Open jawnsy opened 11 months ago
In case this is useful for anyone else, this can be applied using patches as follows:
```yaml
---
apiVersion: authzed.com/v1alpha1
kind: SpiceDBCluster
metadata:
  name: spicedb
spec:
  channel: stable
  config:
    datastoreEngine: postgres
    logLevel: info
    replicas: 3
    serviceAccountName: spicedb
  patches:
    - kind: Deployment
      patch:
        op: replace
        path: /spec/template/spec/securityContext
        value:
          runAsUser: 65532
          runAsGroup: 65532
          runAsNonRoot: true
          seccompProfile:
            type: RuntimeDefault
    - kind: Deployment
      patch:
        op: add
        path: /spec/template/spec/containers/0/securityContext
        value:
          runAsUser: 65532
          runAsGroup: 65532
          runAsNonRoot: true
          readOnlyRootFilesystem: true
          seccompProfile:
            type: RuntimeDefault
          allowPrivilegeEscalation: false
          capabilities:
            drop:
              - ALL
  secretName: spicedb
```
Summary
Add default pod and container security context settings.
Background
At the moment, the operator creates a deployment without any security context settings, so it will use the cluster defaults. SpiceDB is relatively low risk because it's not an external-facing service, but it would still be helpful to add some more restrictive defaults, because some clusters have admission controllers that enforce more restrictive policies (tools like Kyverno, OPA Gatekeeper, or OpenShift).
The deployment currently looks like this in our cluster (some irrelevant data removed to highlight the `securityContext`):

Adding some default pod and container security context settings would be useful:
Workaround
Users can apply this manually using patches, but it's preferable to have hardened defaults, especially because the SpiceDB maintainers have a better sense of the constraints that would work for you.
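The admission controllers mentioned in the issue typically enforce the Kubernetes Pod Security Standards "restricted" profile, and the two patches above are needed together because the pod-level `securityContext` does not carry `allowPrivilegeEscalation` or `capabilities` (those are container-only fields). The following script, added here as an illustration and not part of the spicedb-operator or the issue, checks a Deployment's pod template against the restricted-profile fields those patches set, applying the same pod-level/container-level inheritance Kubernetes uses. The three manifests it builds are constructed by hand to mirror the unpatched deployment, a deployment with only the first (pod-level) patch, and the fully patched one; the image name and the `spicedb` container name are placeholders.

```python
"""Check a Deployment against the Pod Security Standards "restricted" fields.

Added example for the spicedb-operator issue above; not project code.
The manifests at the bottom are constructed inline so this runs offline.
"""

NONROOT_UID = 65532  # uid used by the patches in the issue (distroless "nonroot")


def _effective(key, container_sc, pod_sc):
    """Kubernetes semantics: a container-level securityContext field overrides
    the pod-level one; otherwise the pod-level value applies."""
    return container_sc[key] if key in container_sc else pod_sc.get(key)


def pss_restricted_violations(deployment):
    """Return a list of human-readable restricted-profile violations.

    Covers the controls the issue's patches address: privilege escalation,
    capabilities, seccomp, running as root, plus host namespaces and
    privileged mode. An empty list means the pod template would be admitted
    by a policy modeled on the restricted profile.
    """
    pod_spec = deployment.get("spec", {}).get("template", {}).get("spec", {})
    pod_sc = pod_spec.get("securityContext") or {}
    violations = []

    if any(pod_spec.get(k) for k in ("hostNetwork", "hostPID", "hostIPC")):
        violations.append("pod: hostNetwork/hostPID/hostIPC must be unset")

    containers = pod_spec.get("containers", []) + pod_spec.get("initContainers", [])
    for c in containers:
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}

        # Container-only fields: pod-level securityContext cannot set these.
        if sc.get("privileged"):
            violations.append(f"{name}: privileged must not be true")
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(f"{name}: allowPrivilegeEscalation must be false")
        caps = sc.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []):
            violations.append(f"{name}: capabilities.drop must include ALL")
        extra = set(caps.get("add") or []) - {"NET_BIND_SERVICE"}
        if extra:
            violations.append(f"{name}: capabilities.add only permits NET_BIND_SERVICE, got {sorted(extra)}")

        # Fields that may come from either level; the container wins.
        seccomp = (_effective("seccompProfile", sc, pod_sc) or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            violations.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
        if _effective("runAsNonRoot", sc, pod_sc) is not True:
            violations.append(f"{name}: runAsNonRoot must be true")
        if _effective("runAsUser", sc, pod_sc) == 0:
            violations.append(f"{name}: runAsUser must not be 0")
    return violations


def make_deployment(pod_sc=None, container_sc=None):
    """Constructed minimal Deployment shaped like the operator's output."""
    container = {"name": "spicedb", "image": "spicedb:example"}  # placeholder image
    if container_sc is not None:
        container["securityContext"] = container_sc
    pod_spec = {"containers": [container]}
    if pod_sc is not None:
        pod_spec["securityContext"] = pod_sc
    return {"apiVersion": "apps/v1", "kind": "Deployment",
            "metadata": {"name": "spicedb"},
            "spec": {"template": {"spec": pod_spec}}}


# Values taken from the two patches in the issue.
POD_PATCH = {"runAsUser": NONROOT_UID, "runAsGroup": NONROOT_UID,
             "runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}}
CONTAINER_PATCH = dict(POD_PATCH, readOnlyRootFilesystem=True,
                       allowPrivilegeEscalation=False, capabilities={"drop": ["ALL"]})

UNPATCHED = make_deployment()                       # operator default: no securityContext
POD_PATCH_ONLY = make_deployment(pod_sc=POD_PATCH)  # first patch alone is not enough
FULLY_PATCHED = make_deployment(pod_sc=POD_PATCH, container_sc=CONTAINER_PATCH)

if __name__ == "__main__":
    for label, dep in (("unpatched", UNPATCHED), ("pod patch only", POD_PATCH_ONLY),
                       ("fully patched", FULLY_PATCHED)):
        print(f"{label}: {pss_restricted_violations(dep) or 'OK'}")
```

Running it shows the unpatched deployment failing four checks, the pod-level patch alone still failing the two container-only checks (`allowPrivilegeEscalation` and `capabilities.drop`), and the combination of both patches passing, which is why the workaround needs two entries under `patches`.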