Teleport Helm charts should meet the Restricted Pod Security Standard

[wadells]

What would you like Teleport to do?

I would like Teleport helm charts to meet the "Restricted" kubernetes Pod Security Standards, such that if pod-security.kubernetes.io/enforce: restricted was set on a cluster, the charts would successfully install.

What problem does this solve?

This provides a range of kubernetes hardening best practices introduced in 1.28.

If a workaround exists, please include it.

Set the admission policy to audit instead of enforce: pod-security.kubernetes.io/audit: restricted.

[wadells]

Copying over some comments from a separate thread:

@hugoShaka mentioned:

The workload deployed by both charts only passes the standard PSS level (IIRC teleport-kube-agent almost passes restricted). I think we are compatible with the restricted PSS (at least for the agent) but the charts are not setting the right security settings by default (no root + blocking priv escalation + seccomp/apparmor profiles).

My only concern regarding the PSS level is how a potential user change might affect file permissions. But if we face this issue, we can live with an init container that changes file permissions for 1 major version.

@tigrato responded:

Regarding the PSS, I believe it would be helpful but maintaining it will be difficult. It's trivial to miss the user change which will break all upgrades executed by teleport-updater :cry: For those users, it's also not trivial how to inform them - you need to install X because we forgot something and we need to use an init container to convert file permissions

[hugoShaka]

This provides a range of kubernetes hardening best practices introduced in 1.28.

I'll add a few details to avoid confusion:

• PSS (Pod Security Standards) has been here since 1.24 but it's not a feature per-se, only a guideline
• PSA (Pod Security Admission) has been GA since 1.24 and is actually used by customers to enforce PSS at the namespace level. Some of our guides are telling users to set the PSA annotation on the teleport namespace to restrict privileged executions.
• VAP (Validating Admission Policies) is the new 1.28 feature that allows webhookless custom validation policies. I have not seen VAP syntax or standard rules to enforce PSS like the PSA is doing.

Currently we do not support running out of the box in namespaces with the PSA enforcing the restricted level. You can try in any cluster 1.24+ to set the annotation and deploy the chart. The chart will not be able to deploy pods.

[kopiczko]

Hello I just applied pod-security.kubernetes.io/warn=restricted label to my teleport namespace and:

$ helm rollback -n teleport teleport-cluster 2
W1117 10:33:56.670837   13356 warnings.go:70] would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (containers "teleport", "operator" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "teleport", "operator" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or containers "teleport", "operator" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "teleport", "operator" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W1117 10:33:56.779238   13356 warnings.go:70] would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (containers "wait-auth-update", "teleport" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "wait-auth-update", "teleport" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or containers "wait-auth-update", "teleport" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "wait-auth-update", "teleport" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
Rollback was a success! Happy Helming!

Doesn't look like a lot to me. But it would be nice to have a test making sure the chart is complaint.

I don't know how (if at all) the helm chart for teleport is tested but I see this repository is using GH actions and it is fairly easy to spin up a kind, setup a labelled namespace and install a chart there.

[jm-bertheas-datailor]

Unable to install teleport-agent v14+ in rke2 cluster (k8s v1.29) with Pod Security Standard enabled (profile: cis), using default helm chart values.

Encountered error in helm install job: would violate PodSecurity "restricted:latest": unrestricted capabilities (container "teleport" must set securityContext.capabilities.drop=["ALL"]), seccompProfile (pod or container "teleport" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

To fix the problem you must : 1- change capabilities.drop: ["all"] in initSecurityContext and securityContext default values to capabilities.drop: ["ALL"] in capital letters. 2- add seccompProfile.type: "RuntimeDefault" in initSecurityContext and securityContext

Then default values must cointains something like that:

# Security context to add to the initContainer
initSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  runAsUser: 9807
  seccompProfile:
    type: RuntimeDefault

# Security context to add to other containers
securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  runAsUser: 9807
  seccompProfile:
    type: RuntimeDefault

[hugoShaka]

Ah, I missed the Teleport v15 train for this change. I don't think changing the defaults will disrupt many people, but I'd rather be cautious and ship this in a major release (IIRC the RuntimeDefault profile is incompatible with old Kubernetes versions).

I will change the agent defaults to the one you pasted in the master branch. This will be the new default in Teleport 16.

Thank you for reporting your values.

[jm-bertheas-datailor]

you're welcome :)

[hugoShaka]

Starting with Teleport 16, the teleport-kube-agent chart will be compliant with the restricted PSS by default.