opensearch-project / opensearch-k8s-operator

OpenSearch Kubernetes Operator
Apache License 2.0

[BUG] Missing securityContext attributes on container kube-rbac-proxy #745

Closed mgrzybek closed 2 months ago

mgrzybek commented 7 months ago

What is the bug?

The manifest of the operator does not implement some security features required by secured Kubernetes deployments:

How can one reproduce the bug?

# Create the manifest using helm
helm template opensearch-operator opensearch-operator/opensearch-operator > opensearch-operator.yaml
# Apply the manifest
kubectl apply -f opensearch-operator.yaml

What is the expected behavior?

The securityContext attributes should be declared.

What is your host/environment?

Talos Linux: v1.6.1
Kubernetes: v1.29.0

Do you have any screenshots?

helm template opensearch-operator opensearch-operator/opensearch-operator > opensearch-operator.yaml
kubectl apply -f opensearch-operator.yaml
serviceaccount/opensearch-operator-controller-manager created
configmap/opensearch-operator-manager-config created
customresourcedefinition.apiextensions.k8s.io/opensearchactiongroups.opensearch.opster.io created
customresourcedefinition.apiextensions.k8s.io/opensearchclusters.opensearch.opster.io created
customresourcedefinition.apiextensions.k8s.io/opensearchcomponenttemplates.opensearch.opster.io created
customresourcedefinition.apiextensions.k8s.io/opensearchindextemplates.opensearch.opster.io created
customresourcedefinition.apiextensions.k8s.io/opensearchismpolicies.opensearch.opster.io created
customresourcedefinition.apiextensions.k8s.io/opensearchroles.opensearch.opster.io created
customresourcedefinition.apiextensions.k8s.io/opensearchtenants.opensearch.opster.io created
customresourcedefinition.apiextensions.k8s.io/opensearchuserrolebindings.opensearch.opster.io created
customresourcedefinition.apiextensions.k8s.io/opensearchusers.opensearch.opster.io created
clusterrole.rbac.authorization.k8s.io/opensearch-operator-default-manager-role created
clusterrole.rbac.authorization.k8s.io/opensearch-operator-default-metrics-reader created
clusterrole.rbac.authorization.k8s.io/opensearch-operator-default-proxy-role created
clusterrolebinding.rbac.authorization.k8s.io/opensearch-operator-default-manager-rolebinding created
clusterrolebinding.rbac.authorization.k8s.io/opensearch-operator-default-proxy-rolebinding created
role.rbac.authorization.k8s.io/opensearch-operator-leader-election-role created
rolebinding.rbac.authorization.k8s.io/opensearch-operator-leader-election-rolebinding created
service/opensearch-operator-controller-manager-metrics-service created
Warning: would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "kube-rbac-proxy" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "kube-rbac-proxy", "operator-controller-manager" must set securityContext.capabilities.drop=["ALL"]), seccompProfile (pod or containers "kube-rbac-proxy", "operator-controller-manager" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
deployment.apps/opensearch-operator-controller-manager created

Do you have any additional context?

N.A.

prudhvigodithi commented 6 months ago

[Triage] Thanks @mgrzybek for pointing this out. Can you please contribute by addressing this issue and limiting the permissions as required? Adding @bbarani @salyh @jochenkressin @pchmielnik @swoehrl-mw

mgrzybek commented 6 months ago

Hi,

I can have a look. It seems that the work has been started but is still unfinished. https://github.com/opensearch-project/opensearch-k8s-operator/blob/307a9f99ee0fade799d5f05e2217763516515c38/charts/opensearch-operator/values.yaml#L74

Looks like something like this should work:

securityContext:
  allowPrivilegeEscalation: false
  seccompProfile:
    type: RuntimeDefault # Or localhost?
  capabilities:
    drop:
    - ALL # PodSecurity "restricted" matches the literal "ALL", as in the warning above
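
An added example, not part of the thread or the operator's code: a small checker for the three PodSecurity "restricted" checks named in the warning above, run over a pod spec as a Python dict. `SAMPLE` is constructed to mirror that warning, and the helper names are hypothetical; the other checks of the restricted profile are not covered.

```python
# Added example. SAMPLE is constructed to mirror the warning above; it is not
# the chart's real rendered output.
ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}

def restricted_violations(pod_spec):
    """Return (container, problem) pairs for the three checks in the warning."""
    problems = []
    pod_sc = pod_spec.get("securityContext") or {}
    pod_seccomp = (pod_sc.get("seccompProfile") or {}).get("type")
    containers = (pod_spec.get("initContainers") or []) + (pod_spec.get("containers") or [])
    for c in containers:
        sc = c.get("securityContext") or {}
        # Must be explicitly false; an unset field counts as a violation.
        if sc.get("allowPrivilegeEscalation") is not False:
            problems.append((c["name"], "allowPrivilegeEscalation"))
        # Exact, case-sensitive match: "all" does not satisfy the check.
        if "ALL" not in ((sc.get("capabilities") or {}).get("drop") or []):
            problems.append((c["name"], "capabilities.drop"))
        # A container-level profile overrides the pod-level one.
        seccomp = (sc.get("seccompProfile") or {}).get("type") or pod_seccomp
        if seccomp not in ALLOWED_SECCOMP:
            problems.append((c["name"], "seccompProfile"))
    return problems

def with_context(pod_spec, sc):
    """Copy of pod_spec with sc set as every container's securityContext."""
    return {**pod_spec,
            "containers": [{**c, "securityContext": sc} for c in pod_spec["containers"]]}

SAMPLE = {"containers": [
    {"name": "kube-rbac-proxy"},
    {"name": "operator-controller-manager",
     "securityContext": {"allowPrivilegeEscalation": False}},
]}

def proposed(drop):
    """The securityContext under discussion, with a chosen capabilities.drop entry."""
    return {"allowPrivilegeEscalation": False,
            "seccompProfile": {"type": "RuntimeDefault"},
            "capabilities": {"drop": [drop]}}

if __name__ == "__main__":
    for label, spec in [("constructed sample", SAMPLE),
                        ("drop: all", with_context(SAMPLE, proposed("all"))),
                        ("drop: ALL", with_context(SAMPLE, proposed("ALL")))]:
        print(label, restricted_violations(spec))
```

To check a real render, convert the Deployment to JSON and pass `spec.template.spec` to `restricted_violations`.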