bank-vaults / vault-secrets-webhook

A Kubernetes mutating webhook that makes direct secret injection into Pods possible.
https://bank-vaults.dev/docs/mutating-webhook/
Apache License 2.0

[ Openshift ] Default security capabilities #328

Open andloh opened 7 months ago

andloh commented 7 months ago

Preflight Checklist

Vault Secrets Webhook Version

1.21.0

Installation Type

Official Helm chart

Bank-Vaults Version

No response

Kubernetes Version

1.25.16

Kubernetes Distribution/Provisioner

Openshift (4.12.46)

Expected Behavior

Ref #69 solved by @sagikazarmark in #149. It seems like only the UUID issue was resolved? Not the extended capabilities introduced in 1.15.2.

Actual Behavior

Not able to fetch secrets from vault due to capabilities being added by default.

35s         Warning   FailedCreate        replicaset/test-deployment-init-seccontext-6bf988cf8d   Error creating: pods "test-deployment-init-seccontext-6bf988cf8d-" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, provider restricted-v2: .initContainers[0].capabilities.add: Invalid value: "CHOWN": capability may not be added, provider restricted-v2: .initContainers[0].capabilities.add: Invalid value: "SETFCAP": capability may not be added, provider restricted-v2: .initContainers[0].capabilities.add: Invalid value: "SETGID": capability may not be added, provider restricted-v2: .initContainers[0].capabilities.add: Invalid value: "SETPCAP": capability may not be added, provider restricted-v2: .initContainers[0].capabilities.add: Invalid value: "SETUID": capability may not be added.

Steps To Reproduce

Try to fetch secrets from vault using vault-secrets-webhook with version < 1.15.2 on Openshift

Configuration

1. Webhook helm chart

```yaml
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: vault-secrets-webhook
  namespace: vault
spec:
  interval: 5m
  chart:
    spec:
      chart: vault-secrets-webhook
      version: 1.21.0
      sourceRef:
        kind: HelmRepository
        name: bank-vaults
        namespace: vault
  values:
    resources:
      limits:
        memory: 512Mi
    secretsFailurePolicy: Fail
    configMapMutation: false
    podsFailurePolicy: Fail
    securityContext: {}
    env:
      REGISTRY_SKIP_VERIFY: true
```
2. Test manifest

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-deployment-init-seccontext
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: test-deployment-init-seccontext
  template:
    metadata:
      labels:
        app.kubernetes.io/name: test-deployment-init-seccontext
      annotations:
        vault.security.banzaicloud.io/vault-skip-verify: "true"
        vault.security.banzaicloud.io/vault-path: "kubernetes"
        vault.security.banzaicloud.io/run-as-non-root: "true"
    spec:
      containers:
        - name: hallo
          image: ubuntu:latest
          command: ["sh", "-c", "echo $AWS_SECRET_ACCESS_KEY && echo going to sleep... && sleep 10000"]
          env:
          - name: AWS_SECRET_ACCESS_KEY
            value: vault:secret/data/accounts/aws#AWS_SECRET_ACCESS_KEY
          resources:
            limits:
              memory: "128Mi"
              cpu: "100m"
```
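The FailedCreate event above is the restricted-v2 SCC rejecting every entry in the injected init container's `capabilities.add`. The following is an added example (not code from bank-vaults or this issue) that lets you lint a mutated Pod spec for the same rule before admission rejects it, and shows the shape the spec has to take to pass. The rule set (only `NET_BIND_SERVICE` may be added, `ALL` must be dropped) is an approximation of restricted-v2 and is an assumption here; the init container name and image are placeholders, and the five capabilities are taken from the event text.

```python
"""Pre-admission lint that mimics the capability rules of OpenShift's
restricted-v2 SCC, so a webhook-mutated Pod spec can be checked offline.

Added example, not bank-vaults code. ALLOWED_ADD / REQUIRED_DROP are an
approximation of restricted-v2 (assumption), not the SCC's full definition.
"""
import copy
from typing import Dict, List

# Assumed restricted-v2 capability rules (approximation).
ALLOWED_ADD = {"NET_BIND_SERVICE"}
REQUIRED_DROP = {"ALL"}


def check_capabilities(pod_spec: Dict) -> List[str]:
    """Return SCC-style violation messages for every container in pod_spec.

    Messages mirror the format of the FailedCreate event, e.g.
    '.initContainers[0].capabilities.add: Invalid value: "CHOWN": capability may not be added'.
    """
    violations: List[str] = []
    for field in ("initContainers", "containers"):
        for idx, container in enumerate(pod_spec.get(field, [])):
            caps = (container.get("securityContext") or {}).get("capabilities") or {}
            path = f".{field}[{idx}].capabilities"
            for cap in caps.get("add", []):
                if cap not in ALLOWED_ADD:
                    violations.append(
                        f'{path}.add: Invalid value: "{cap}": capability may not be added'
                    )
            if not REQUIRED_DROP <= set(caps.get("drop", [])):
                violations.append(
                    f"{path}.drop: Required value: must drop {sorted(REQUIRED_DROP)}"
                )
    return violations


def mutated_pod_from_issue() -> Dict:
    """Constructed Pod spec with the shape the event describes: an injected
    init container adding the five capabilities named in the error.
    Name and image are placeholders, not the webhook's real values."""
    return {
        "initContainers": [{
            "name": "copy-vault-env",          # placeholder
            "image": "vault-env:PLACEHOLDER",  # placeholder
            "securityContext": {
                "capabilities": {
                    "add": ["CHOWN", "SETFCAP", "SETGID", "SETPCAP", "SETUID"],
                },
            },
        }],
        "containers": [{
            "name": "hallo",
            "image": "ubuntu:latest",
            "securityContext": {"capabilities": {"drop": ["ALL"]}},
        }],
    }


def harden(pod_spec: Dict) -> Dict:
    """Return a copy whose containers only carry what restricted-v2 accepts:
    drop ALL, and keep only adds that are in ALLOWED_ADD."""
    hardened = copy.deepcopy(pod_spec)
    for field in ("initContainers", "containers"):
        for container in hardened.get(field, []):
            sc = container.setdefault("securityContext", {})
            caps = sc.setdefault("capabilities", {})
            caps["add"] = [c for c in caps.get("add", []) if c in ALLOWED_ADD]
            caps["drop"] = ["ALL"]
    return hardened


if __name__ == "__main__":
    pod = mutated_pod_from_issue()
    for msg in check_capabilities(pod):
        print("rejected:", msg)
    print("after hardening:", check_capabilities(harden(pod)))
```

Running it prints the five `capability may not be added` messages plus a missing `drop: ALL` for the init container, and an empty list for the hardened copy. Passing this lint only means the SCC's capability rules are satisfied; whether the injected init container still does its job without those capabilities is a separate question this issue does not settle.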
ramizpolic commented 7 months ago

Thanks for reporting this @andloh, we also noticed a lot of issues coming from OpenShift. Will address this in the upcoming releases!