init container securityContext hardening

[lahabana]

Description

Here's the init-containers for a Pod:

  initContainers:
  - args:
    - --redirect-outbound-port
    - "15001"
    - --redirect-inbound=true
    - --redirect-inbound-port
    - "15006"
    - --redirect-inbound-port-v6
    - "15010"
    - --kuma-dp-uid
    - "5678"
    - --exclude-inbound-ports
    - ""
    - --exclude-outbound-ports
    - ""
    - --verbose
    - --redirect-all-dns-traffic
    - --redirect-dns-port
    - "15053"
    command:
    - /usr/bin/kumactl
    - install
    - transparent-proxy
    image: docker.io/kong/kuma-init:0.0.0-preview.vf0ebdfa65
    imagePullPolicy: IfNotPresent
    name: kuma-init
    resources:
      limits:
        cpu: 100m
        memory: 50M
      requests:
        cpu: 20m
        memory: 20M
    securityContext:
      capabilities:
        add:
        - NET_ADMIN
        - NET_RAW
      runAsGroup: 0
      runAsUser: 0
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: kube-api-access-bgpfv
      readOnly: true

Few things to notice:

• securityContext doesn't have readOnlyRootFS.
• To have readOnlyRootFS we'll likely need /tmp as an emptyDir
• If we use emptyDir we'll need to have a size and add request/limits on it
• securityContext adds capabilities but we should use drop: all to start and add back selective capabilities we need.

We're doing similar work for the sidecar container so checking it might help in defining the right config.

[jakubdyszkiewicz]

xref https://github.com/kumahq/kuma/issues/6714