Helm charts:: Security Contexts#6125
Conversation
moritzkiefer-da
left a comment
There was a problem hiding this comment.
The change itself looks fairly reasonable. But there is a very large number of configuration flags on security contexts and security contexts on various levels. They did mention this explicitly but their message sounds fairly ambigous and they may just have used this an example. Can we check with them what they expect?
|
I think there are two parts here:
For 1. we need some research; did we do that somewhere? For 2. I'm not sure if this PR goes in the right direction. Why not just allow overriding the |
There was a problem hiding this comment.
Can we use something other than docs? We know the docs are going away soon
I agree with your point. We can let one override What I would do is; define |
I wouldn't try to enforce this in the schema. Trying to figure out all the various options that may be safe is a lost cause and some options may be safe in some usecase but not others. Just set the ones that are always valid by default and let people overwrite with whatever they want. |
|
Totally agree with @moritzkiefer-da ; for the defaults it's IMO fine enough if we ensure validity via our cluster testing. For everything else - up to the users to pick the right strings. If they want to override this it's reasonable to assume they have some idea what they are doing. |
|
@martinflorian-da @moritzkiefer-da I will allow overriding the containerSecurityContext field, so users can put whatever they want. We will set a few defaults that won't break our deployments. Full list of securitycontext: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.36/#securitycontext-v1-core Defaults
Testing I will update the tests to verify both the default state (no overrides) and the arbitrary overrides. Just extending my current 2 test per chart strcuture. To define these default securitycontext, we can either put them in |
|
any reason not to set something like and maybe switch to explicit capabilities whitelists? it seems like
I think I prefer values-templates. Then you also get automatic merging with user-supplied values. Note that there is also both a pod and a container security context. I think we want to set both. |
|
@moritzkiefer-da @martinflorian-da I made the changes for The remaining work is to just duplicate this across all helm charts, and I will do it next. |
moritzkiefer-da
left a comment
There was a problem hiding this comment.
thx, it looks good in configurability, the big question ofc is if it really works so definitely make sure to test this
8572f64 to
0ac0cb3
Compare
[ci] Signed-off-by: pasindutennage-da <pasindu.tennage@digitalasset.com> Signed-off-by: Pasindu Tennage <pasindu.tennage@digitalasset.com>
Signed-off-by: pasindutennage-da <pasindu.tennage@digitalasset.com> Signed-off-by: Pasindu Tennage <pasindu.tennage@digitalasset.com>
Signed-off-by: pasindutennage-da <pasindu.tennage@digitalasset.com> Signed-off-by: Pasindu Tennage <pasindu.tennage@digitalasset.com>
[ci] Signed-off-by: pasindutennage-da <pasindu.tennage@digitalasset.com> Signed-off-by: Pasindu Tennage <pasindu.tennage@digitalasset.com>
Signed-off-by: pasindutennage-da <pasindu.tennage@digitalasset.com> Signed-off-by: Pasindu Tennage <pasindu.tennage@digitalasset.com>
Signed-off-by: pasindutennage-da <pasindu.tennage@digitalasset.com> Signed-off-by: Pasindu Tennage <pasindu.tennage@digitalasset.com>
[ci] Signed-off-by: pasindutennage-da <pasindu.tennage@digitalasset.com> Signed-off-by: Pasindu Tennage <pasindu.tennage@digitalasset.com>
| @@ -28,8 +28,20 @@ spec: | |||
| {{- include "splice-util-lib.default-labels" (set . "app" .Release.Name) | nindent 8 }} | |||
| spec: | |||
| {{- include "splice-util-lib.service-account" .Values | nindent 6 }} | |||
There was a problem hiding this comment.
I didn't check this chart in scratch ; i have not provided default values for this chart.
There was a problem hiding this comment.
I wonder if we should just remove that chart for now... (offtopic)
| @@ -26,8 +26,20 @@ spec: | |||
| {{- include "splice-util-lib.default-labels" (set . "app" .Release.Name) | nindent 8 }} | |||
| spec: | |||
There was a problem hiding this comment.
I did not test this chart in scratch; and i did not set default context
There was a problem hiding this comment.
