[Feature] Improve security context on fluent-bit container from the flux deployments - Gitops Extension

carvido1 commented 1 year ago

Is your feature request related to a problem? Please describe. We are trying to enable the gitops extension in a regulated environment, but due to some policies and security constrains we have the OOB gitops extension in failure state.

As workaround, when we enable the extension we need to patch both deployments (fluxconfig-agent and fluxconfig-controller). The patch workaround makes the extension hard to automate and maintain. We don't know if it will be upgraded with an AKS upgrade, making the patch disappear and getting an extension failure.

Describe the solution you'd like A better securityContext like the following patch:

kind: Deployment
apiVersion: apps/v1
metadata: 
  name: fluxconfig-agent
  namespace: flux-system
spec:
  template:
    spec:
      containers:
      - name: fluent-bit
        securityContext:
          allowPrivilegedEscalation: false
          capabilities:
            drop:
              - ALL
          readOnlyFilesystem: true
          runAsNonRoot: true
          runAsGroup: 65532
          runAsUser: 65532
---
kind: Deployment
apiVersion: apps/v1
metadata: 
  name: fluxconfig-controller
  namespace: flux-system
spec:
  template:
    spec:
      containers:
      - name: fluent-bit
        securityContext:
          allowPrivilegedEscalation: false
          capabilities:
            drop:
              - ALL
          readOnlyFilesystem: true
          runAsNonRoot: true
          runAsGroup: 65532
          runAsUser: 65532

Describe alternatives you've considered Our alternatives are to create an exception on the policies we have. This would make sense if we couldn't improve the security best practices on the fluent-bit container.

Additional context We have checked the fluent-bit container and we found the nobody user with id 65532. We have tested it and the container seems to be working with that user id.