Added PSS profile seccompProfile to pods of istio (#2787)

* Added PSS profile seccompProfile to pods of istio Signed-off-by: biswajit-9776 <biswajitpatt139@gmail.com> * Added seccompProfile to istio as kustomize component Signed-off-by: biswajit-9776 <biswajitpatt139@gmail.com> * Undone changes made to istio/base Signed-off-by: biswajit-9776 <biswajitpatt139@gmail.com> * Added seccomp files to common/istio-1-22/kubeflow-istio-resources/ Signed-off-by: biswajit-9776 <biswajitpatt139@gmail.com> * Moved the seccompProfile patches to istio/base/patches Signed-off-by: biswajit-9776 <biswajitpatt139@gmail.com> * Added newline character to a file Signed-off-by: biswajit-9776 <biswajitpatt139@gmail.com> --------- Signed-off-by: biswajit-9776 <biswajitpatt139@gmail.com>
kubeflow · Jul 23, 2024 · a0468b8 · a0468b8
1 parent ea91efc
commit a0468b8
Show file tree

Hide file tree

Showing 7 changed files with 69 additions and 1 deletion.
diff --git a/common/istio-1-22/istio-install/base/kustomization.yaml b/common/istio-1-22/istio-install/base/kustomization.yaml
@@ -16,3 +16,5 @@ patches:
 - path: patches/disable-debugging.yaml
 - path: patches/istio-ingressgateway-remove-pdb.yaml
 - path: patches/istiod-remove-pdb.yaml
+- path: patches/seccomp-istio-ingressgateway.yaml
+- path: patches/seccomp-istiod.yaml
diff --git a/common/istio-1-22/istio-install/base/patches/seccomp-istio-ingressgateway.yaml b/common/istio-1-22/istio-install/base/patches/seccomp-istio-ingressgateway.yaml
@@ -0,0 +1,16 @@
+# Seccomp profile must be explicitly set to one of the allowed values. Both the Unconfined profile and the absence of a profile are prohibited.
+# According to https://kubernetes.io/docs/concepts/security/pod-security-standards/#:~:text=undefined/null-,Seccomp%20(v1.19%2B),-Seccomp%20profile%20must
+# This is done to enable 'restricted' level security standards for the pods.
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: istio-ingressgateway
+  namespace: istio-system
+spec:
+  template:
+    spec:
+      containers:
+      - name: istio-proxy
+        securityContext:
+          seccompProfile:
+            type: RuntimeDefault
diff --git a/common/istio-1-22/istio-install/base/patches/seccomp-istiod.yaml b/common/istio-1-22/istio-install/base/patches/seccomp-istiod.yaml
@@ -0,0 +1,16 @@
+# Seccomp profile must be explicitly set to one of the allowed values. Both the Unconfined profile and the absence of a profile are prohibited.
+# According to https://kubernetes.io/docs/concepts/security/pod-security-standards/#:~:text=undefined/null-,Seccomp%20(v1.19%2B),-Seccomp%20profile%20must
+# This is done to enable 'restricted' level security standards for the pods.
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: istiod
+  namespace: istio-system
+spec:
+  template:
+    spec:
+      containers:
+      - name: discovery
+        securityContext:
+          seccompProfile:
+            type: RuntimeDefault
diff --git a/common/istio-cni-1-22/istio-install/base/kustomization.yaml b/common/istio-cni-1-22/istio-install/base/kustomization.yaml
@@ -14,3 +14,5 @@ patches:
 - path: patches/disable-debugging.yaml
 - path: patches/istio-ingressgateway-remove-pdb.yaml
 - path: patches/istiod-remove-pdb.yaml
+- path: patches/seccomp-istio-ingressgateway.yaml
+- path: patches/seccomp-istiod.yaml
diff --git a/common/istio-cni-1-22/istio-install/base/patches/seccomp-istio-ingressgateway.yaml b/common/istio-cni-1-22/istio-install/base/patches/seccomp-istio-ingressgateway.yaml
@@ -0,0 +1,16 @@
+# Seccomp profile must be explicitly set to one of the allowed values. Both the Unconfined profile and the absence of a profile are prohibited.
+# According to https://kubernetes.io/docs/concepts/security/pod-security-standards/#:~:text=undefined/null-,Seccomp%20(v1.19%2B),-Seccomp%20profile%20must
+# This is done to enable 'restricted' level security standards for the pods.
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: istio-ingressgateway
+  namespace: istio-system
+spec:
+  template:
+    spec:
+      containers:
+      - name: istio-proxy
+        securityContext:
+          seccompProfile:
+            type: RuntimeDefault
diff --git a/common/istio-cni-1-22/istio-install/base/patches/seccomp-istiod.yaml b/common/istio-cni-1-22/istio-install/base/patches/seccomp-istiod.yaml
@@ -0,0 +1,16 @@
+# Seccomp profile must be explicitly set to one of the allowed values. Both the Unconfined profile and the absence of a profile are prohibited.
+# According to https://kubernetes.io/docs/concepts/security/pod-security-standards/#:~:text=undefined/null-,Seccomp%20(v1.19%2B),-Seccomp%20profile%20must
+# This is done to enable 'restricted' level security standards for the pods.
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: istiod
+  namespace: istio-system
+spec:
+  template:
+    spec:
+      containers:
+      - name: discovery
+        securityContext:
+          seccompProfile:
+            type: RuntimeDefault
diff --git a/contrib/security/PSS/static/baseline/kustomization.yaml b/contrib/security/PSS/static/baseline/kustomization.yaml
@@ -6,4 +6,4 @@ patches:
 - path: patches/istio-labels.yaml
 - path: patches/cert-manager-labels.yaml
 - path: patches/dex-labels.yaml
-- path: patches/oauth2-proxy-labels.yaml
+- path: patches/oauth2-proxy-labels.yaml