From cd9e53c45cbb34063445b107f15226549a4b6938 Mon Sep 17 00:00:00 2001
From: Christian Kotzbauer
Date: Wed, 2 Aug 2023 12:19:33 +0200
Subject: [PATCH] feat: improve default security (#46)

Signed-off-by: Christian Kotzbauer
---
 charts/kured/Chart.yaml | 2 +-
 charts/kured/README.md | 11 +++++++++--
 charts/kured/values.yaml | 3 ++-
 3 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/charts/kured/Chart.yaml b/charts/kured/Chart.yaml
index b2c63ba..9415a90 100644
--- a/charts/kured/Chart.yaml
+++ b/charts/kured/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v1
 appVersion: "1.13.2"
 description: A Helm chart for kured
 name: kured
-version: 4.7.0
+version: 5.0.0
 home: https://github.com/kubereboot/kured
 maintainers:
 - name: ckotzbauer
diff --git a/charts/kured/README.md b/charts/kured/README.md
index d1365af..4e52a1f 100644
--- a/charts/kured/README.md
+++ b/charts/kured/README.md
@@ -23,6 +23,13 @@ The command removes all the Kubernetes components associated with the chart and
 
 ## Upgrade Notes
 
+### From 4.x to 5.x
+
+We improved two security-related default-values:
+- `hostNetwork` is set to `false` by default now.
+- `readOnlyRootFilesystem` is set to `true` by default now.
+Both parameters can be configured to its old values from 4.x
+
 ### From 3.x to 4.x
 
 We have migrated the code and its release artifacts (helm charts, docker images, manifests) to an 
@@ -111,7 +118,7 @@ The following changes have been made compared to the stable chart:
 | `serviceAccount.name` | Service account name to create (or use if `serviceAccount.create` is false) | (chart fullname) |
 | `podSecurityPolicy.create` | Create podSecurityPolicy | `false` |
 | `containerSecurityContext.privileged ` | Enables `privileged` in container-specific security context | `true` |
-| `containerSecurityContext.allowPrivilegeEscalation`| Enables `allowPrivilegeEscalation` in container-specific security context. If not set it won't be configured. | |
+| `containerSecurityContext.readOnlyRootFilesystem`| Enables `readOnlyRootFilesystem` in container-specific security context. If not set it won't be configured. | `true` |
 | `resources` | Resources requests and limits. | `{}` |
 | `metrics.create` | Create a ServiceMonitor for prometheus-operator | `false` |
 | `metrics.namespace` | The namespace to create the ServiceMonitor in | `""` |
@@ -128,7 +135,7 @@ The following changes have been made compared to the stable chart:
 | `priorityClassName` | Priority Class to be used by the pods | `""` |
 | `tolerations` | Tolerations to apply to the daemonset (eg to allow running on master) | `[{"key": "node-role.kubernetes.io/control-plane", "effect": "NoSchedule"}]` for Kubernetes 1.24.0 and greater, otherwise `[{"key": "node-role.kubernetes.io/master", "effect": "NoSchedule"}]`|
 | `affinity` | Affinity for the daemonset (ie, restrict which nodes kured runs on) | `{}` |
-| `hostNetwork` | Pod uses the host network instead of the cluster network | `true` |
+| `hostNetwork` | Pod uses the host network instead of the cluster network | `false` |
 | `nodeSelector` | Node Selector for the daemonset (ie, restrict which nodes kured runs on) | `{ "kubernetes.io/os": "linux" }` |
 | `volumeMounts` | Maps of volumes mount to mount | `{}` |
 | `volumes` | Maps of volumes to mount | `{}` |
diff --git a/charts/kured/values.yaml b/charts/kured/values.yaml
index 2ff1ffc..3a98f4c 100644
--- a/charts/kured/values.yaml
+++ b/charts/kured/values.yaml
@@ -70,11 +70,12 @@ podSecurityPolicy:
 
 containerSecurityContext:
   privileged: true # Give permission to nsenter /proc/1/ns/mnt
+  readOnlyRootFilesystem: true
   # allowPrivilegeEscalation: true # Needed when using defaultAllowPrivilegedEscalation: false in psp
 
 resources: {}
 
-hostNetwork: true
+hostNetwork: false
 
 metrics:
   create: false
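Review bot: The new `readOnlyRootFilesystem: true` line carries no inline comment, unlike the sibling `privileged: true` line that explains why it is set, and since this is a behavior-changing default shipped under a major version bump a short note would help upgraders, e.g. `readOnlyRootFilesystem: true # Hardening default since 5.0; set to false if your kured image or command needs a writable root filesystem`. The commented `# allowPrivilegeEscalation: true` line is retained here, but the README hunk in this commit replaces that parameter's table row with the new `readOnlyRootFilesystem` row rather than adding one, so `allowPrivilegeEscalation` remains in values.yaml while no longer being documented; the removed row should be restored alongside the new one. The `hostNetwork: false` default would likewise benefit from a comment such as `hostNetwork: false # 4.x default was true; set explicitly if the pod must use the node's network namespace`, as operators who relied on the old default will otherwise only notice the change once the daemonset is rolled.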