Fair enough as we don't run this on MainNet, but at some point we should IMO harden that one too as it runs on DevNet. Let's add some TODO?
| @@ -26,8 +26,20 @@ spec: | |||
| {{- include "splice-util-lib.default-labels" (set . "app" .Release.Name) | nindent 8 }} | |||
| spec: | |||
There was a problem hiding this comment.
this chart is not tested in scratch; and i have not set default context
There was a problem hiding this comment.
Same as for load tester; let's maybe add a TODO to document that we do think it would be nice to harden these as well.
| @@ -26,8 +26,20 @@ spec: | |||
| {{- include "splice-util-lib.default-labels" (set . "app" "splitwell-app") | nindent 8 }} | |||
| spec: | |||
| {{- include "splice-util-lib.service-account" .Values | nindent 6 }} | |||
There was a problem hiding this comment.
i did not check this chart in scratch; i did not set default values
There was a problem hiding this comment.
That one I don't fully get though; deploying splitwell is not that big of a deal?
There was a problem hiding this comment.
Happy to also add a TODO here, mainly curious why you decided to skip it.
| @@ -23,8 +23,20 @@ spec: | |||
| {{- include "splice-util-lib.default-labels" (set . "app" "splitwell-web-ui") | nindent 8 }} | |||
| spec: | |||
There was a problem hiding this comment.
i have not checked this chart in scratch; i have not set default values
There was a problem hiding this comment.
same comment as for the other splitwell component
|
This PR is ready to be reviewed now. The approach i used
|
moritzkiefer-da
left a comment
There was a problem hiding this comment.
Thanks! The changes lgtm, I do think @martinflorian-da's concerns on duplication are valid so let's try to factor out the base profile that's restricted. It seems like putting a placeholder in there and resolving it in the translation from values-template.yaml -> values.yaml is probably the easiest option.
I would also suggest to not get this into this week's release but instead merge directly after the release so we get maximum testing time in case there is some fallout.
Signed-off-by: pasindutennage-da <pasindu.tennage@digitalasset.com> Signed-off-by: Pasindu Tennage <pasindu.tennage@digitalasset.com>
Signed-off-by: pasindutennage-da <pasindu.tennage@digitalasset.com> Signed-off-by: Pasindu Tennage <pasindu.tennage@digitalasset.com>
Signed-off-by: pasindutennage-da <pasindu.tennage@digitalasset.com> Signed-off-by: Pasindu Tennage <pasindu.tennage@digitalasset.com>
Signed-off-by: pasindutennage-da <pasindu.tennage@digitalasset.com> Signed-off-by: Pasindu Tennage <pasindu.tennage@digitalasset.com>
martinflorian-da
left a comment
There was a problem hiding this comment.
Thanks for pushing this forward guys!
I'm going to continue being annoying sadly: Even with deduplicating the security context boilerplate itself I'm still not super excited about the maintainability of this change...
- the tests are very duplicate and boilerplate-y
- we need to remember to add the right thing on new charts we add
I guess these concerns are largely consistent with the state of the rest of our Helm. But I think that at some point we need to look into more sophisticated scanning / static checks to better guard against regressions and "forgot to add context to new thing we added".
@pasindutennage-da Did you happen to look into such tools already by any chance? So things like trivy, kyverno...
(TBC I'm thinking we should create a follow-up issue with the context we currently have; not that we should significantly change this PR.)
| @@ -28,8 +28,20 @@ spec: | |||
| {{- include "splice-util-lib.default-labels" (set . "app" .Release.Name) | nindent 8 }} | |||
| spec: | |||
| {{- include "splice-util-lib.service-account" .Values | nindent 6 }} | |||
There was a problem hiding this comment.
I wonder if we should just remove that chart for now... (offtopic)
| @@ -26,8 +26,20 @@ spec: | |||
| {{- include "splice-util-lib.default-labels" (set . "app" .Release.Name) | nindent 8 }} | |||
| spec: | |||
There was a problem hiding this comment.
Fair enough as we don't run this on MainNet, but at some point we should IMO harden that one too as it runs on DevNet. Let's add some TODO?
| @@ -26,8 +26,20 @@ spec: | |||
| {{- include "splice-util-lib.default-labels" (set . "app" .Release.Name) | nindent 8 }} | |||
| spec: | |||
There was a problem hiding this comment.
Same as for load tester; let's maybe add a TODO to document that we do think it would be nice to harden these as well.
| @@ -26,8 +26,20 @@ spec: | |||
| {{- include "splice-util-lib.default-labels" (set . "app" "splitwell-app") | nindent 8 }} | |||
| spec: | |||
| {{- include "splice-util-lib.service-account" .Values | nindent 6 }} | |||
There was a problem hiding this comment.
