search

authzed / spicedb-operator

Kubernetes controller for managing instances of SpiceDB
Apache License 2.0
62 stars 26 forks source link

Default security context settings for SpiceDB Operator #237

Closed jawnsy closed 11 months ago

jawnsy commented 11 months ago

Summary

Add security hardening for SpiceDB Operator deployment. Similar to #236, but for the operator instead of the deployments that the operator creates.

Background

The operator itself does not have any securityContext settings:

https://github.com/authzed/spicedb-operator/blob/715aed2a67d4b4596373f019642fa0ac89addad8/config/operator.yaml#L31-L63

And it's running as root for some reason: https://explore.ggcr.dev/?blob=ghcr.io/authzed/spicedb-operator@sha256:48525acebb788bf6bdb4b64a8719185555210e8fc7904366ae7a281765c9ad7b&mt=application%2Fvnd.docker.container.image.v1%2Bjson&size=2519&manifest=ghcr.io/authzed/spicedb-operator@sha256:4e58cdf61d343a3ace7d0f5f94f1e97e858e6b6c7a02afcd58a6f0e8ce6e682f

I think building from distroless/base:nonroot should resolve this issue: https://github.com/authzed/spicedb-operator/blob/715aed2a67d4b4596373f019642fa0ac89addad8/Dockerfile.release#L2

For the operator, I've applied the following patches via the Kustomization:

  patches:
    - target:
        kind: Deployment
        name: spicedb-operator
        namespace: spicedb-operator
      patch: |
        - op: replace
          path: /spec/template/spec/securityContext
          value:
            runAsUser: 65532
            runAsGroup: 65532
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault
        - op: add
          path: /spec/template/spec/containers/0/securityContext
          value:
            runAsUser: 65532
            runAsGroup: 65532
            runAsNonRoot: true
            readOnlyRootFilesystem: true
            seccompProfile:
              type: RuntimeDefault
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
        - op: add
          path: /spec/template/spec/volumes
          value:
            - name: scratch
              emptyDir:
                sizeLimit: 512Mi
        - op: add
          path: /spec/template/spec/containers/0/volumeMounts
          value:
            - mountPath: /tmp
              name: scratch
              subPath: tmp

The resulting deployment looks like it runs okay:

    spec:
      containers:
          image: ghcr.io/authzed/spicedb-operator:v1.8.0
          name: spicedb-operator
          resources: {} # this should probably also be fixed
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsGroup: 65532
            runAsNonRoot: true
            runAsUser: 65532
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            - mountPath: /tmp
              name: scratch
              subPath: tmp
      securityContext:
        runAsGroup: 65532
        runAsNonRoot: true
        runAsUser: 65532
        seccompProfile:
          type: RuntimeDefault
      serviceAccount: spicedb-operator
      serviceAccountName: spicedb-operator
      terminationGracePeriodSeconds: 30
      volumes:
        - emptyDir:
            sizeLimit: 512Mi
          name: scratch