ministryofjustice / data-catalogue

Data catalogue • This repository is defined and managed in Terraform
MIT License

Implement recommended PodSecurity settings for DataHub deployment #27

Closed tom-webber closed 5 months ago

tom-webber commented 7 months ago

Deployments to cloud platform are currently violating pod security recommendations. We should evaluate the values.yaml file and make the recommended alterations to improve security hardening.

warnings.go:70] would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "datahub-frontend" must set securityContext.allowPrivilegeEscalation=false),
 unrestricted capabilities (container "elasticsearch-setup-job" must set securityContext.capabilities.drop=["ALL"]),
 runAsNonRoot != true (pod or container "elasticsearch-setup-job" must set securityContext.runAsNonRoot=true),
 seccompProfile (pod or container "elasticsearch-setup-job" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

Definition of done:
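
The four checks named in the admission warning above can be reproduced offline against a pod spec, and the same script shows the securityContext that clears them. This is an added example, not code from the data-catalogue repo or the DataHub Helm chart: the pod spec is constructed by hand to mirror the warning, and the chart keys under which these fields would go in values.yaml are chart-specific and are not assumed here. It only covers the four fields the warning lists, not the full restricted profile (volume types, hostPath, capabilities.add and so on are out of scope).

```python
"""Check a pod spec against the PodSecurity fields named in the issue's
warning, and produce a container securityContext that satisfies them.

Added example, not the project's own code. The pod spec and container names
below are constructed to match the warning text; only the four checks the
warning lists are implemented (not the whole "restricted" profile)."""
import copy

# Constructed sample: the frontend container is missing only
# allowPrivilegeEscalation=false; the setup-job container has that set but
# lacks the other three settings, so the sample yields the same four
# violations the issue quotes.
SAMPLE_POD = {
    "securityContext": {},  # pod-level context (runAsNonRoot/seccompProfile may be set here)
    "containers": [
        {
            "name": "datahub-frontend",
            "securityContext": {
                "runAsNonRoot": True,
                "capabilities": {"drop": ["ALL"]},
                "seccompProfile": {"type": "RuntimeDefault"},
            },
        },
        {
            "name": "elasticsearch-setup-job",
            "securityContext": {"allowPrivilegeEscalation": False},
        },
    ],
}

# Container-level securityContext that clears all four checks.
RESTRICTED_CONTAINER_SC = {
    "allowPrivilegeEscalation": False,
    "runAsNonRoot": True,
    "capabilities": {"drop": ["ALL"]},
    "seccompProfile": {"type": "RuntimeDefault"},
}


def _effective(pod_sc, container_sc, key):
    """Container-level value wins, otherwise fall back to the pod-level value
    (Kubernetes semantics for runAsNonRoot and seccompProfile)."""
    return container_sc[key] if key in container_sc else pod_sc.get(key)


def check_restricted(pod):
    """Return violation strings in the same wording as the PodSecurity warning."""
    pod_sc = pod.get("securityContext") or {}
    violations = []
    for c in pod.get("containers", []) + pod.get("initContainers", []):
        name = c["name"]
        sc = c.get("securityContext") or {}
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(
                f'allowPrivilegeEscalation != false (container "{name}" must set '
                f"securityContext.allowPrivilegeEscalation=false)")
        dropped = (sc.get("capabilities") or {}).get("drop") or []
        if "ALL" not in dropped:
            violations.append(
                f'unrestricted capabilities (container "{name}" must set '
                f'securityContext.capabilities.drop=["ALL"])')
        if _effective(pod_sc, sc, "runAsNonRoot") is not True:
            violations.append(
                f'runAsNonRoot != true (pod or container "{name}" must set '
                f"securityContext.runAsNonRoot=true)")
        profile = (_effective(pod_sc, sc, "seccompProfile") or {}).get("type")
        if profile not in ("RuntimeDefault", "Localhost"):
            violations.append(
                f'seccompProfile (pod or container "{name}" must set '
                f'securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")')
    return violations


def harden(pod):
    """Return a copy of the pod with RESTRICTED_CONTAINER_SC layered over every
    container's securityContext. Existing unrelated keys (e.g. runAsUser)
    survive; the four hardening keys always win."""
    out = copy.deepcopy(pod)
    for c in out.get("containers", []) + out.get("initContainers", []):
        merged = dict(c.get("securityContext") or {})
        merged.update(copy.deepcopy(RESTRICTED_CONTAINER_SC))
        c["securityContext"] = merged
    return out


if __name__ == "__main__":
    for v in check_restricted(SAMPLE_POD):
        print("would violate PodSecurity restricted:", v)
    print("after harden():", check_restricted(harden(SAMPLE_POD)) or "no violations")
```

Running it prints the four violation lines from the issue, then reports no violations after `harden()`. In a Helm-deployed chart the same settings go into the per-component securityContext values rather than the rendered pod, and a `kubectl apply --dry-run=server` against the namespace will show whether the warning has gone.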

MatMoore commented 5 months ago

Some more warnings -

coalesce.go:289: warning: destination for datahub.global.sql.datasource.username is a table. Ignoring non-table value (root)
coalesce.go:289: warning: destination for datahub.datahub-gms.global.sql.datasource.username is a table. Ignoring non-table value (datahub)
coalesce.go:289: warning: destination for datahub.datahub-mce-consumer.global.sql.datasource.username is a table. Ignoring non-table value (datahub)
coalesce.go:289: warning: destination for datahub.global.sql.datasource.username is a table. Ignoring non-table value (root)
coalesce.go:289: warning: destination for datahub.sql.datasource.username is a table. Ignoring non-table value (root)
coalesce.go:289: warning: destination for datahub.datahub-gms.global.sql.datasource.username is a table. Ignoring non-table value (datahub)
coalesce.go:289: warning: destination for datahub.sql.datasource.username is a table. Ignoring non-table value (root)
coalesce.go:289: warning: destination for datahub.sql.datasource.username is a table. Ignoring non-table value (root)

These are due to using secretRefs in our values

      username:
        secretRef: rds-postgresql-instance-output
        secretKey: database_username
      password:
        secretRef: rds-postgresql-instance-output
        secretKey: database_password

I'm not sure if there is a way to fix this, but it should be safe to ignore, as it's using the values we specify and ignoring the default values.
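
The coalesce warning can be reproduced with a small model of how Helm merges user-supplied values over chart defaults. This is an added example, not code from the data-catalogue repo or from Helm itself; the chart default values below (a plain-string `username: root`) are constructed for illustration and only the "destination is a table" case of Helm's merge is modelled.

```python
"""Model of Helm's value coalescing, enough to reproduce the
"destination for ... is a table. Ignoring non-table value" warning.

Added example, not Helm's code. CHART_DEFAULTS is constructed; the real
DataHub chart defaults are not reproduced here."""
import copy

# Constructed chart defaults: the chart ships username as a plain string.
CHART_DEFAULTS = {
    "global": {
        "sql": {
            "datasource": {
                "username": "root",
                "host": "prerequisites-mysql:3306",
            }
        }
    }
}

# User values as quoted in the issue: username is a table (secretRef/secretKey).
USER_VALUES = {
    "global": {
        "sql": {
            "datasource": {
                "username": {
                    "secretRef": "rds-postgresql-instance-output",
                    "secretKey": "database_username",
                },
                "password": {
                    "secretRef": "rds-postgresql-instance-output",
                    "secretKey": "database_password",
                },
            }
        }
    }
}


def coalesce(dest, src, path="", warnings=None):
    """Merge chart defaults (src) into user values (dest), user values winning.

    Tables present on both sides merge recursively. A scalar default whose
    destination is already a table is dropped with Helm's warning text; a
    scalar on the user side simply keeps the user's value (assumption: the
    reverse case is not modelled)."""
    if warnings is None:
        warnings = []
    for key, sval in src.items():
        p = f"{path}.{key}" if path else key
        if key not in dest:
            dest[key] = copy.deepcopy(sval)  # default fills a gap
        elif isinstance(dest[key], dict):
            if isinstance(sval, dict):
                coalesce(dest[key], sval, p, warnings)
            else:
                warnings.append(
                    f"warning: destination for {p} is a table. "
                    f"Ignoring non-table value ({sval})")
        # else: user supplied a scalar; it wins unchanged
    return dest, warnings


def merged_values():
    """Return (values, warnings) for the issue's user values over the defaults."""
    return coalesce(copy.deepcopy(USER_VALUES), CHART_DEFAULTS)


if __name__ == "__main__":
    values, warns = merged_values()
    for w in warns:
        print(w)
    print(values["global"]["sql"]["datasource"])
```

The merged output keeps the `secretRef`/`secretKey` table for `username` and fills in the untouched `host` default; the only effect of the warning is that the chart's scalar default is discarded, which is the behaviour wanted here.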