pegasystems / pega-helm-charts

Orchestrate a Pega Platform™ deployment by using Docker, Kubernetes, and Helm to take advantage of Pega Platform Cloud Choice flexibility.
https://community.pega.com/knowledgebase/articles/cloud-choice
Apache License 2.0

Need the possibility to set a securityContext for both pod and container for all deployments (pega, srs, clustering-service, etc.) #761

Open rbogendoerfer opened 1 month ago

rbogendoerfer commented 1 month ago

Is your feature request related to a problem? Please describe.

Many clients require that the security settings for Kubernetes deployments be very strict. One example is setting the Pod Security Admission to restricted:

apiVersion: v1
kind: Namespace
metadata:
  name: pega
  labels:
    kubernetes.io/metadata.name: pega
    pod-security.kubernetes.io/enforce: restricted

Running the default deployment with those settings will result in an error message and prevent the deployment from starting:

W0527 15:11:19.454889  105539 warnings.go:70] would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "srs-service" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "srs-service" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "srs-service" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "srs-service" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

Describe the solution you'd like

For all deployments (pega tiers, srs, pega-hazelcast/clustering-service, Constellation appstatic and messaging, etc.) it should be possible to specify a securityContext for the pod (this is already in place for many deployments) and for the container!

Example:

    - name: "web"
      ...
      securityContext:
        runAsUser: 9001
        fsGroup: 0

      containerSecurityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - ALL
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault

Describe alternatives you've considered

The only alternative that I can think of is downloading the helm charts and modifying the deployment templates.

kishorv10 commented 1 month ago

Hi, @rbogendoerfer #750 delivers most of the required functionality. Kindly check the latest helm charts & let us know if you have further questions.

rbogendoerfer commented 1 month ago

Hi @kishorv10, #750 only provides the possibility to set the securityContext at the pod level, but not at the container level. Certain security restrictions (e.g. capabilities.drop "ALL") must be set at the container level. Hence the option to set the securityContext for containers is required.
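The point made in the thread, that some restricted-profile fields exist only on the container securityContext, can be checked before a Helm release is applied by rendering the chart and inspecting the pod specs. The following is an added example, not code from pega-helm-charts or from any of the commenters: it implements the four PodSecurity "restricted" checks quoted in the admission warning above (plus the related rule that only NET_BIND_SERVICE may be added back once ALL is dropped), honouring the pod-or-container precedence that the admission controller applies. It is a subset of the full restricted profile, the three pod specs are constructed samples, and the image name is a placeholder.

```python
"""Check a pod spec (a dict as produced by yaml.safe_load on a rendered
manifest) against a subset of the PodSecurity "restricted" profile.
Added example, not part of pega-helm-charts; sample specs are constructed."""

# Constructed sample: default deployment with no securityContext at all.
DEFAULT_POD = {
    "containers": [
        {"name": "srs-service", "image": "srs-service:placeholder"},
    ],
}

# Constructed sample: only the pod-level securityContext is set (what a
# pod-level-only chart option gives you).
POD_LEVEL_ONLY = {
    "securityContext": {
        "runAsUser": 9001,
        "runAsNonRoot": True,
        "seccompProfile": {"type": "RuntimeDefault"},
    },
    "containers": [
        {"name": "srs-service", "image": "srs-service:placeholder"},
    ],
}

# Constructed sample: pod-level plus container-level settings, as requested.
HARDENED_POD = {
    "securityContext": {
        "runAsUser": 9001,
        "fsGroup": 0,
        "runAsNonRoot": True,
        "seccompProfile": {"type": "RuntimeDefault"},
    },
    "containers": [
        {
            "name": "srs-service",
            "image": "srs-service:placeholder",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},
            },
        },
    ],
}


def _effective(pod_ctx, ctr_ctx, key):
    """For fields that exist at both levels (runAsNonRoot, seccompProfile)
    the container securityContext overrides the pod-level value."""
    if key in ctr_ctx:
        return ctr_ctx[key]
    return pod_ctx.get(key)


def restricted_violations(pod_spec):
    """Return human-readable violations for every container in pod_spec,
    including init and ephemeral containers, which the profile also covers."""
    pod_ctx = pod_spec.get("securityContext") or {}
    containers = (
        pod_spec.get("containers", [])
        + pod_spec.get("initContainers", [])
        + pod_spec.get("ephemeralContainers", [])
    )
    problems = []
    for c in containers:
        name = c.get("name", "<unnamed>")
        ctx = c.get("securityContext") or {}

        # Container-only field: must be explicitly false; absent is a violation.
        if ctx.get("allowPrivilegeEscalation") is not False:
            problems.append(f"{name}: allowPrivilegeEscalation != false")

        # Container-only field: drop must include ALL; only NET_BIND_SERVICE
        # may be added back.
        caps = ctx.get("capabilities") or {}
        drop = {x.upper() for x in caps.get("drop", [])}
        add = {x.upper() for x in caps.get("add", [])}
        if "ALL" not in drop:
            problems.append(f'{name}: capabilities.drop must include "ALL"')
        if add - {"NET_BIND_SERVICE"}:
            problems.append(f"{name}: capabilities.add may only contain NET_BIND_SERVICE")

        # Pod-or-container fields: either level satisfies, container wins.
        if _effective(pod_ctx, ctx, "runAsNonRoot") is not True:
            problems.append(f"{name}: runAsNonRoot != true")
        seccomp = _effective(pod_ctx, ctx, "seccompProfile") or {}
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            problems.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
    return problems


if __name__ == "__main__":
    for label, spec in (("default", DEFAULT_POD),
                        ("pod-level only", POD_LEVEL_ONLY),
                        ("hardened", HARDENED_POD)):
        print(label, restricted_violations(spec))
```

Run against `helm template` output (parse each Deployment/StatefulSet and pass `spec.template.spec`), the pod-level-only sample still reports the two container-only fields, which is exactly why a chart needs a container securityContext option in addition to the pod-level one.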