From 7103c7032d0896837ef63a5bff7ef06319b5069a Mon Sep 17 00:00:00 2001
From: olalekan odukoya
Date: Thu, 2 May 2024 14:20:12 +0100
Subject: [PATCH] TT-12054: add security context to init containers
---
 .../templates/bootstrap-post-install.yaml | 4 +++
 .../templates/bootstrap-pre-delete.yaml | 4 +++
 .../templates/bootstrap-pre-install.yaml | 6 +++-
 components/tyk-bootstrap/values.yaml | 19 +++++++++--
 .../templates/deployment-dashboard.yaml | 4 +++
 components/tyk-dashboard/values.yaml | 5 ++-
 components/tyk-dev-portal/values.yaml | 5 ++-
 .../templates/deployment-gw-repset.yaml | 4 +++
 components/tyk-gateway/values.yaml | 5 ++-
 components/tyk-mdcb/values.yaml | 12 ++++---
 components/tyk-pump/values.yaml | 5 ++-
 tyk-control-plane/values.yaml | 32 ++++++++++++++-----
 tyk-data-plane/values.yaml | 10 ++++--
 tyk-oss/values.yaml | 10 ++++--
 tyk-stack/values.yaml | 20 +++++++++---
 15 files changed, 117 insertions(+), 28 deletions(-)
diff --git a/components/tyk-bootstrap/templates/bootstrap-post-install.yaml b/components/tyk-bootstrap/templates/bootstrap-post-install.yaml
index dfb832b6..d203f673 100644
--- a/components/tyk-bootstrap/templates/bootstrap-post-install.yaml
+++ b/components/tyk-bootstrap/templates/bootstrap-post-install.yaml
@@ -36,6 +36,10 @@ spec:
 image: {{ .Values.bootstrap.jobs.postInstall.image.repository }}:{{ .Values.bootstrap.jobs.postInstall.image.tag }}
 command: [ './app/bin/bootstrap-app-post' ]
 imagePullPolicy: IfNotPresent
+ {{- if .Values.bootstrap.containerSecurityContext }}
+ securityContext:
+ {{- toYaml .Values.bootstrap.containerSecurityContext | nindent 12 }}
+ {{- end }}
 env:
 - name: TYK_K8SBOOTSTRAP_TYK_ADMIN_FIRSTNAME
 {{ if .Values.global.adminUser.useSecretName }}
diff --git a/components/tyk-bootstrap/templates/bootstrap-pre-delete.yaml b/components/tyk-bootstrap/templates/bootstrap-pre-delete.yaml
index 12d3c314..e34c23c4 100644
--- a/components/tyk-bootstrap/templates/bootstrap-pre-delete.yaml
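Review bot: The four-line `securityContext` stanza added here is pasted verbatim into bootstrap-pre-delete and bootstrap-pre-install as well (and, keyed on other values, into the dashboard and gateway init containers), so the next field added to one hook will be missed in the others. A small named template, e.g. `{{- define "tyk-bootstrap.containerSecurityContext" }}` wrapping the same `if` / `toYaml | nindent` body and called from all three hooks, keeps them identical. The guard is on truthiness, so an override of `containerSecurityContext: {}` silently removes every hardening field rather than just the defaults — acceptable, but it deserves a comment in values.yaml. With `readOnlyRootFilesystem: true` now the default, `./app/bin/bootstrap-app-post` must not write outside a mounted volume; none is visible in this hunk, so presumably the v2.1.1 image tolerates this — confirm. The container definition starts and ends outside the hunk.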
+++ b/components/tyk-bootstrap/templates/bootstrap-pre-delete.yaml
@@ -39,6 +39,10 @@ spec:
 image: {{ .Values.bootstrap.jobs.preDelete.image.repository }}:{{ .Values.bootstrap.jobs.preDelete.image.tag }}
 command: [ './app/bin/bootstrap-app-pre-delete' ]
 imagePullPolicy: IfNotPresent
+ {{- if .Values.bootstrap.containerSecurityContext }}
+ securityContext:
+ {{- toYaml .Values.bootstrap.containerSecurityContext | nindent 12 }}
+ {{- end }}
 env:
 - name: TYK_K8SBOOTSTRAP_OPERATORKUBERNETESSECRETNAME
 value: {{ .Values.bootstrap.operatorSecret }}
diff --git a/components/tyk-bootstrap/templates/bootstrap-pre-install.yaml b/components/tyk-bootstrap/templates/bootstrap-pre-install.yaml
index 7e9661d8..68e76543 100644
--- a/components/tyk-bootstrap/templates/bootstrap-pre-install.yaml
+++ b/components/tyk-bootstrap/templates/bootstrap-pre-install.yaml
@@ -27,7 +27,7 @@ spec:
 labels:
 {{- with .Values.bootstrap.podLabels.preInstallPodLabels }}
 {{- toYaml . | nindent 8 }}
- {{- end }}
+ {{- end }}
 spec:
 serviceAccountName: {{ default "k8s-bootstrap-role" .Values.bootstrap.serviceAccountName | quote }}
 containers:
@@ -35,6 +35,10 @@ spec:
 image: {{ .Values.bootstrap.jobs.preInstall.image.repository }}:{{ .Values.bootstrap.jobs.preInstall.image.tag }}
 command: ['/app/bin/bootstrap-app-pre-install']
 imagePullPolicy: IfNotPresent
+ {{- if .Values.bootstrap.containerSecurityContext }}
+ securityContext:
+ {{- toYaml .Values.bootstrap.containerSecurityContext | nindent 12 }}
+ {{- end }}
 env:
 - name: TYK_K8SBOOTSTRAP_TYK_DASHBOARDLICENSE
 {{ if .Values.global.secrets.useSecretName }}
diff --git a/components/tyk-bootstrap/values.yaml b/components/tyk-bootstrap/values.yaml
index 8fafb3aa..3d715c44 100644
--- a/components/tyk-bootstrap/values.yaml
+++ b/components/tyk-bootstrap/values.yaml
@@ -81,7 +81,7 @@ bootstrap:
 # repository specifies image repository of pre-install job.
 repository: tykio/tyk-k8s-bootstrap-pre-install
 # tag specifies image tag of pre-install job.
- tag: v2.1.0
+ tag: v2.1.1
 # extraEnvs is used to set extra environment variables to pre-install job.
 # - name: TYK_K8SBOOTSTRAP_TYK_DASHBOARDLICENSE
@@ -95,7 +95,7 @@ bootstrap:
 # repository specifies image repository of post-install job.
 repository: tykio/tyk-k8s-bootstrap-post
 # tag specifies image tag of post-install job.
- tag: v2.1.0
+ tag: v2.1.1
 # extraEnvs is used to set extra environment variables to post-install job.
 # - name: TYK_K8SBOOTSTRAP_TYK_ADMIN_FIRSTNAME
@@ -109,7 +109,7 @@ bootstrap:
 # repository specifies image repository of pre-delete job.
 repository: tykio/tyk-k8s-bootstrap-pre-delete
 # tag specifies image tag of pre-delete job.
- tag: v2.1.0
+ tag: v2.1.1
 # extraEnvs is used to set extra environment variables to pre-delete job.
 # - name: TYK_K8SBOOTSTRAP_OPERATORKUBERNETESSECRETNAME
@@ -154,3 +154,16 @@ bootstrap:
 postInstallPodLabels: {}
 # preDeletePodLabels specifies labels to be added to Tyk Bootstrap pre-delete hook's job pods.
 preDeletePodLabels: {}
+
+ # containerSecurityContext values for bootstrap containers
+ containerSecurityContext:
+ runAsNonRoot: true
+ runAsUser: 1000
+ allowPrivilegeEscalation: false
+ privileged: false
+ readOnlyRootFilesystem: true
+ seccompProfile:
+ type: RuntimeDefault
+ capabilities:
+ drop:
+ - ALL
diff --git a/components/tyk-dashboard/templates/deployment-dashboard.yaml b/components/tyk-dashboard/templates/deployment-dashboard.yaml
index a179fc59..5430ba69 100644
--- a/components/tyk-dashboard/templates/deployment-dashboard.yaml
+++ b/components/tyk-dashboard/templates/deployment-dashboard.yaml
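Review bot: The comment on the new `containerSecurityContext` block is thinner than the equivalent one in the other component charts and does not say which containers it governs or that `{}` turns the stanza off entirely, which matters now that `runAsUser: 1000` and `readOnlyRootFilesystem: true` are defaults for all three hook jobs. Suggest `# containerSecurityContext holds container-level security attributes for the pre-install, post-install and pre-delete hook containers. All fields from SecurityContext object can be added here; setting it to {} renders no securityContext at all.`. The hook image tags move to v2.1.1 in the hunks above, which presumably is what makes the images runnable as uid 1000 with a read-only root filesystem — if so, saying that here stops someone pairing these defaults with an older tag.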
@@ -60,6 +60,10 @@ spec:
 - name: init-analytics-conf
 image: busybox:1.32
 args: ["sh", "-c", 'touch /etc/tyk-dashboard/tyk_analytics.conf && echo "{}" > /etc/tyk-dashboard/tyk_analytics.conf']
+ {{- if .Values.dashboard.containerSecurityContext }}
+ securityContext:
+ {{- toYaml .Values.dashboard.containerSecurityContext | nindent 12 }}
+ {{- end }}
 volumeMounts:
 - mountPath: /etc/tyk-dashboard
 name: analytics-conf
diff --git a/components/tyk-dashboard/values.yaml b/components/tyk-dashboard/values.yaml
index 68658ce9..665d38e0 100644
--- a/components/tyk-dashboard/values.yaml
+++ b/components/tyk-dashboard/values.yaml
@@ -334,12 +334,15 @@ dashboard:
 # containerSecurityContext holds container-level security attributes for Tyk Dashboard container. All fields from SecurityContext object can be added here.
 containerSecurityContext:
 runAsNonRoot: true
+ runAsUser: 1000
 allowPrivilegeEscalation: false
 privileged: false
 readOnlyRootFilesystem: true
+ seccompProfile:
+ type: RuntimeDefault
 capabilities:
 drop:
- - all
+ - ALL
 # nodeSelector is a selector which must be true for Tyk Dashboard pod to fit on a specific node.
 nodeSelector: {}
diff --git a/components/tyk-dev-portal/values.yaml b/components/tyk-dev-portal/values.yaml
index e3324001..2bd1bd2e 100644
--- a/components/tyk-dev-portal/values.yaml
+++ b/components/tyk-dev-portal/values.yaml
@@ -195,12 +195,15 @@ securityContext:
 # containerSecurityContext holds container-level security attributes for Tyk Developer Portal pod. All fields from SecurityContext object can be added here.
 containerSecurityContext:
 runAsNonRoot: true
+ runAsUser: 1000
 allowPrivilegeEscalation: false
 privileged: false
 readOnlyRootFilesystem: true
+ seccompProfile:
+ type: RuntimeDefault
 capabilities:
 drop:
- - all
+ - ALL
 # nodeSelector is a selector which must be true for Tyk Developer Portal pod to fit on a specific node.
 nodeSelector: {}
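Review bot: The init container keeps the hard-coded, digest-less `image: busybox:1.32` while now inheriting the dashboard's securityContext; the gateway init container in this same change reads its image from `gateway.initContainers.setupDirectories.repository`/`tag`, so this one cannot be pointed at a private registry or pinned by the operator, which is the usual way init-container images fall out of image policy. Consider making it configurable the same way, e.g. `image: "{{ .Values.dashboard.initContainers.analyticsConf.repository }}:{{ .Values.dashboard.initContainers.analyticsConf.tag }}"` with matching defaults in values.yaml. The `touch`/`echo` into `/etc/tyk-dashboard` survives `readOnlyRootFilesystem: true` only because that path is the `analytics-conf` mount; a comment such as `# writes only under the analytics-conf mount, so readOnlyRootFilesystem can stay true` would keep a later refactor from moving the file. The init container list continues outside the hunk.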
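Review bot: `runAsUser: 1000` becomes a hard default next to `runAsNonRoot: true`, but neither the hunk nor the comment ties 1000 to the uid the image ships with, and a fixed uid can be rejected on platforms that allocate uids per namespace (OpenShift's restricted SCC, for one), where the previous `runAsNonRoot`-only default was accepted. Suggest extending the comment above the block with `# runAsUser must match the uid the Tyk Dashboard image runs as; drop it on clusters that assign uids (e.g. OpenShift restricted SCC).`. The same point applies to the dev-portal hunk below and to every gateway, pump, dashboard and dev-portal `containerSecurityContext` hunk in components/tyk-gateway, components/tyk-pump, tyk-control-plane, tyk-data-plane, tyk-oss and tyk-stack values.yaml. `seccompProfile.type: RuntimeDefault` is likewise only honoured from Kubernetes 1.19 onward; if Chart.yaml does not already constrain `kubeVersion`, this is the commit that should add it.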
diff --git a/components/tyk-gateway/templates/deployment-gw-repset.yaml b/components/tyk-gateway/templates/deployment-gw-repset.yaml
index 0963f207..5785f684 100644
--- a/components/tyk-gateway/templates/deployment-gw-repset.yaml
+++ b/components/tyk-gateway/templates/deployment-gw-repset.yaml
@@ -73,6 +73,10 @@ spec:
 image: "{{ .Values.gateway.initContainers.setupDirectories.repository }}:{{ .Values.gateway.initContainers.setupDirectories.tag }}"
 command: ['sh','-c','mkdir -p apps middleware policies && touch policies/policies.json']
 workingDir: /mnt/tyk-gateway
+ {{- if .Values.gateway.containerSecurityContext }}
+ securityContext:
+ {{- toYaml .Values.gateway.containerSecurityContext | nindent 12 }}
+ {{- end }}
 volumeMounts:
 - name: tyk-scratch
 mountPath: /mnt/tyk-gateway
diff --git a/components/tyk-gateway/values.yaml b/components/tyk-gateway/values.yaml
index ea8b2c9b..71ceb6d4 100644
--- a/components/tyk-gateway/values.yaml
+++ b/components/tyk-gateway/values.yaml
@@ -372,12 +372,15 @@ gateway:
 # containerSecurityContext values for gateway container. All fields from SecurityContext object can be added here.
 containerSecurityContext:
 runAsNonRoot: true
+ runAsUser: 1000
 allowPrivilegeEscalation: false
 privileged: false
 readOnlyRootFilesystem: true
+ seccompProfile:
+ type: RuntimeDefault
 capabilities:
 drop:
- - all
+ - ALL
 # node labels for gateway pod assignment
 nodeSelector: {}
diff --git a/components/tyk-mdcb/values.yaml b/components/tyk-mdcb/values.yaml
index 014ea05f..6a545519 100644
--- a/components/tyk-mdcb/values.yaml
+++ b/components/tyk-mdcb/values.yaml
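Review bot: The init container now shares `gateway.containerSecurityContext` with the main gateway container, so any relaxation an operator needs for the gateway (a writable root filesystem for plugins, say) is granted to the `mkdir`/`touch` helper as well, and vice versa. A per-init-container override that falls back to the shared value keeps the helper at the tighter setting, e.g. `{{- with (default .Values.gateway.containerSecurityContext .Values.gateway.initContainers.setupDirectories.securityContext) }}` / `securityContext:` / `{{- toYaml . | nindent 12 }}` followed by `{{- end }}`. The writes land in `/mnt/tyk-gateway`, which is the `tyk-scratch` mount, so `readOnlyRootFilesystem: true` is compatible here; whether uid 1000 can write there depends on the volume behind `tyk-scratch`, which is outside this hunk.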
@@ -252,12 +252,16 @@ mdcb:
 # containerSecurityContext holds container-level security attributes for Tyk MDCB container. All fields from SecurityContext object can be added here.
 containerSecurityContext: {}
- # capabilities:
- # drop:
- # - ALL
- # readOnlyRootFilesystem: true
 # runAsNonRoot: true
 # runAsUser: 1000
+ # allowPrivilegeEscalation: false
+ # privileged: false
+ # readOnlyRootFilesystem: true
+ # seccompProfile:
+ # type: RuntimeDefault
+ # capabilities:
+ # drop:
+ # - ALL
 service:
 # type corresponds to the service type of Tyk MDCB Service.
diff --git a/components/tyk-pump/values.yaml b/components/tyk-pump/values.yaml
index 353fbe11..57d905c5 100644
--- a/components/tyk-pump/values.yaml
+++ b/components/tyk-pump/values.yaml
@@ -316,12 +316,15 @@ pump:
 # containerSecurityContext values for pump container. All fields from SecurityContext object can be added here.
 containerSecurityContext:
 runAsNonRoot: true
+ runAsUser: 1000
 allowPrivilegeEscalation: false
 privileged: false
 readOnlyRootFilesystem: true
+ seccompProfile:
+ type: RuntimeDefault
 capabilities:
 drop:
- - all
+ - ALL
 # node labels for pump pod assignment
 nodeSelector: {}
diff --git a/tyk-control-plane/values.yaml b/tyk-control-plane/values.yaml
index cff80383..4ef5a1fc 100644
--- a/tyk-control-plane/values.yaml
+++ b/tyk-control-plane/values.yaml
@@ -415,12 +415,15 @@ tyk-gateway:
 # containerSecurityContext values for gateway container. All fields from SecurityContext object can be added here.
 containerSecurityContext:
 runAsNonRoot: true
+ runAsUser: 1000
 allowPrivilegeEscalation: false
 privileged: false
 readOnlyRootFilesystem: true
+ seccompProfile:
+ type: RuntimeDefault
 capabilities:
 drop:
- - all
+ - ALL
 # node labels for gateway pod assignment
 nodeSelector: {}
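Review bot: `containerSecurityContext: {}` stays the MDCB default, so after this commit MDCB is the only component whose container ships with no `runAsNonRoot`, `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem` or capability drop; the hunk only rewrites the commented-out example, and an empty map presumably renders no securityContext in the MDCB template just as it does in the init containers above. The same gap is left in the `tyk-mdcb` section of tyk-control-plane/values.yaml further down. If the MDCB image cannot run under the same defaults as the other components, the comment should say why, e.g. `# MDCB defaults stay empty because <reason>`; otherwise the block should receive the same defaults rather than an example nobody enables.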
@@ -674,12 +677,15 @@ tyk-pump:
 # containerSecurityContext values for pump container. All fields from SecurityContext object can be added here.
 containerSecurityContext:
 runAsNonRoot: true
+ runAsUser: 1000
 allowPrivilegeEscalation: false
 privileged: false
 readOnlyRootFilesystem: true
+ seccompProfile:
+ type: RuntimeDefault
 capabilities:
 drop:
- - all
+ - ALL
 # node labels for pump pod assignment
 nodeSelector: {}
@@ -967,12 +973,15 @@ tyk-dashboard:
 # containerSecurityContext holds container-level security attributes for Tyk Dashboard container. All fields from SecurityContext object can be added here.
 containerSecurityContext:
 runAsNonRoot: true
+ runAsUser: 1000
 allowPrivilegeEscalation: false
 privileged: false
 readOnlyRootFilesystem: true
+ seccompProfile:
+ type: RuntimeDefault
 capabilities:
 drop:
- - all
+ - ALL
 # nodeSelector is a selector which must be true for Tyk Dashboard pod to fit on a specific node.
 nodeSelector: {}
@@ -1170,12 +1179,16 @@ tyk-mdcb:
 # containerSecurityContext holds container-level security attributes for Tyk MDCB container. All fields from SecurityContext object can be added here.
 containerSecurityContext: {}
+ # runAsNonRoot: true
+ # runAsUser: 1000
+ # allowPrivilegeEscalation: false
+ # privileged: false
+ # readOnlyRootFilesystem: true
+ # seccompProfile:
+ # type: RuntimeDefault
 # capabilities:
 # drop:
- # - ALL
- # readOnlyRootFilesystem: true
- # runAsNonRoot: true
- # runAsUser: 1000
+ # - ALL
 service:
 # type corresponds to the service type of Tyk MDCB Service.
@@ -1397,12 +1410,15 @@ tyk-dev-portal:
 # containerSecurityContext holds container-level security attributes for Tyk Developer Portal pod. All fields from SecurityContext object can be added here.
 containerSecurityContext:
 runAsNonRoot: true
+ runAsUser: 1000
 allowPrivilegeEscalation: false
 privileged: false
 readOnlyRootFilesystem: true
+ seccompProfile:
+ type: RuntimeDefault
 capabilities:
 drop:
- - all
+ - ALL
 # nodeSelector is a selector which must be true for Tyk Developer Portal pod to fit on a specific node.
 nodeSelector: {}
 # tolerations specifies tolerations to be applied on Tyk Developer Portal pods.
diff --git a/tyk-data-plane/values.yaml b/tyk-data-plane/values.yaml
index afb2ef06..162f5056 100644
--- a/tyk-data-plane/values.yaml
+++ b/tyk-data-plane/values.yaml
@@ -362,12 +362,15 @@ tyk-gateway:
 # containerSecurityContext values for gateway container. All fields from SecurityContext object can be added here.
 containerSecurityContext:
 runAsNonRoot: true
+ runAsUser: 1000
 allowPrivilegeEscalation: false
 privileged: false
 readOnlyRootFilesystem: true
+ seccompProfile:
+ type: RuntimeDefault
 capabilities:
 drop:
- - all
+ - ALL
 # node labels for gateway pod assignment
 nodeSelector: {}
@@ -627,12 +630,15 @@ tyk-pump:
 # containerSecurityContext values for pump container. All fields from SecurityContext object can be added here.
 containerSecurityContext:
 runAsNonRoot: true
+ runAsUser: 1000
 allowPrivilegeEscalation: false
 privileged: false
 readOnlyRootFilesystem: true
+ seccompProfile:
+ type: RuntimeDefault
 capabilities:
 drop:
- - all
+ - ALL
 # node labels for pump pod assignment
 nodeSelector: {}
diff --git a/tyk-oss/values.yaml b/tyk-oss/values.yaml
index f4097ff4..df3d93a9 100644
--- a/tyk-oss/values.yaml
+++ b/tyk-oss/values.yaml
@@ -332,12 +332,15 @@ tyk-gateway:
 # containerSecurityContext values for gateway container. All fields from SecurityContext object can be added here.
 containerSecurityContext:
 runAsNonRoot: true
+ runAsUser: 1000
 allowPrivilegeEscalation: false
 privileged: false
 readOnlyRootFilesystem: true
+ seccompProfile:
+ type: RuntimeDefault
 capabilities:
 drop:
- - all
+ - ALL
 # node labels for gateway pod assignment
 nodeSelector: {}
@@ -576,12 +579,15 @@ tyk-pump:
 # containerSecurityContext values for pump container. All fields from SecurityContext object can be added here.
 containerSecurityContext:
 runAsNonRoot: true
+ runAsUser: 1000
 allowPrivilegeEscalation: false
 privileged: false
 readOnlyRootFilesystem: true
+ seccompProfile:
+ type: RuntimeDefault
 capabilities:
 drop:
- - all
+ - ALL
 # node labels for pump pod assignment
 nodeSelector: {}
diff --git a/tyk-stack/values.yaml b/tyk-stack/values.yaml
index 7074fc4c..4ecdf461 100644
--- a/tyk-stack/values.yaml
+++ b/tyk-stack/values.yaml
@@ -424,12 +424,15 @@ tyk-gateway:
 # containerSecurityContext values for gateway container. All fields from SecurityContext object can be added here.
 containerSecurityContext:
 runAsNonRoot: true
+ runAsUser: 1000
 allowPrivilegeEscalation: false
 privileged: false
 readOnlyRootFilesystem: true
+ seccompProfile:
+ type: RuntimeDefault
 capabilities:
 drop:
- - all
+ - ALL
 # node labels for gateway pod assignment
 nodeSelector: {}
@@ -665,12 +668,15 @@ tyk-pump:
 # containerSecurityContext values for pump container. All fields from SecurityContext object can be added here.
 containerSecurityContext:
 runAsNonRoot: true
+ runAsUser: 1000
 allowPrivilegeEscalation: false
 privileged: false
 readOnlyRootFilesystem: true
+ seccompProfile:
+ type: RuntimeDefault
 capabilities:
 drop:
- - all
+ - ALL
 # node labels for pump pod assignment
 nodeSelector: {}
@@ -951,12 +957,15 @@ tyk-dashboard:
 # containerSecurityContext holds container-level security attributes for Tyk Dashboard container. All fields from SecurityContext object can be added here.
 containerSecurityContext:
 runAsNonRoot: true
+ runAsUser: 1000
 allowPrivilegeEscalation: false
 privileged: false
 readOnlyRootFilesystem: true
+ seccompProfile:
+ type: RuntimeDefault
 capabilities:
 drop:
- - all
+ - ALL
 # nodeSelector is a selector which must be true for Tyk Dashboard pod to fit on a specific node.
 nodeSelector: {}
@@ -1158,12 +1167,15 @@ tyk-dev-portal:
 # containerSecurityContext holds container-level security attributes for Tyk Developer Portal pod. All fields from SecurityContext object can be added here.
 containerSecurityContext:
 runAsNonRoot: true
+ runAsUser: 1000
 allowPrivilegeEscalation: false
 privileged: false
 readOnlyRootFilesystem: true
+ seccompProfile:
+ type: RuntimeDefault
 capabilities:
 drop:
- - all
+ - ALL
 # nodeSelector is a selector which must be true for Tyk Developer Portal pod to fit on a specific node.
 nodeSelector: {}
 # tolerations specifies tolerations to be applied on Tyk Developer Portal pods.