stakater / Reloader

A Kubernetes controller to watch changes in ConfigMap and Secrets and do rolling upgrades on Pods with their associated Deployment, StatefulSet, DaemonSet and DeploymentConfig – [✩Star] if you're using it!

Home Page: https://docs.stakater.com/reloader/


Helm: securityContext / containerSecurityContext not fully propagated ?

udf2457 opened this issue · comments

Given the following custom values.yaml:

reloader:
  reloadStrategy: annotations
  readOnlyRootFileSystem: true
  securityContext:
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
  containerSecurityContext:
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
    capabilities:
      drop: [ALL]

I would expect Reloader to install without issue in a Restricted PSS environment (https://kubernetes.io/docs/concepts/security/pod-security-standards/).

However, instead, running helm install stakater-reloader -f path/to/my/stakater-reloader/values.yaml stakater/reloader

I am greeted with:

W0319 12:17:55.847256 5976 warnings.go:70] would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "stakater-reloader-reloader" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "stakater-reloader-reloader" must set securityContext.capabilities.drop=["ALL"]), seccompProfile (pod or container "stakater-reloader-reloader" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

This therefore implies that the securityContext and containerSecurityContext are not fully propagated in the Helm chart ?

Unfortunately I'm still a bit of a Helm noob and so don't have the skills to troubleshoot and provide a PR but hopefully it should be a fairly simple fix ?

@faizanahmad055 tested it on Minikube and OpenShift but was not able to reproduce it

@karl-johan-grahn Was your environment setup to enforce ?

My environment is k3s, with security setup as per the docs (https://docs.k3s.io/security/hardening-guide), in particular the PSA:

apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: PodSecurity
  configuration:
    apiVersion: pod-security.admission.config.k8s.io/v1beta1
    kind: PodSecurityConfiguration
    defaults:
      enforce: "restricted"
      enforce-version: "latest"
      audit: "restricted"
      audit-version: "latest"
      warn: "restricted"
      warn-version: "latest"
    exemptions:
      usernames: []
      runtimeClasses: []
      namespaces: [kube-system, cis-operator-system]


@udf2457 We would like to reproduce it, can you provide template with values file that you use?

You are missing the deployment-key for your values, it should be:

reloader:
  reloadStrategy: annotations
  readOnlyRootFileSystem: true
  deployment: # << currently missing
    securityContext:
      runAsNonRoot: true
      seccompProfile:
        type: RuntimeDefault
    containerSecurityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop: [ALL]
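Before running helm install, it is worth checking the rendered pod spec against the fields the admission warning names. The following is an added example (my own code, not part of Reloader or its Helm chart): a small checker for the four Restricted PSS fields in the warning (allowPrivilegeEscalation, capabilities.drop, runAsNonRoot, seccompProfile), run over two constructed pod specs built as plain dicts so it needs no YAML library. The first spec is constructed to match the warning above (container with no securityContext, pod-level runAsNonRoot assumed present since the warning did not list it); the second is what the corrected values under `reloader.deployment` would produce. The checker covers only these fields, not the full Restricted profile (volume types, host namespaces, and so on).

```python
"""Restricted-PSS field checker for a pod spec (added example, not Reloader code).

Implements the checks named in the PodSecurity warning on this page. Pod specs
are constructed inline as dicts; no chart templates or cluster are involved.
"""


def restricted_violations(pod_spec):
    """Return a list of Restricted-profile violations for a pod spec dict.

    An empty list means the spec passes the checked fields. Container-level
    settings override pod-level ones for runAsNonRoot and seccompProfile,
    mirroring how the PodSecurity admission plugin resolves them.
    """
    violations = []
    pod_sc = pod_spec.get("securityContext") or {}
    containers = list(pod_spec.get("containers", [])) + list(pod_spec.get("initContainers", []))

    for c in containers:
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}

        # Restricted: allowPrivilegeEscalation must be explicitly false on every container.
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(f'allowPrivilegeEscalation != false (container "{name}")')

        # Restricted: capabilities.drop must contain ALL; only NET_BIND_SERVICE may be added back.
        caps = sc.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []):
            violations.append(f'unrestricted capabilities (container "{name}" must set capabilities.drop=["ALL"])')
        extra = set(caps.get("add") or []) - {"NET_BIND_SERVICE"}
        if extra:
            violations.append(f'unrestricted capabilities (container "{name}" adds {sorted(extra)})')

        # Restricted: runAsNonRoot must resolve to true (container value wins over pod value).
        run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if run_as_non_root is not True:
            violations.append(f'runAsNonRoot != true (pod or container "{name}")')

        # Restricted: seccompProfile.type must be RuntimeDefault or Localhost (container wins over pod).
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile")) or {}
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            violations.append(f'seccompProfile (pod or container "{name}" must set type to "RuntimeDefault" or "Localhost")')

    return violations


# Constructed spec matching the warning on this page: the securityContext keys were placed
# at the wrong level in values.yaml, so the container ends up with no securityContext.
# A pod-level runAsNonRoot is assumed here only because the warning did not list it.
MISPLACED_VALUES_POD = {
    "securityContext": {"runAsNonRoot": True},
    "containers": [{"name": "stakater-reloader-reloader"}],
}

# Constructed spec for the corrected values file (keys under reloader.deployment).
CORRECTED_VALUES_POD = {
    "securityContext": {
        "runAsNonRoot": True,
        "seccompProfile": {"type": "RuntimeDefault"},
    },
    "containers": [{
        "name": "stakater-reloader-reloader",
        "securityContext": {
            "allowPrivilegeEscalation": False,
            "readOnlyRootFilesystem": True,
            "capabilities": {"drop": ["ALL"]},
        },
    }],
}


if __name__ == "__main__":
    for label, spec in (("misplaced values", MISPLACED_VALUES_POD), ("corrected values", CORRECTED_VALUES_POD)):
        found = restricted_violations(spec)
        print(f"{label}: {'OK' if not found else ''}")
        for v in found:
            print(f"  would violate PodSecurity restricted: {v}")
```

Fed the real rendered output, the same function works on the pod template of a Deployment (`spec.template.spec`) after loading it with any YAML parser; the misplaced-values spec reproduces the three violations in the warning above, and the corrected one reports none.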

Is this working for below setting ?

capabilities:
  drop: [ALL]

What are the capabilities that are needed to run this image ?


I had the same issue; I raised an MR with the fix: #540

> I had the same issue; I raised an MR with the fix: #540

There is no need to add default settings for containerSecurityContext, just use the correct keys within your values.

> Is this working for below setting ?
>
> capabilities:
>   drop: [ALL]

Yes, this is templated properly