From bbcc270c5dba04bd7ffe87faae5885b6abd7b5aa Mon Sep 17 00:00:00 2001 From: Stavros kois Date: Fri, 6 Jan 2023 14:05:01 +0200 Subject: [PATCH] set cap for <=1024 port number automagically --- .../securityContext_test.yaml | 50 +++++++++++++++++++ ...itional_containers_in_deployment_test.yaml | 39 +++++++++++++++ ...containers_in_deployment_install_test.yaml | 39 +++++++++++++++ ...containers_in_deployment_upgrade_test.yaml | 39 +++++++++++++++ ...install_containers_in_deployment_test.yaml | 39 +++++++++++++++ ...upgrade_containers_in_deployment_test.yaml | 39 +++++++++++++++ .../templates/lib/container/_security.tpl | 29 +++++++++++ .../lib/container/_securityContext.tpl | 9 +++- .../templates/lib/pod/_extraContainers.tpl | 1 + 9 files changed, 282 insertions(+), 2 deletions(-) diff --git a/library/common-test/tests/container_in_deployment/securityContext_test.yaml b/library/common-test/tests/container_in_deployment/securityContext_test.yaml index d67af65729..27bb7e7966 100644 --- a/library/common-test/tests/container_in_deployment/securityContext_test.yaml +++ b/library/common-test/tests/container_in_deployment/securityContext_test.yaml 
@@ -333,3 +333,53 @@ tests: add: [] drop: - ALL + + - it: should pass with container port <=1024 defined + documentIndex: *deploymentDoc + set: + service: + main: + ports: + main: + port: 5000 + targetPort: 1024 + asserts: + - equal: + path: spec.template.spec.containers[0].securityContext + value: + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 568 + runAsGroup: 568 + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + + - it: should pass with container port <=1024 defined + documentIndex: *deploymentDoc + set: + service: + main: + ports: + main: + port: 5000 + targetPort: 80 + asserts: + - equal: + path: spec.template.spec.containers[0].securityContext + value: + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 568 + runAsGroup: 568 + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL diff --git a/library/common-test/tests/initcontainers_in_deployment/additional_containers_in_deployment_test.yaml b/library/common-test/tests/initcontainers_in_deployment/additional_containers_in_deployment_test.yaml index e8d9dfa8e7..ee0fa71b68 100644 --- a/library/common-test/tests/initcontainers_in_deployment/additional_containers_in_deployment_test.yaml +++ b/library/common-test/tests/initcontainers_in_deployment/additional_containers_in_deployment_test.yaml 
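Review bot: Both new cases carry the identical `it:` name `should pass with container port <=1024 defined`, so a failure report cannot say which boundary broke; name them by what they pin, e.g. `should add NET_BIND_SERVICE for targetPort 1024` and `should add NET_BIND_SERVICE for targetPort 80`. The 1024 case also locks in a questionable edge: on Linux the default `ip_unprivileged_port_start` is 1024, so port 1024 does not need NET_BIND_SERVICE and asserting `add: - NET_BIND_SERVICE` there commits the chart to granting a capability the container does not use. There is no negative case at all — a third test with `targetPort: 1025` (or the plain `port: 5000` default) asserting `add: []` would catch a regression that adds the capability unconditionally, which this pair would currently pass. Whether `service.main` is enabled without an explicit `enabled:` key is inferred from defaults outside this hunk.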
@@ -587,6 +587,45 @@ tests: runAsNonRoot: true runAsUser: 568 + - it: should pass with port <=1024 defined in additional container + documentIndex: *deploymentDoc + set: + additionalContainers: + some_container: + ports: + - name: http + containerPort: 80 + asserts: + - isSubset: + path: spec.template.spec.containers[0] + content: + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: [] + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 568 + runAsNonRoot: true + runAsUser: 568 + - isSubset: + path: spec.template.spec.containers[1] + content: + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 568 + runAsNonRoot: true + runAsUser: 568 + - it: should pass with deviceList defined in additionalContainer documentIndex: *deploymentDoc set: diff --git a/library/common-test/tests/initcontainers_in_deployment/init_containers_in_deployment_install_test.yaml b/library/common-test/tests/initcontainers_in_deployment/init_containers_in_deployment_install_test.yaml index f9fc5daa62..f6fcec7bde 100644 --- a/library/common-test/tests/initcontainers_in_deployment/init_containers_in_deployment_install_test.yaml +++ b/library/common-test/tests/initcontainers_in_deployment/init_containers_in_deployment_install_test.yaml 
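Review bot: The new case exercises only the positive path; nothing asserts that an additional container whose `containerPort` is above 1023 keeps `add: []`, so the port filter in the template is effectively unverified for the extra-container branch. A sibling case with `containerPort: 8080` and the same `isSubset` on `containers[1]` expecting `capabilities: {add: [], drop: [ALL]}` would close that gap. The parallel cases added to the init/install/upgrade container test files in this patch have the same omission, and one of them would be a natural place to cover the 1023/1024 boundary as well.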
@@ -632,6 +632,45 @@ tests: runAsNonRoot: true runAsUser: 568 + - it: should pass with port <=1024 defined in init container + documentIndex: *deploymentDoc + set: + initContainers: + some_container: + ports: + - name: http + containerPort: 80 + asserts: + - isSubset: + path: spec.template.spec.containers[0] + content: + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: [] + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 568 + runAsNonRoot: true + runAsUser: 568 + - isSubset: + path: spec.template.spec.initContainers[0] + content: + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 568 + runAsNonRoot: true + runAsUser: 568 + - it: should pass with securityContext default documentIndex: *deploymentDoc set: diff --git a/library/common-test/tests/initcontainers_in_deployment/init_containers_in_deployment_upgrade_test.yaml b/library/common-test/tests/initcontainers_in_deployment/init_containers_in_deployment_upgrade_test.yaml index cb45e15062..c39cf068bd 100644 --- a/library/common-test/tests/initcontainers_in_deployment/init_containers_in_deployment_upgrade_test.yaml +++ b/library/common-test/tests/initcontainers_in_deployment/init_containers_in_deployment_upgrade_test.yaml 
@@ -635,6 +635,45 @@ tests: runAsNonRoot: true runAsUser: 568 + - it: should pass with port <=1024 defined in init container + documentIndex: *deploymentDoc + set: + initContainers: + some_container: + ports: + - name: http + containerPort: 80 + asserts: + - isSubset: + path: spec.template.spec.containers[0] + content: + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: [] + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 568 + runAsNonRoot: true + runAsUser: 568 + - isSubset: + path: spec.template.spec.initContainers[0] + content: + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 568 + runAsNonRoot: true + runAsUser: 568 + - it: should pass with securityContext default documentIndex: *deploymentDoc set: diff --git a/library/common-test/tests/initcontainers_in_deployment/install_containers_in_deployment_test.yaml b/library/common-test/tests/initcontainers_in_deployment/install_containers_in_deployment_test.yaml index 6edf5facb6..a187da56d4 100644 --- a/library/common-test/tests/initcontainers_in_deployment/install_containers_in_deployment_test.yaml +++ b/library/common-test/tests/initcontainers_in_deployment/install_containers_in_deployment_test.yaml 
@@ -646,6 +646,45 @@ tests: runAsNonRoot: true runAsUser: 568 + - it: should pass with port <=1024 defined in install container + documentIndex: *deploymentDoc + set: + installContainers: + some_container: + ports: + - name: http + containerPort: 80 + asserts: + - isSubset: + path: spec.template.spec.containers[0] + content: + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: [] + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 568 + runAsNonRoot: true + runAsUser: 568 + - isSubset: + path: spec.template.spec.initContainers[0] + content: + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 568 + runAsNonRoot: true + runAsUser: 568 + - it: should pass with securityContext default documentIndex: *deploymentDoc set: diff --git a/library/common-test/tests/initcontainers_in_deployment/upgrade_containers_in_deployment_test.yaml b/library/common-test/tests/initcontainers_in_deployment/upgrade_containers_in_deployment_test.yaml index f76265e32c..d1d490b867 100644 --- a/library/common-test/tests/initcontainers_in_deployment/upgrade_containers_in_deployment_test.yaml +++ b/library/common-test/tests/initcontainers_in_deployment/upgrade_containers_in_deployment_test.yaml 
@@ -648,6 +648,45 @@ tests: runAsNonRoot: true runAsUser: 568 + - it: should pass with port <=1024 defined in upgrade container + documentIndex: *deploymentDoc + set: + upgradeContainers: + some_container: + ports: + - name: http + containerPort: 80 + asserts: + - isSubset: + path: spec.template.spec.containers[0] + content: + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: [] + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 568 + runAsNonRoot: true + runAsUser: 568 + - isSubset: + path: spec.template.spec.initContainers[0] + content: + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 568 + runAsNonRoot: true + runAsUser: 568 + - it: should pass with securityContext default documentIndex: *deploymentDoc set: diff --git a/library/common/1.0.0/templates/lib/container/_security.tpl b/library/common/1.0.0/templates/lib/container/_security.tpl index 39d331acf4..16e9aa20a2 100644 --- a/library/common/1.0.0/templates/lib/container/_security.tpl +++ b/library/common/1.0.0/templates/lib/container/_security.tpl @@ -10,6 +10,7 @@ The reason is not splitted, is that on one of the places needs a combo of all va {{- $root := .root -}} {{- $secCont := .secCont -}} {{- $deviceList := .deviceList -}} + {{- $ports := .ports -}} {{- $isMainContainer := .isMainContainer -}} {{/* Initialiaze Values */}} 
@@ -29,6 +30,34 @@ The reason is not splitted, is that on one of the places needs a combo of all va {{/* Overwrite from values that user/dev passed on this container */}} {{- $returnValue = mustMergeOverwrite $returnValue $secCont -}} + {{- $isPrivilegedPort := false -}} + + {{- if $isMainContainer -}} + {{- range $svcName, $svc := $root.Values.service -}} + {{- if $svc.enabled -}} + {{- range $portName, $port := $svc.ports -}} + {{- if $port.enabled -}} {{/* We failback to port if no targetPort is given */}} + {{- $portNumber := ($port.targetPort | default $port.port) -}} + {{- if le (int $portNumber) 1024 -}} + {{- $isPrivilegedPort = true -}} + {{- end -}} + {{- end -}} + {{- end -}} + {{- end -}} + {{- end -}} + {{- else -}} + {{- range $port := $ports -}} + {{- if le (int $port.containerPort) 1024 -}} + {{- $isPrivilegedPort = true -}} + {{- end -}} + {{- end -}} + {{- end -}} + + {{/* If at least on port is the specific container uses a port <=1024, add the NET_BIND_SERVICE capability */}} + {{- if $isPrivilegedPort -}} + {{- $_ := set $returnValue.capabilities "add" (mustAppend $returnValue.capabilities.add "NET_BIND_SERVICE") -}} + {{- end -}} + {{/* Devices need privileged container */}} {{- if $deviceList -}} {{- $_ := set $returnValue "privileged" true -}} diff --git a/library/common/1.0.0/templates/lib/container/_securityContext.tpl b/library/common/1.0.0/templates/lib/container/_securityContext.tpl index cf4b4200b7..9e9f668095 100644 --- a/library/common/1.0.0/templates/lib/container/_securityContext.tpl +++ b/library/common/1.0.0/templates/lib/container/_securityContext.tpl 
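Review bot: `le (int $portNumber) 1024` in the main-container branch, and the matching `le (int $port.containerPort) 1024` in the else branch, grant NET_BIND_SERVICE for port 1024, which is not a privileged port (the Linux default `ip_unprivileged_port_start` is 1024, so only 0–1023 need the capability); `lt (int $portNumber) 1024` is the least-privilege comparison, with the comment and the new tests adjusted to say `<1024`. Sprig's `int` returns 0 for anything it cannot convert, so a named `targetPort` such as `http`, or an extra-container port entry missing `containerPort`, silently satisfies the check and receives the capability; guard the numeric case explicitly, e.g. `{{- if and (regexMatch "^[0-9]+$" (toString $portNumber)) (lt (int $portNumber) 1024) -}}`, and the same for `$port.containerPort`. It would also be worth a comment next to the `mustAppend` line that a capability added to a container running as a non-root UID (568 in the tests) is not guaranteed to land in the entrypoint's effective set on runtimes that do not set ambient capabilities, so the bind may still fail and the `net.ipv4.ip_unprivileged_port_start` sysctl is the alternative — verify on the target runtime. The enclosing `ix.v1.common.lib.securityContext` definition starts and ends outside this hunk.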
@@ -4,10 +4,15 @@ {{- $isMainContainer := .isMainContainer -}} {{- $deviceList := .deviceList -}} {{- $scaleGPU := .scaleGPU -}} + {{- $ports := .ports -}} {{- $root := .root -}} {{/* Calculate all security values */}} - {{- $security := (include "ix.v1.common.lib.securityContext" (dict "root" $root "secCont" $secCont "deviceList" $deviceList "isMainContainer" $isMainContainer) | fromJson) -}} + {{- $security := (include "ix.v1.common.lib.securityContext" (dict "root" $root + "secCont" $secCont + "deviceList" $deviceList + "isMainContainer" $isMainContainer + "ports" $ports) | fromJson) -}} {{/* Only run as root if it's explicitly defined */}} {{- if or (eq (int $security.runAsUser) 0) (eq (int $security.runAsGroup) 0) -}} @@ -21,7 +26,7 @@ runAsGroup: {{ $security.runAsGroup }} readOnlyRootFilesystem: {{ $security.readOnlyRootFilesystem }} allowPrivilegeEscalation: {{ $security.allowPrivilegeEscalation }} privileged: {{ $security.privileged }} -capabilities: {{/* TODO: add NET_BIND_SERVICE when port < 80 is used? */}} +capabilities: {{- with $security.capabilities.add }} add: {{- range . }} diff --git a/library/common/1.0.0/templates/lib/pod/_extraContainers.tpl b/library/common/1.0.0/templates/lib/pod/_extraContainers.tpl index 137d8e20e6..a360665dd1 100644 --- a/library/common/1.0.0/templates/lib/pod/_extraContainers.tpl +++ b/library/common/1.0.0/templates/lib/pod/_extraContainers.tpl @@ -74,6 +74,7 @@ {{- end -}} {{- with (include "ix.v1.common.container.securityContext" (dict "secCont" $container.securityContext "isMainContainer" false + "ports" $container.ports "deviceList" $container.deviceList "scaleGPU" $container.scaleGPU "root" $root)) | trim }}