Closed jawnsy closed 11 months ago
Summary
Add security hardening for SpiceDB Operator deployment. Similar to #236, but for the operator instead of the deployments that the operator creates.
Background
The operator itself does not have any securityContext settings:
https://github.com/authzed/spicedb-operator/blob/715aed2a67d4b4596373f019642fa0ac89addad8/config/operator.yaml#L31-L63
And it's running as root for some reason: https://explore.ggcr.dev/?blob=ghcr.io/authzed/spicedb-operator@sha256:48525acebb788bf6bdb4b64a8719185555210e8fc7904366ae7a281765c9ad7b&mt=application%2Fvnd.docker.container.image.v1%2Bjson&size=2519&manifest=ghcr.io/authzed/spicedb-operator@sha256:4e58cdf61d343a3ace7d0f5f94f1e97e858e6b6c7a02afcd58a6f0e8ce6e682f
I think building from distroless/base:nonroot should resolve this issue: https://github.com/authzed/spicedb-operator/blob/715aed2a67d4b4596373f019642fa0ac89addad8/Dockerfile.release#L2
For the operator, I've applied the following patches via the Kustomization:
```yaml
patches:
  - target:
      kind: Deployment
      name: spicedb-operator
      namespace: spicedb-operator
    patch: |
      - op: replace
        path: /spec/template/spec/securityContext
        value:
          runAsUser: 65532
          runAsGroup: 65532
          runAsNonRoot: true
          seccompProfile:
            type: RuntimeDefault
      - op: add
        path: /spec/template/spec/containers/0/securityContext
        value:
          runAsUser: 65532
          runAsGroup: 65532
          runAsNonRoot: true
          readOnlyRootFilesystem: true
          seccompProfile:
            type: RuntimeDefault
          allowPrivilegeEscalation: false
          capabilities:
            drop:
              - ALL
      - op: add
        path: /spec/template/spec/volumes
        value:
          - name: scratch
            emptyDir:
              sizeLimit: 512Mi
      - op: add
        path: /spec/template/spec/containers/0/volumeMounts
        value:
          - mountPath: /tmp
            name: scratch
            subPath: tmp
```
The resulting deployment looks like it runs okay:
```yaml
spec:
  containers:
    - image: ghcr.io/authzed/spicedb-operator:v1.8.0
      name: spicedb-operator
      resources: {} # this should probably also be fixed
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
            - ALL
        readOnlyRootFilesystem: true
        runAsGroup: 65532
        runAsNonRoot: true
        runAsUser: 65532
        seccompProfile:
          type: RuntimeDefault
      volumeMounts:
        - mountPath: /tmp
          name: scratch
          subPath: tmp
  securityContext:
    runAsGroup: 65532
    runAsNonRoot: true
    runAsUser: 65532
    seccompProfile:
      type: RuntimeDefault
  serviceAccount: spicedb-operator
  serviceAccountName: spicedb-operator
  terminationGracePeriodSeconds: 30
  volumes:
    - emptyDir:
        sizeLimit: 512Mi
      name: scratch
```
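An audit of a pod spec against the settings in the patch above, as an added example that is not part of the original issue or the spicedb-operator code base. The names `effective` and `audit_pod_spec` and both sample specs are constructed for illustration; the input is assumed to be the `.spec.template.spec` of a Deployment as JSON.

```python
import json

def effective(pod_sc, ctr_sc, key):
    """Container-level value wins; otherwise fall back to the pod-level one."""
    return ctr_sc[key] if key in ctr_sc else pod_sc.get(key)

def audit_pod_spec(pod_spec):
    """Return findings for a Pod spec dict (e.g. .spec.template.spec as JSON)."""
    findings = []
    pod_sc = pod_spec.get("securityContext") or {}
    for ctr in pod_spec.get("containers", []):
        sc = ctr.get("securityContext") or {}
        name = ctr.get("name", "<unnamed>")
        # These three may be set at pod or container level.
        if effective(pod_sc, sc, "runAsNonRoot") is not True:
            findings.append(f"{name}: runAsNonRoot is not true")
        if effective(pod_sc, sc, "runAsUser") == 0:
            findings.append(f"{name}: runAsUser is 0 (root)")
        seccomp = (effective(pod_sc, sc, "seccompProfile") or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            findings.append(f"{name}: seccompProfile is {seccomp or 'unset'}")
        # These exist only on the container securityContext.
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation is not false")
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: readOnlyRootFilesystem is not true")
        if "ALL" not in (sc.get("capabilities") or {}).get("drop", []):
            findings.append(f"{name}: capabilities.drop lacks ALL")
    return findings

# Constructed samples: an operator pod with no securityContext, and the patched one.
UNHARDENED = json.loads('{"containers": [{"name": "spicedb-operator"}]}')
HARDENED = json.loads("""{
  "securityContext": {"runAsUser": 65532, "runAsGroup": 65532, "runAsNonRoot": true,
                      "seccompProfile": {"type": "RuntimeDefault"}},
  "containers": [{"name": "spicedb-operator", "securityContext": {
      "runAsUser": 65532, "runAsGroup": 65532, "runAsNonRoot": true,
      "readOnlyRootFilesystem": true, "allowPrivilegeEscalation": false,
      "seccompProfile": {"type": "RuntimeDefault"},
      "capabilities": {"drop": ["ALL"]}}}]
}""")

if __name__ == "__main__":
    for label, spec in (("unhardened", UNHARDENED), ("hardened", HARDENED)):
        print(label, audit_pod_spec(spec) or "OK")
```

Running the same function in CI over the rendered Kustomize output catches a regression if a later change drops one of the patched fields.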