XenitAB / gatekeeper-library

Collection of OPA Gatekeeper policies that can be used in your Kubernetes cluster.
MIT License

Drop CAP_SYS_ADMIN through mutating webhook and add a default seccomp profile #64

Closed NissesSenap closed 2 years ago

NissesSenap commented 2 years ago

Not only drop NET_RAW but also CAP_SYS_ADMIN. Also add a default config for seccompProfile depending on whether something else is defined.

Solves: https://github.com/XenitAB/gatekeeper-library/issues/62 and https://github.com/XenitAB/gatekeeper-library/issues/63

It seems there are still changes to the CRD version even though https://github.com/XenitAB/gatekeeper-library/pull/61 was merged. Maybe everything wasn't fixed upstream.

NissesSenap commented 2 years ago

So I have verified that the pathTests config works as intended.

Creating the below pod will use the defined seccompProfile of Unconfined. But if I don't define anything it will set

```yaml
  securityContext:
    seccompProfile:
      type: RuntimeDefault
```

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: debug2
  namespace: lab
spec:
  securityContext:
    seccompProfile:
      type: Unconfined
  containers:
    - command:
        - /bin/sh
      resources:
        requests:
          memory: "16Mi"
          cpu: "10m"
        limits:
          memory: "64Mi"
          cpu: "100m"
      image: alpine:latest
      name: container-00
      tty: true
```
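
An Assign mutation that produces the behaviour verified above (the pod-level seccompProfile is defaulted to RuntimeDefault only when the pod sets none), written here as an added illustration and not copied from the gatekeeper-library repository or from this PR. The metadata name, the excluded namespace and the `v1alpha1` apiVersion are assumptions; the apiVersion in particular depends on which Gatekeeper release is installed.

```yaml
# Added example, not the PR's own manifest. The apiVersion is an assumption:
# older Gatekeeper releases serve mutations.gatekeeper.sh/v1alpha1,
# newer ones v1beta1 and v1.
apiVersion: mutations.gatekeeper.sh/v1alpha1
kind: Assign
metadata:
  name: default-seccomp-profile   # assumed name
spec:
  applyTo:
    - groups: [""]
      kinds: ["Pod"]
      versions: ["v1"]
  match:
    scope: Namespaced
    kinds:
      - apiGroups: ["*"]
        kinds: ["Pod"]
    excludedNamespaces: ["kube-system"]   # assumed; system pods often need their own profiles
  # Pod-level field, the same one the debug2 pod above sets explicitly.
  location: "spec.securityContext.seccompProfile"
  parameters:
    # Only mutate when the pod has not chosen a profile itself: a pod that
    # sets type: Unconfined (or Localhost) is left untouched, a pod with no
    # seccompProfile at all gets RuntimeDefault.
    pathTests:
      - subPath: "spec.securityContext.seccompProfile"
        condition: MustNotExist
    assign:
      value:
        type: RuntimeDefault
```

Because the pathTests condition is MustNotExist, the debug2 pod above keeps `type: Unconfined` while a pod without `spec.securityContext.seccompProfile` ends up with RuntimeDefault. A container-level `securityContext.seccompProfile` still overrides the pod-level one, so a container can opt out of the default unless a separate constraint forbids it (a second Assign with location `spec.containers[name:*].securityContext.seccompProfile` covers that field). To confirm what a running container actually got, `grep Seccomp /proc/self/status` inside it reports `Seccomp: 2` when the runtime's filter is applied and `Seccomp: 0` for Unconfined.
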
NissesSenap commented 2 years ago

Trying to find exactly what RuntimeDefault includes. I found it for Docker: https://docs.docker.com/engine/security/seccomp/#significant-syscalls-blocked-by-the-default-profile I reached out in the Kubernetes security Slack and let's see if I get some reply there.

NissesSenap commented 2 years ago

Got a reply on my question in slack.

AFAIK runtime/default seccomp profile is defined by the CRI (so Docker, ContainerD, CRI-O). I've not seen a comparison of the available CRIs to know if there are any differences or if they all use the same list.

This is probably the one used in containerd. https://github.com/containerd/containerd/blob/main/contrib/seccomp/seccomp_default.go

NissesSenap commented 2 years ago

Migrate all 3 changes into separate PRs:

- https://github.com/XenitAB/gatekeeper-library/pull/66 update upstream
- https://github.com/XenitAB/gatekeeper-library/pull/67 remove CAP_SYS_ADMIN
- https://github.com/XenitAB/gatekeeper-library/pull/68 add seccomp