valeriano-manassero / helm-charts

Popular applications, provided by Valeriano Manassero, ready to launch on Kubernetes using Kubernetes Helm.
Apache License 2.0
50 stars 46 forks

[trino] Supporting more variables for securityContext for pod and container level. #189

Closed hafizmujadidKhalid closed 1 year ago

hafizmujadidKhalid commented 1 year ago

Is your feature request related to a problem ?

Hey folks!

I am trying to deploy Trino using your provided helm chart, but since our EKS cluster has some validations set, it fails to deploy. The failing validations are things like running as a non-root user and dropping all capabilities, etc.

Describe the solution you'd like.

To fix it, I have to add the following security context for the container:

securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
  runAsUser: 1000

and following for the pod:

securityContext:
  runAsNonRoot: true
  seccompProfile:
    type: RuntimeDefault

I want to support general securityContext settings inside values.yaml file and they should be reflected in relevant deployments. I would have created a PR but due to my limited knowledge of helm templating, I could not produce well-indented yaml.

Describe alternatives you've considered.

None. Our security team has these security and validation checks in place and they are not willing to relax them. I have to deploy by rendering the template and modifying the actual yaml files.

Additional context.

No response
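The following is an added example of how the two contexts requested above can be driven from values.yaml with Helm templating; it is not the chart's own template, and the value keys `securityContext` / `containerSecurityContext`, the init container name and the image reference are assumptions chosen for illustration. It goes slightly beyond the request by rendering the container-level context into initContainers as well, since pod-security admission policies evaluate those with the same rules as regular containers.

```yaml
# values.yaml (added example; key names are assumptions, not the chart's defaults)
# Pod-level context: applies to every container in the pod.
securityContext:
  runAsNonRoot: true
  seccompProfile:
    type: RuntimeDefault

# Container-level context: must be rendered into containers AND initContainers,
# otherwise strict admission policies still reject the pod.
containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
  runAsUser: 1000

---
# templates/deployment-coordinator.yaml (excerpt, added example)
apiVersion: apps/v1
kind: Deployment
metadata:
  name: trino-coordinator
spec:
  template:
    spec:
      # `with` skips the whole key when the value is empty, so the chart keeps
      # working for users who set nothing; nindent re-indents the YAML map
      # eight spaces, two deeper than the `securityContext:` key above it.
      {{- with .Values.securityContext }}
      securityContext:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      initContainers:
        - name: init-placeholder          # hypothetical init container
          image: "placeholder/image:tag"  # placeholder, not a real image
          {{- with .Values.containerSecurityContext }}
          securityContext:
            {{- toYaml . | nindent 12 }}
          {{- end }}
      containers:
        - name: trino-coordinator
          image: "placeholder/trino:tag"  # placeholder, not a real image
          {{- with .Values.containerSecurityContext }}
          securityContext:
            {{- toYaml . | nindent 12 }}
          {{- end }}
```

`toYaml` serialises the map exactly as the user wrote it in values.yaml and `nindent N` prefixes every line with N spaces after a leading newline, which is what keeps the output well-indented regardless of how many fields the user adds. Rendering with `helm template` and inspecting the result is enough to confirm that both `spec.template.spec.securityContext` and each container's `securityContext` (init containers included) carry the expected fields before the manifest reaches the cluster's admission checks.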

valeriano-manassero commented 1 year ago

Can you pls test the related chart in the PR?

I'd like to understand if these defaults are ok for your use case.

hafizmujadidKhalid commented 1 year ago

Hey @valeriano-manassero !

Thanks for the quick solution, I think the number of errors is reduced now and the validations are failing only on init containers:

disallow-capabilities-strict:
  autogen-require-drop-all: 'validation failure: Containers must drop `ALL` capabilities.'
disallow-privilege-escalation:
  autogen-privilege-escalation: 'validation error: Privilege escalation is disallowed.
    The fields spec.containers[*].securityContext.allowPrivilegeEscalation, spec.initContainers[*].securityContext.allowPrivilegeEscalation,
    and spec.ephemeralContainers[*].securityContext.allowPrivilegeEscalation must
    be set to `false`. rule autogen-privilege-escalation failed at path /spec/template/spec/containers/0/securityContext/'
validate-seccomp-location:
github-actions[bot] commented 1 year ago

This issue is stale because it has been open for 14 days with no activity.

valeriano-manassero commented 1 year ago

@hafizmujadidKhalid securityContext should be set for all init containers afaik; can you pls list which init containers have this problem and their generated yaml manifest?

hafizmujadidKhalid commented 1 year ago

@valeriano-manassero! I think containerSecurityContext is missing in Coordinator container: https://github.com/valeriano-manassero/helm-charts/blob/425c0d103e93c02eddcf3070386cdabda73c725a/valeriano-manassero/trino/templates/deployment-coordinator.yaml#L186