That one I don't fully get though; deploying splitwell is not that big of a deal?
| @@ -26,8 +26,20 @@ spec: | |||
| {{- include "splice-util-lib.default-labels" (set . "app" "splitwell-app") | nindent 8 }} | |||
| spec: | |||
| {{- include "splice-util-lib.service-account" .Values | nindent 6 }} | |||
There was a problem hiding this comment.
Happy to also add a TODO here, mainly curious why you decided to skip it.
| @@ -23,8 +23,20 @@ spec: | |||
| {{- include "splice-util-lib.default-labels" (set . "app" "splitwell-web-ui") | nindent 8 }} | |||
| spec: | |||
There was a problem hiding this comment.
same comment as for the other splitwell component
|
|
||
| - Helm | ||
|
|
||
| - Added security contexts for Helm based deployments. |
There was a problem hiding this comment.
| - Added security contexts for Helm based deployments. | |
| - Added security contexts for all Helm-based deployments intended for production. |
...or some better wording that avoids suggesting that we fixed all of them (we didn't). Also happy with a list (of charts we fixed or of the ones that remain unfixed).
|
|
||
| ui_security_context: | ||
| # runAsUser, runAsGroup, and runAsNonRoot are intentionally omitted | ||
| # to prevent entrypoint initialization script crashes (Exit Code 126) |
There was a problem hiding this comment.
That reads like "we got some error that we didn't understand and fixed it by reducing the security level"... can you give more context about the issue? Making it a TODO (pointing to a real issue on one of our security milestones) is also fine to me.
| - Helm | ||
|
|
||
| - Added security contexts for Helm based deployments. | ||
| This improves the security of Kubernetes based deployments by enforcing the principle of least privilege across all pods and containers. |
There was a problem hiding this comment.
I'd also soften this to just "harden"... I don't think we can confidently claim "least possible privilege", and definitely not on "all pods and contains"
Signed-off-by: pasindutennage-da <pasindu.tennage@digitalasset.com> Signed-off-by: Pasindu Tennage <pasindu.tennage@digitalasset.com>
Signed-off-by: pasindutennage-da <pasindu.tennage@digitalasset.com> Signed-off-by: Pasindu Tennage <pasindu.tennage@digitalasset.com>
Signed-off-by: pasindutennage-da <pasindu.tennage@digitalasset.com> Signed-off-by: Pasindu Tennage <pasindu.tennage@digitalasset.com>
Signed-off-by: pasindutennage-da <pasindu.tennage@digitalasset.com> Signed-off-by: Pasindu Tennage <pasindu.tennage@digitalasset.com>
Signed-off-by: pasindutennage-da <pasindu.tennage@digitalasset.com> Signed-off-by: Pasindu Tennage <pasindu.tennage@digitalasset.com>
Signed-off-by: pasindutennage-da <pasindu.tennage@digitalasset.com> Signed-off-by: Pasindu Tennage <pasindu.tennage@digitalasset.com>
Signed-off-by: pasindutennage-da <pasindu.tennage@digitalasset.com> Signed-off-by: Pasindu Tennage <pasindu.tennage@digitalasset.com>
Signed-off-by: pasindutennage-da <pasindu.tennage@digitalasset.com> Signed-off-by: Pasindu Tennage <pasindu.tennage@digitalasset.com>
Signed-off-by: pasindutennage-da <pasindu.tennage@digitalasset.com> Signed-off-by: Pasindu Tennage <pasindu.tennage@digitalasset.com>
Signed-off-by: Pasindu Tennage <pasindu.tennage@digitalasset.com> Signed-off-by: pasindutennage-da <pasindu.tennage@digitalasset.com> [ci]
[ci] Signed-off-by: pasindutennage-da <pasindu.tennage@digitalasset.com> Signed-off-by: Pasindu Tennage <pasindu.tennage@digitalasset.com>
Fix https://github.com/DACH-NY/canton-network-internal/issues/5825
Cluster test https://app.circleci.com/pipelines/github/DACH-NY/canton-network-internal/72353
Deploy upgrade https://app.circleci.com/pipelines/github/DACH-NY/canton-network-internal/72354