Skip to content

Commit

Permalink
feat: make zarf-registry and zarf-injector pods comply with offical r…
Browse files Browse the repository at this point in the history
…estricted pod security standard (zarf-dev#3092)

Signed-off-by: miaoxiang.wang <[email protected]>
Co-authored-by: Austin Abro <[email protected]>
  • Loading branch information
2 people authored and Jneville0815 committed Dec 12, 2024
1 parent 59ce166 commit 63dd4da
Show file tree
Hide file tree
Showing 3 changed files with 28 additions and 2 deletions.
11 changes: 10 additions & 1 deletion packages/zarf-registry/chart/templates/deployment.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -33,8 +33,11 @@ spec:
{{- end }}
priorityClassName: system-node-critical
securityContext:
fsGroup: 1000
runAsUser: 1000
fsGroup: 2000
runAsGroup: 2000
seccompProfile:
type: "RuntimeDefault"
containers:
- name: {{ .Chart.Name }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
Expand All @@ -53,6 +56,12 @@ spec:
httpGet:
path: /
port: 5000
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
runAsNonRoot: true
capabilities:
drop: ["ALL"]
resources:
{{ toYaml .Values.resources | indent 12 }}
env:
Expand Down
17 changes: 17 additions & 0 deletions src/pkg/cluster/injector.go
Original file line number Diff line number Diff line change
Expand Up @@ -319,6 +319,9 @@ func hasBlockingTaints(taints []corev1.Taint) bool {

func buildInjectionPod(nodeName, image string, payloadCmNames []string, shasum string, resReq corev1.ResourceRequirements) *corev1.Pod {
executeMode := int32(0777)
userID := int64(1000)
groupID := int64(2000)
fsGroupID := int64(2000)

pod := &corev1.Pod{
TypeMeta: metav1.TypeMeta{
Expand All @@ -337,6 +340,12 @@ func buildInjectionPod(nodeName, image string, payloadCmNames []string, shasum s
NodeName: nodeName,
// Do not try to restart the pod as it will be deleted/re-created instead.
RestartPolicy: corev1.RestartPolicyNever,
SecurityContext: &corev1.PodSecurityContext{
RunAsUser: &userID,
RunAsGroup: &groupID,
FSGroup: &fsGroupID,
SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault},
},
Containers: []corev1.Container{
{
Name: "injector",
Expand Down Expand Up @@ -366,6 +375,14 @@ func buildInjectionPod(nodeName, image string, payloadCmNames []string, shasum s
},
},
},
SecurityContext: &corev1.SecurityContext{
ReadOnlyRootFilesystem: helpers.BoolPtr(true),
AllowPrivilegeEscalation: helpers.BoolPtr(false),
RunAsNonRoot: helpers.BoolPtr(true),
Capabilities: &corev1.Capabilities{
Drop: []corev1.Capability{"ALL"},
},
},
Resources: resReq,
},
},
Expand Down
2 changes: 1 addition & 1 deletion src/pkg/cluster/testdata/expected-injection-pod.json
Original file line number Diff line number Diff line change
@@ -1 +1 @@
{"kind":"Pod","apiVersion":"v1","metadata":{"name":"injector","namespace":"zarf","creationTimestamp":null,"labels":{"app":"zarf-injector","zarf.dev/agent":"ignore"}},"spec":{"volumes":[{"name":"init","configMap":{"name":"rust-binary","defaultMode":511}},{"name":"seed","emptyDir":{}},{"name":"foo","configMap":{"name":"foo"}},{"name":"bar","configMap":{"name":"bar"}}],"containers":[{"name":"injector","image":"docker.io/library/ubuntu:latest","command":["/zarf-init/zarf-injector","shasum"],"workingDir":"/zarf-init","resources":{"limits":{"cpu":"1","memory":"256Mi"},"requests":{"cpu":"500m","memory":"64Mi"}},"volumeMounts":[{"name":"init","mountPath":"/zarf-init/zarf-injector","subPath":"zarf-injector"},{"name":"seed","mountPath":"/zarf-seed"},{"name":"foo","mountPath":"/zarf-init/foo","subPath":"foo"},{"name":"bar","mountPath":"/zarf-init/bar","subPath":"bar"}],"readinessProbe":{"httpGet":{"path":"/v2/","port":5000},"periodSeconds":2,"successThreshold":1,"failureThreshold":10},"imagePullPolicy":"IfNotPresent"}],"restartPolicy":"Never","nodeName":"injection-node"},"status":{}}
{"kind":"Pod","apiVersion":"v1","metadata":{"name":"injector","namespace":"zarf","creationTimestamp":null,"labels":{"app":"zarf-injector","zarf.dev/agent":"ignore"}},"spec":{"volumes":[{"name":"init","configMap":{"name":"rust-binary","defaultMode":511}},{"name":"seed","emptyDir":{}},{"name":"foo","configMap":{"name":"foo"}},{"name":"bar","configMap":{"name":"bar"}}],"containers":[{"name":"injector","image":"docker.io/library/ubuntu:latest","command":["/zarf-init/zarf-injector","shasum"],"workingDir":"/zarf-init","resources":{"limits":{"cpu":"1","memory":"256Mi"},"requests":{"cpu":"500m","memory":"64Mi"}},"volumeMounts":[{"name":"init","mountPath":"/zarf-init/zarf-injector","subPath":"zarf-injector"},{"name":"seed","mountPath":"/zarf-seed"},{"name":"foo","mountPath":"/zarf-init/foo","subPath":"foo"},{"name":"bar","mountPath":"/zarf-init/bar","subPath":"bar"}],"readinessProbe":{"httpGet":{"path":"/v2/","port":5000},"periodSeconds":2,"successThreshold":1,"failureThreshold":10},"imagePullPolicy":"IfNotPresent","securityContext":{"capabilities":{"drop":["ALL"]},"runAsNonRoot":true,"readOnlyRootFilesystem":true,"allowPrivilegeEscalation":false}}],"restartPolicy":"Never","nodeName":"injection-node","securityContext":{"runAsUser":1000,"runAsGroup":2000,"fsGroup":2000,"seccompProfile":{"type":"RuntimeDefault"}}},"status":{}}

0 comments on commit 63dd4da

Please sign in to comment.