projectsyn / component-keycloak

Commodore Component for Keycloak
BSD 3-Clause "New" or "Revised" License

Hardening to PSA restricted #181

Open megian opened 1 year ago

megian commented 1 year ago

Context

With the growing ability to harden deployments with Pod Security Standards and Pod Security Admission, Keycloak as a security component should use all the capabilities to prevent security flaws.

parameters:
  keycloak:
    namespaceLabels:
      pod-security.kubernetes.io/audit: restricted
      pod-security.kubernetes.io/enforce: restricted
      pod-security.kubernetes.io/warn: restricted

Keycloak and Bitnami Postgres currently do work in a fully restricted mode. However, k8up, which performs the Bitnami Postgres backup, is currently not able to set the container securityContext. See k8up-io/k8up#584.

Currently the baseline mode does work:

parameters:
  keycloak:
    namespaceLabels:
      pod-security.kubernetes.io/audit: baseline
      pod-security.kubernetes.io/enforce: baseline
      pod-security.kubernetes.io/warn: restricted

Alternatives

megian commented 1 year ago

Warning: existing pods in namespace "test" violate the new PodSecurity enforce level "restricted:latest"
Warning: backup-backup-backup-djm28-jjwxn (and 9 other pods): allowPrivilegeEscalation != false, unrestricted capabilities, runAsNonRoot != true, seccompProfile
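The warning above lists the four restricted-profile rules the backup pods break. The following checker, added here as an illustration and not code from component-keycloak or k8up, evaluates a pod spec against exactly those four rules (allowPrivilegeEscalation, capabilities, runAsNonRoot, seccompProfile) with the same pod-level/container-level precedence the admission controller applies, and shows the unhardened pod beside the securityContext a pod needs to pass. The pod names and image are constructed placeholders; the full restricted profile has further rules (for example on volume types and runAsUser) that this example does not cover.

```python
"""Check a pod spec against the four PodSecurity 'restricted' rules named in the
admission warning. Added example; not part of component-keycloak or k8up."""


# Constructed sample: a backup job pod with no securityContext at all, which is
# the state the admission warning reports. Name and image are placeholders.
UNHARDENED_POD = {
    "metadata": {"name": "backup-example"},
    "spec": {
        "containers": [
            {"name": "backup", "image": "example/backup:1.0"},
        ],
    },
}

# The same pod with the fields the restricted profile requires. runAsNonRoot and
# seccompProfile may be set once at pod level; the other two are per container.
HARDENED_POD = {
    "metadata": {"name": "backup-example"},
    "spec": {
        "securityContext": {
            "runAsNonRoot": True,
            "seccompProfile": {"type": "RuntimeDefault"},
        },
        "containers": [
            {
                "name": "backup",
                "image": "example/backup:1.0",
                "securityContext": {
                    "allowPrivilegeEscalation": False,
                    "capabilities": {"drop": ["ALL"]},
                },
            }
        ],
    },
}


def _all_containers(spec):
    """Admission checks init, regular and ephemeral containers alike."""
    return (
        spec.get("initContainers", [])
        + spec.get("containers", [])
        + spec.get("ephemeralContainers", [])
    )


def restricted_violations(pod):
    """Return the restricted-profile violations for a pod, worded like the
    admission warning. An empty list means the pod passes these four checks."""
    spec = pod["spec"]
    pod_sc = spec.get("securityContext", {})
    problems = []

    for c in _all_containers(spec):
        sc = c.get("securityContext", {})
        name = c["name"]

        # allowPrivilegeEscalation must be explicitly false on every container.
        if sc.get("allowPrivilegeEscalation") is not False:
            problems.append(f"container {name!r}: allowPrivilegeEscalation != false")

        # Capabilities must drop ALL; only NET_BIND_SERVICE may be added back.
        caps = sc.get("capabilities", {})
        extra_adds = set(caps.get("add", [])) - {"NET_BIND_SERVICE"}
        if "ALL" not in caps.get("drop", []) or extra_adds:
            problems.append(f"container {name!r}: unrestricted capabilities")

        # runAsNonRoot: the container value wins when set, else the pod value; must be true.
        run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if run_as_non_root is not True:
            problems.append(f"container {name!r}: runAsNonRoot != true")

        # seccompProfile: same precedence; must be RuntimeDefault or Localhost.
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile")) or {}
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            problems.append(f"container {name!r}: seccompProfile")

    return problems


if __name__ == "__main__":
    for label, pod in (("unhardened", UNHARDENED_POD), ("hardened", HARDENED_POD)):
        print(label, restricted_violations(pod) or "OK")
```

Running the module prints the four violations for the unhardened pod and OK for the hardened one; the point of the comparison is that a workload operator (here k8up) has to be able to emit the container-level fields, since only runAsNonRoot and seccompProfile can be satisfied from the pod level.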

megian commented 5 months ago

k8up does not support updating the PodSecurity in the container configuration.