Set `allowPrivilegeEscalation`, `seccompProfile`, `runAsNonRoot` and `capabilities` in line with Kubernetes pod security standards. This gets rid of most of the warnings whenever we deploy the helm chart. (https://github.com/ministryofjustice/data-catalogue/issues/27)

`allowPrivilegeEscalation` is documented (poorly) at https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#securitycontext-v1-core and clarified in this article https://medium.com/pareture/how-allowprivilegeescalation-works-in-kubernetes-ce696494f87b

TL;DR this will set NoNewPrivileges to 1 on the containers, which defends against privilege escalation.

Using `RuntimeDefault` for the seccompProfile means the container runtime's default profile will be used for seccomp, which should restrict the container to a reasonable set of syscalls.

For the most part we were already using `runAsUser` so we are not relying on running as root. The only one I needed to change was `elasticsearchSetupJob` - this now matches the values here https://github.com/acryldata/datahub-helm/blob/2b1d1ab0ca869926829068cc4caff14d90f8f807/charts/datahub/values.yaml#L142-L143

For capabilities, the policy requires that we drop everything and add only what we need. See https://man7.org/linux/man-pages/man7/capabilities.7.html

I've removed everything except for the ability to bind to ports below 1024 (CAP_NET_BIND_SERVICE).

The remaining warnings are not security related. They are caused by us using `secretKeyRef` which created maps in our YAML.

```
coalesce.go:289: warning: destination for datahub.global.sql.datasource.username is a table. Ignoring non-table value (root)
coalesce.go:289: warning: destination for datahub.datahub-gms.global.sql.datasource.username is a table. Ignoring non-table value (datahub)
coalesce.go:289: warning: destination for datahub.datahub-mce-consumer.global.sql.datasource.username is a table. Ignoring non-table value (datahub)
coalesce.go:289: warning: destination for datahub.global.sql.datasource.username is a table. Ignoring non-table value (root)
coalesce.go:289: warning: destination for datahub.sql.datasource.username is a table. Ignoring non-table value (root)
coalesce.go:289: warning: destination for datahub.datahub-gms.global.sql.datasource.username is a table. Ignoring non-table value (datahub)
coalesce.go:289: warning: destination for datahub.sql.datasource.username is a table. Ignoring non-table value (root)
coalesce.go:289: warning: destination for datahub.sql.datasource.username is a table. Ignoring non-table value (root)
```
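For reference, an added example (not from this PR or the datahub-helm chart) of a container securityContext before and after applying the four settings described above; the pod name, image, port and UID are placeholders.

```yaml
# Added example, not part of the PR. Image, port and UID are placeholders.
#
# BEFORE: no securityContext, so the Pod Security "restricted" profile warns
# about allowPrivilegeEscalation, seccompProfile, runAsNonRoot and capabilities.
apiVersion: v1
kind: Pod
metadata:
  name: example-before
spec:
  containers:
    - name: app
      image: example/app:placeholder
---
# AFTER: the same container hardened in line with the restricted profile.
apiVersion: v1
kind: Pod
metadata:
  name: example-after
spec:
  containers:
    - name: app
      image: example/app:placeholder
      ports:
        - containerPort: 80   # below 1024, which is why NET_BIND_SERVICE is kept
      securityContext:
        # Sets NoNewPrivileges=1 on the process: setuid binaries and file
        # capabilities cannot grant it more privilege than it started with.
        allowPrivilegeEscalation: false
        # Apply the container runtime's default seccomp profile to limit syscalls.
        seccompProfile:
          type: RuntimeDefault
        # Refuse to start if the process would run as UID 0. Setting runAsUser
        # explicitly avoids the kubelet rejecting images that do not declare a
        # non-root USER (the "elasticsearchSetupJob" case in the PR).
        runAsNonRoot: true
        runAsUser: 1000
        # Drop every capability, then add back only what this workload needs.
        # Kubernetes writes capability names without the CAP_ prefix.
        capabilities:
          drop:
            - ALL
          add:
            - NET_BIND_SERVICE
```

Applying the "before" manifest to a namespace labelled `pod-security.kubernetes.io/warn=restricted` reproduces the warnings the PR removes; the "after" manifest applies without them.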