fluxcd / flux2

Open and extensible continuous delivery solution for Kubernetes. Powered by GitOps Toolkit.
https://fluxcd.io
Apache License 2.0

[Enhancement] Implement explicit security contexts for pods and containers #1500

Closed Cellebyte closed 3 years ago

Cellebyte commented 3 years ago

Example containerSecurity that could be implemented.

Should that be a standard implementation in the release manifests from fluxctl?

```yaml
...
      containers:
      - name: <name>
        securityContext:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
          runAsNonRoot: true
          capabilities:
            drop:
              - ALL
...
```

Example podSecurity

```yaml
...
  securityContext:
    runAsUser: <uid>
    fsGroup: <gid>
...
```

Currently it uses the standard allow-everything policy, which is not great and also breaks the security policies of our cluster. The best way would be to have it upstream to ensure that it is correctly implemented. We can patch it on our own, but if greater changes happen to how Flux gets deployed it will brick.

Originally posted by @Cellebyte in https://github.com/fluxcd/flux2/discussions/1483

stefanprodan commented 3 years ago

Hardcoding a UID for runAsUser is not an option for us, as this will block Flux on OpenShift and other distributions that are allocating a UID range. Kyverno should be installed by Flux, so I see no issues here; you can exclude the flux-system namespace from Kyverno policies or follow the PSP guide here: https://fluxcd.io/docs/installation/#pod-security-policy

Cellebyte commented 3 years ago

@stefanprodan so it will not be patched into the plain manifests but should be patched by ourselves. Thanks for the clarification.
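One way to apply the container settings from the first comment to the Flux controllers yourself, as the maintainer suggests, while leaving out the pod-level runAsUser/fsGroup that would break UID-range distributions such as OpenShift. This is an added example, not code from the issue or from the Flux project. It assumes the layout produced by flux bootstrap (a flux-system/kustomization.yaml listing gotk-components.yaml and gotk-sync.yaml), that the controller Deployments carry the label app.kubernetes.io/part-of=flux, and that each names its container manager; check those three assumptions against your own gotk-components.yaml before applying.

```yaml
# flux-system/kustomization.yaml
# Added example, not from the issue or the Flux project. Assumes files generated
# by `flux bootstrap`, Deployments labelled app.kubernetes.io/part-of=flux and a
# container named "manager"; verify against your gotk-components.yaml.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - gotk-components.yaml
  - gotk-sync.yaml
patches:
  - target:
      kind: Deployment
      labelSelector: app.kubernetes.io/part-of=flux
    patch: |
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: not-used   # ignored: the target selector above chooses the objects
      spec:
        template:
          spec:
            # Pod level: deliberately no runAsUser/fsGroup, so OpenShift and other
            # distributions that allocate a UID range per namespace keep working.
            securityContext:
              runAsNonRoot: true
              seccompProfile:
                type: RuntimeDefault   # not in the issue's list; added here
            containers:
              - name: manager
                securityContext:
                  readOnlyRootFilesystem: true
                  allowPrivilegeEscalation: false
                  runAsNonRoot: true
                  capabilities:
                    drop:
                      - ALL
```

Render with `kustomize build flux-system` and confirm every controller Deployment received the patch before committing. Two things to watch: with no fixed runAsUser, `runAsNonRoot: true` relies on the image declaring a non-root USER, otherwise the kubelet refuses to start the container; and `readOnlyRootFilesystem: true` requires every path a controller writes to be backed by a volume, so if a controller crash-loops after this change, check its logs for read-only filesystem errors and add an emptyDir mount for that path in the same patch.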