/client-node';
+import * as snykConfig from '../../src/common/config';
+import { validateSecureConfiguration } from '../helpers/deployment';
+
+/**
+ * Note that these checks are also performed at runtime on the deployed snyk-monitor, see the integration tests.
+ */
+
+tap.test('ensure the security properties of the deployment files are unchanged', async (t) => {
+  t.same(snykConfig.IMAGE_STORAGE_ROOT, '/var/tmp', 'the snyk-monitor points to the correct mounted path');
+
+  const deploymentFiles = ['./snyk-monitor/templates/deployment.yaml', './snyk-monitor-deployment.yaml'];
+
+  for (const filePath of deploymentFiles) {
+    const fileContent = readFileSync(filePath, 'utf8');
+    const deployment: V1Deployment = parse(fileContent);
+
+    validateSecureConfiguration(t, deployment);
+  }
+});