From 49d2c9cc1b82971927b73b5b62e8a47ae5f310f6 Mon Sep 17 00:00:00 2001 From: biswajit-9776 <115724497+biswajit-9776@users.noreply.github.com> Date: Fri, 16 Aug 2024 18:02:28 +0530 Subject: [PATCH] Added securityContext profiles for deployments failing PSS restricted level (#2836) * Added securityContext for profile-controller deployments Signed-off-by: biswajit-9776 * Fixed PSS warnings for containers kfam and manager Signed-off-by: biswajit-9776 * Added securitycontext profiles to dex and oauth2-proxy deployments Signed-off-by: biswajit-9776 * Added seccompProfile for cluster-local-gateway Signed-off-by: biswajit-9776 * Added securityContext to cronjob Signed-off-by: biswajit-9776 * Added securityContext to pipelines pods Signed-off-by: biswajit-9776 * trigger GitHub actions Signed-off-by: biswajit-9776 * trigger GitHub actions Signed-off-by: biswajit-9776 * Undoing changes to cronjob Signed-off-by: biswajit-9776 --------- 
Signed-off-by: biswajit-9776 --- contrib/security/PSS/patches/cache-server.yaml | 17 +++++++++++++++++ .../PSS/patches/cluster-local-gateway.yaml | 12 ++++++++++++ contrib/security/PSS/patches/dex.yaml | 17 +++++++++++++++++ contrib/security/PSS/patches/kfam.yaml | 17 +++++++++++++++++ .../kubeflow-pipelines-profile-controller.yaml | 17 +++++++++++++++++ contrib/security/PSS/patches/manager.yaml | 17 +++++++++++++++++ .../PSS/patches/metadata-envoy-deployment.yaml | 17 +++++++++++++++++ .../PSS/patches/metadata-grpc-deployment.yaml | 17 +++++++++++++++++ .../security/PSS/patches/metadata-writer.yaml | 17 +++++++++++++++++ contrib/security/PSS/patches/minio.yaml | 17 +++++++++++++++++ .../patches/ml-pipeline-persistenceagent.yaml | 17 +++++++++++++++++ .../patches/ml-pipeline-scheduledworkflow.yaml | 17 +++++++++++++++++ .../security/PSS/patches/ml-pipeline-ui.yaml | 17 +++++++++++++++++ .../PSS/patches/ml-pipeline-viewer-crd.yaml | 17 +++++++++++++++++ .../ml-pipeline-visualizationserver.yaml | 17 +++++++++++++++++ contrib/security/PSS/patches/ml-pipeline.yaml | 17 +++++++++++++++++ contrib/security/PSS/patches/mysql.yaml | 17 +++++++++++++++++ contrib/security/PSS/patches/oauth2-proxy.yaml | 18 ++++++++++++++++++ 18 files changed, 302 insertions(+) create mode 100644 contrib/security/PSS/patches/cache-server.yaml create mode 100644 contrib/security/PSS/patches/cluster-local-gateway.yaml create mode 100644 contrib/security/PSS/patches/dex.yaml create mode 100644 contrib/security/PSS/patches/kfam.yaml create mode 100644 contrib/security/PSS/patches/kubeflow-pipelines-profile-controller.yaml create mode 100644 contrib/security/PSS/patches/manager.yaml create mode 100644 contrib/security/PSS/patches/metadata-envoy-deployment.yaml create mode 100644 contrib/security/PSS/patches/metadata-grpc-deployment.yaml create mode 100644 contrib/security/PSS/patches/metadata-writer.yaml create mode 100644 contrib/security/PSS/patches/minio.yaml create mode 100644 
contrib/security/PSS/patches/ml-pipeline-persistenceagent.yaml create mode 100644 contrib/security/PSS/patches/ml-pipeline-scheduledworkflow.yaml create mode 100644 contrib/security/PSS/patches/ml-pipeline-ui.yaml create mode 100644 contrib/security/PSS/patches/ml-pipeline-viewer-crd.yaml create mode 100644 contrib/security/PSS/patches/ml-pipeline-visualizationserver.yaml create mode 100644 contrib/security/PSS/patches/ml-pipeline.yaml create mode 100644 contrib/security/PSS/patches/mysql.yaml create mode 100644 contrib/security/PSS/patches/oauth2-proxy.yaml
diff --git a/contrib/security/PSS/patches/cache-server.yaml b/contrib/security/PSS/patches/cache-server.yaml
new file mode 100644
index 000000000..e62a8bcc4
--- /dev/null
+++ b/contrib/security/PSS/patches/cache-server.yaml
@@ -0,0 +1,17 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: cache-server
+spec:
+ template:
+ spec:
+ containers:
+ - name: server
+ securityContext:
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
diff --git a/contrib/security/PSS/patches/cluster-local-gateway.yaml b/contrib/security/PSS/patches/cluster-local-gateway.yaml
new file mode 100644
index 000000000..09b890872
--- /dev/null
+++ b/contrib/security/PSS/patches/cluster-local-gateway.yaml
@@ -0,0 +1,12 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: cluster-local-gateway
+spec:
+ template:
+ spec:
+ containers:
+ - name: istio-proxy
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/contrib/security/PSS/patches/dex.yaml b/contrib/security/PSS/patches/dex.yaml
new file mode 100644
index 000000000..d82ecba67
--- /dev/null
+++ b/contrib/security/PSS/patches/dex.yaml
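Review bot: `runAsNonRoot: true` is set on the `server` container without a numeric `runAsUser`, so the kubelet's non-root verification rests entirely on the image's `USER` directive: an image that runs as UID 0, or that names a non-numeric user the kubelet cannot resolve, is refused at container start rather than being run as root. The patch does not show which image `cache-server` uses, so this should be confirmed per Deployment, or the UID pinned alongside the flag, e.g. `runAsUser: 1000` and `runAsGroup: 1000` next to `runAsNonRoot: true`. `seccompProfile` and `runAsNonRoot` are also valid under `spec.template.spec.securityContext`; setting them once at pod level would cover init containers too, leaving only `allowPrivilegeEscalation` and `capabilities` to be set per container.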
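Review bot: This patch adds only `seccompProfile` to the `istio-proxy` container, whereas the restricted Pod Security Standard also requires `allowPrivilegeEscalation: false`, `capabilities.drop: [ALL]` and `runAsNonRoot: true` on every container. If the gateway's base manifest already sets those (Istio's gateway injection template generally does), a one-line comment in the patch saying so would spare the next reader from re-checking; if it does not, the Deployment will still be reported at the restricted level after this patch. If the gateway binds ports below 1024 it may additionally need `capabilities.add: [NET_BIND_SERVICE]`, which is the single capability the restricted profile allows back after dropping ALL.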
@@ -0,0 +1,17 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: dex
+spec:
+ template:
+ spec:
+ containers:
+ - name: dex
+ securityContext:
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
diff --git a/contrib/security/PSS/patches/kfam.yaml b/contrib/security/PSS/patches/kfam.yaml
new file mode 100644
index 000000000..cfd999f56
--- /dev/null
+++ b/contrib/security/PSS/patches/kfam.yaml
@@ -0,0 +1,17 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: profiles-deployment
+spec:
+ template:
+ spec:
+ containers:
+ - name: kfam
+ securityContext:
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
diff --git a/contrib/security/PSS/patches/kubeflow-pipelines-profile-controller.yaml b/contrib/security/PSS/patches/kubeflow-pipelines-profile-controller.yaml
new file mode 100644
index 000000000..9c29bfb9a
--- /dev/null
+++ b/contrib/security/PSS/patches/kubeflow-pipelines-profile-controller.yaml
@@ -0,0 +1,17 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: kubeflow-pipelines-profile-controller
+spec:
+ template:
+ spec:
+ containers:
+ - name: profile-controller
+ securityContext:
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
diff --git a/contrib/security/PSS/patches/manager.yaml b/contrib/security/PSS/patches/manager.yaml
new file mode 100644
index 000000000..cbf3f3579
--- /dev/null
+++ b/contrib/security/PSS/patches/manager.yaml
@@ -0,0 +1,17 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: profiles-deployment
+spec:
+ template:
+ spec:
+ containers:
+ - name: manager
+ securityContext:
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
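Review bot: `manager.yaml` and `kfam.yaml` both patch the same `profiles-deployment` Deployment, one container each; kustomize merges them by container name, but splitting one resource's hardening across two files makes it easy to update one and forget the other. A single `profiles-deployment.yaml` patch with both `- name: manager` and `- name: kfam` entries under `containers` would keep that Deployment's security posture in one place. Neither patch pins `runAsUser`, so whether the non-root check passes depends on each image's `USER`, which is not visible here and is worth confirming.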
diff --git a/contrib/security/PSS/patches/metadata-envoy-deployment.yaml b/contrib/security/PSS/patches/metadata-envoy-deployment.yaml
new file mode 100644
index 000000000..ff0370c0f
--- /dev/null
+++ b/contrib/security/PSS/patches/metadata-envoy-deployment.yaml
@@ -0,0 +1,17 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: metadata-envoy-deployment
+spec:
+ template:
+ spec:
+ containers:
+ - name: container
+ securityContext:
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
diff --git a/contrib/security/PSS/patches/metadata-grpc-deployment.yaml b/contrib/security/PSS/patches/metadata-grpc-deployment.yaml
new file mode 100644
index 000000000..778f849a0
--- /dev/null
+++ b/contrib/security/PSS/patches/metadata-grpc-deployment.yaml
@@ -0,0 +1,17 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: metadata-grpc-deployment
+spec:
+ template:
+ spec:
+ containers:
+ - name: container
+ securityContext:
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
diff --git a/contrib/security/PSS/patches/metadata-writer.yaml b/contrib/security/PSS/patches/metadata-writer.yaml
new file mode 100644
index 000000000..ada39a1bc
--- /dev/null
+++ b/contrib/security/PSS/patches/metadata-writer.yaml
@@ -0,0 +1,17 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: metadata-writer
+spec:
+ template:
+ spec:
+ containers:
+ - name: main
+ securityContext:
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
diff --git a/contrib/security/PSS/patches/minio.yaml b/contrib/security/PSS/patches/minio.yaml
new file mode 100644
index 000000000..0dc2a0e5f
--- /dev/null
+++ b/contrib/security/PSS/patches/minio.yaml
@@ -0,0 +1,17 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: minio
+spec:
+ template:
+ spec:
+ containers:
+ - name: minio
+ securityContext:
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
diff --git a/contrib/security/PSS/patches/ml-pipeline-persistenceagent.yaml b/contrib/security/PSS/patches/ml-pipeline-persistenceagent.yaml
new file mode 100644
index 000000000..61aa1f2a6
--- /dev/null
+++ b/contrib/security/PSS/patches/ml-pipeline-persistenceagent.yaml
@@ -0,0 +1,17 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: ml-pipeline-persistenceagent
+spec:
+ template:
+ spec:
+ containers:
+ - name: ml-pipeline-persistenceagent
+ securityContext:
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
diff --git a/contrib/security/PSS/patches/ml-pipeline-scheduledworkflow.yaml b/contrib/security/PSS/patches/ml-pipeline-scheduledworkflow.yaml
new file mode 100644
index 000000000..72e877363
--- /dev/null
+++ b/contrib/security/PSS/patches/ml-pipeline-scheduledworkflow.yaml
@@ -0,0 +1,17 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: ml-pipeline-scheduledworkflow
+spec:
+ template:
+ spec:
+ containers:
+ - name: ml-pipeline-scheduledworkflow
+ securityContext:
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
diff --git a/contrib/security/PSS/patches/ml-pipeline-ui.yaml b/contrib/security/PSS/patches/ml-pipeline-ui.yaml
new file mode 100644
index 000000000..c3ce8228d
--- /dev/null
+++ b/contrib/security/PSS/patches/ml-pipeline-ui.yaml
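Review bot: `runAsNonRoot: true` plus `capabilities.drop: [ALL]` on the `minio` container only works if the MinIO image actually starts as a non-root UID; to my knowledge the upstream minio image runs as root unless the Pod supplies a `runAsUser`, and with no numeric user the kubelet refuses to start the container rather than running it as root. The patch also sets no pod-level `fsGroup`, so a data PersistentVolume that was previously written as root may be unwritable by the non-root process. Suggest adding `runAsUser: 1000`, `runAsGroup: 1000` and a pod-level `fsGroup: 1000` (or whatever UID the image in the base manifest documents) and verifying the Deployment comes up against an existing volume before merging.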
@@ -0,0 +1,17 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: ml-pipeline-ui
+spec:
+ template:
+ spec:
+ containers:
+ - name: ml-pipeline-ui
+ securityContext:
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
diff --git a/contrib/security/PSS/patches/ml-pipeline-viewer-crd.yaml b/contrib/security/PSS/patches/ml-pipeline-viewer-crd.yaml
new file mode 100644
index 000000000..cf52aef9e
--- /dev/null
+++ b/contrib/security/PSS/patches/ml-pipeline-viewer-crd.yaml
@@ -0,0 +1,17 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: ml-pipeline-viewer-crd
+spec:
+ template:
+ spec:
+ containers:
+ - name: ml-pipeline-viewer-crd
+ securityContext:
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
diff --git a/contrib/security/PSS/patches/ml-pipeline-visualizationserver.yaml b/contrib/security/PSS/patches/ml-pipeline-visualizationserver.yaml
new file mode 100644
index 000000000..1673b60c6
--- /dev/null
+++ b/contrib/security/PSS/patches/ml-pipeline-visualizationserver.yaml
@@ -0,0 +1,17 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: ml-pipeline-visualizationserver
+spec:
+ template:
+ spec:
+ containers:
+ - name: ml-pipeline-visualizationserver
+ securityContext:
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
diff --git a/contrib/security/PSS/patches/ml-pipeline.yaml b/contrib/security/PSS/patches/ml-pipeline.yaml
new file mode 100644
index 000000000..67fc9a41f
--- /dev/null
+++ b/contrib/security/PSS/patches/ml-pipeline.yaml
@@ -0,0 +1,17 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: ml-pipeline
+spec:
+ template:
+ spec:
+ containers:
+ - name: ml-pipeline-api-server
+ securityContext:
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
diff --git a/contrib/security/PSS/patches/mysql.yaml b/contrib/security/PSS/patches/mysql.yaml
new file mode 100644
index 000000000..257264d6a
--- /dev/null
+++ b/contrib/security/PSS/patches/mysql.yaml
@@ -0,0 +1,17 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: mysql
+spec:
+ template:
+ spec:
+ containers:
+ - name: mysql
+ securityContext:
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
diff --git a/contrib/security/PSS/patches/oauth2-proxy.yaml b/contrib/security/PSS/patches/oauth2-proxy.yaml
new file mode 100644
index 000000000..007e4d8bd
--- /dev/null
+++ b/contrib/security/PSS/patches/oauth2-proxy.yaml
@@ -0,0 +1,18 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: oauth2-proxy
+spec:
+ replicas: 2
+ template:
+ spec:
+ containers:
+ - name: oauth2-proxy
+ securityContext:
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
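Review bot: The `mysql` container gets `runAsNonRoot: true` and drops every capability, but the official MySQL image's entrypoint presumably starts as root to fix data-directory ownership before dropping to the `mysql` user; under this patch the kubelet will refuse to start that container unless a numeric `runAsUser` is supplied, and the data directory on an existing PVC must already be writable by that UID, usually arranged with a pod-level `fsGroup`. Please confirm the image and UID used by this Deployment and add `runAsUser`, `runAsGroup` and `fsGroup` accordingly (or note in the patch why the image is already non-root), since the commit message's "Undoing changes to cronjob" suggests at least one workload already had to be backed out for a reason like this.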
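Review bot: `+ replicas: 2` in `oauth2-proxy.yaml` is unrelated to the Pod Security Standard hardening this patch set is for, and because this is a strategic-merge patch it silently overrides whatever replica count the base `oauth2-proxy` Deployment declares for everyone who applies the PSS overlay. The PR title and every commit message describe only securityContext changes, so this looks accidental; drop the `replicas: 2` line from this file, or move it to a separately named scaling patch, so the security overlay changes only `securityContext`.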