upbound / universal-crossplane

Enterprise-grade @crossplane from @upbound
https://upbound.io/product/universal-crossplane
Apache License 2.0

Pod Security Issue #448

Closed devops-inthe-east closed 3 months ago

devops-inthe-east commented 4 months ago

What happened?

We have universal-crossplane deployed on our EKS 1.27 with chart version 1.9.1-up.2. The components that we use:

* universal-crossplane: tag: v1.9.1-up.2
* xgql: tag: v0.1.5
* agent: tag: v1.9.1-up.2
* bootstrapper: tag: v1.9.1-up.2

As we were testing the chart for compatibility on this new cluster, we ran into this issue from a Pod Security perspective:

```
violates PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "xgql" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "xgql" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "xgql" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "xgql" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
```

We have made the below modification to our values file:

```yaml
universal-crossplane:
  image:
    repository: 023951383515.dkr.ecr.eu-central-1.amazonaws.com/cloudification/upbound/crossplane
    tag: v1.9.1-up.2
    pullPolicy: IfNotPresent
  securityContext:  # Repositioned securityContext block
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL   # a plain string; `- ["ALL"]` would be a list inside a list and not satisfy the check
    privileged: false
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    runAsUser: 65532
    seccompProfile:
      type: RuntimeDefault
  xgql:
    image:
      repository: 023951383515.dkr.ecr.eu-central-1.amazonaws.com/cloudification/upbound/xgql
      tag: v0.1.5
      pullPolicy: IfNotPresent
    securityContext:  # Repositioned securityContext block
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - ALL
      privileged: false
      readOnlyRootFilesystem: true
      runAsNonRoot: true
      runAsUser: 65532
      runAsGroup: 65532
      seccompProfile:
        type: RuntimeDefault
  agent:
    image:
      repository: 023951383515.dkr.ecr.eu-central-1.amazonaws.com/cloudification/upbound/upbound-agent
      tag: v1.9.1-up.2
      pullPolicy: IfNotPresent
    securityContext:  # Repositioned securityContext block
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - ALL
      privileged: false
      readOnlyRootFilesystem: true
      runAsNonRoot: true
      runAsUser: 65532
      runAsGroup: 65532
      seccompProfile:
        type: RuntimeDefault
  bootstrapper:
    image:
      repository: 023951383515.dkr.ecr.eu-central-1.amazonaws.com/cloudification/upbound/uxp-bootstrapper
      tag: v1.9.1-up.2
      pullPolicy: IfNotPresent
    securityContext:  # Repositioned securityContext block
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - ALL
      privileged: false
      readOnlyRootFilesystem: true
      runAsNonRoot: true
      runAsUser: 65532
      runAsGroup: 65532
      seccompProfile:
        type: RuntimeDefault
  securityContextCrossplane:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL
    privileged: false
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    runAsUser: 65532
    runAsGroup: 65532
    seccompProfile:
      type: RuntimeDefault
  securityContextRBACManager:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL
    privileged: false
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    runAsUser: 65532
    runAsGroup: 65532
    seccompProfile:
      type: RuntimeDefault
```

Chart.yaml:

```yaml
apiVersion: v2   # v2 is required for `type` and in-file `dependencies` (Helm 3)
name: universal-crossplane-proxy
type: application
version: 1.9.0-up.1.rc.1.8.gdcbb1fd
description: Universal Crossplane is an open source Kubernetes add-on that enables platform teams to assemble infrastructure from multiple vendors, and expose higher level self-service APIs for application teams to consume.
dependencies:
  - name: universal-crossplane
    version: 1.9.0-up.1.rc.1.8.gdcbb1fd
    repository: https://github.vodafone.com/raw/VFDE-ModGarage/VF-DE-HelmChart-Repository/master
```

How can we reproduce it?

Deploy a 1.9.0-up.1.rc.1.8.gdcbb1fd chart on an EKS 1.27 cluster.

What environment did it happen in?

UXP version: can't validate

* Cloud provider or hardware configuration: AWS
* Kubernetes version: 1.27
* Kubernetes distribution: EKS
* OS: Amazon Linux
* Kernel: 4.14.336-257.562.amzn2.x86_64 #1 SMP Sat Feb 24 09:50:35 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
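
The admission error quoted in the issue lists four of the checks the PodSecurity `restricted` profile applies to every container. The following script is an added example (not code from universal-crossplane, Upbound, or the issue author) that approximates those checks on an already-parsed manifest, so a rendered `helm template` output can be linted offline before the API server rejects it. The pod samples, container names and the `_effective` helper are constructed for illustration; the real enforcement is the kube-apiserver PodSecurity admission plugin, and this script is not a substitute for it. It also catches a YAML pitfall that produces a values file that looks right but still fails: writing `drop:` / `- ["ALL"]` parses to `[["ALL"]]` (a list inside a list) rather than `["ALL"]`.

```python
"""Offline approximation of the PodSecurity "restricted" checks named in the
admission error: allowPrivilegeEscalation, capabilities, runAsNonRoot and
seccompProfile. Added example; not project code. The authoritative gate is
the kube-apiserver PodSecurity admission plugin."""
from typing import Any


def _effective(key: str, container_sc: dict, pod_sc: dict) -> Any:
    """runAsNonRoot, runAsUser and seccompProfile may be set at pod level and
    are inherited by containers that do not override them (hypothetical helper)."""
    return container_sc[key] if key in container_sc else pod_sc.get(key)


def check_container(container: dict, pod_sc: dict) -> list[str]:
    """Return restricted-profile violations for one container (empty = OK)."""
    name = container.get("name", "<unnamed>")
    sc = container.get("securityContext") or {}
    violations: list[str] = []

    # Must be explicitly false; leaving it unset is a violation.
    if sc.get("allowPrivilegeEscalation") is not False:
        violations.append(f'{name}: allowPrivilegeEscalation != false')

    # drop must contain the string "ALL". The YAML
    #   drop:
    #     - ["ALL"]
    # parses to [["ALL"]] (a nested list) and does NOT satisfy this.
    caps = sc.get("capabilities") or {}
    drop = caps.get("drop") or []
    if not (isinstance(drop, list) and "ALL" in drop):
        violations.append(f'{name}: capabilities.drop must include "ALL"')
    # Only NET_BIND_SERVICE may be added back under the restricted profile.
    added = set(caps.get("add") or []) - {"NET_BIND_SERVICE"}
    if added:
        violations.append(f'{name}: capabilities.add not allowed: {sorted(added)}')

    if _effective("runAsNonRoot", sc, pod_sc) is not True:
        violations.append(f'{name}: runAsNonRoot != true')
    # runAsNonRoot: true is undermined by pinning runAsUser to 0.
    if _effective("runAsUser", sc, pod_sc) == 0:
        violations.append(f'{name}: runAsUser must not be 0')

    profile = _effective("seccompProfile", sc, pod_sc) or {}
    if profile.get("type") not in ("RuntimeDefault", "Localhost"):
        violations.append(f'{name}: seccompProfile.type must be RuntimeDefault or Localhost')
    return violations


def check_pod(pod: dict) -> list[str]:
    """Run the checks over every initContainer and container of a Pod spec
    (pass a Deployment's pod template as `pod` for workloads)."""
    spec = pod["spec"]
    pod_sc = spec.get("securityContext") or {}
    out: list[str] = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        out.extend(check_container(c, pod_sc))
    return out


# Constructed sample: no securityContext at all, the situation the error
# message reports for "xgql".
UNSET_POD = {"spec": {"containers": [{"name": "xgql", "image": "xgql:v0.1.5"}]}}

# Constructed sample: the nested-list pitfall; everything else is correct.
NESTED_DROP_POD = {"spec": {"containers": [{
    "name": "xgql",
    "securityContext": {
        "allowPrivilegeEscalation": False,
        "capabilities": {"drop": [["ALL"]]},   # what `- ["ALL"]` parses to
        "runAsNonRoot": True,
        "runAsUser": 65532,
        "seccompProfile": {"type": "RuntimeDefault"},
    },
}]}}

# Constructed sample: compliant, with pod-level fields inherited by the container.
HARDENED_POD = {"spec": {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 65532,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{
        "name": "xgql",
        "securityContext": {
            "allowPrivilegeEscalation": False,
            "capabilities": {"drop": ["ALL"]},
            "readOnlyRootFilesystem": True,
        },
    }],
}}


if __name__ == "__main__":
    for label, pod in (("unset", UNSET_POD), ("nested-drop", NESTED_DROP_POD),
                       ("hardened", HARDENED_POD)):
        print(label, check_pod(pod) or "OK")
```

Running it prints four violations for the unset container, exactly one (the capabilities check) for the nested-list pitfall, and `OK` for the hardened pod. For a real cluster, the equivalent end-to-end check is to label a scratch namespace with `pod-security.kubernetes.io/enforce=restricted` and apply the rendered chart with `kubectl apply --dry-run=server`.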

phisco commented 4 months ago

That's a really old release, xgql is not installed anymore as part of uxp

phisco commented 3 months ago

Closing for now, feel free to reopen an issue for a more recent release if this still applies.