From ce8992084fc99a2944ebbf72dfde488c25a4dc3e Mon Sep 17 00:00:00 2001 From: biswajit-9776 <115724497+biswajit-9776@users.noreply.github.com> Date: Fri, 16 Aug 2024 18:02:28 +0530 Subject: [PATCH] Added securityContext profiles for deployments failing PSS restricted level (#2836) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Added securityContext for profile-controller deployments Signed-off-by: biswajit-9776 * Fixed PSS warnings for containers kfam and manager Signed-off-by: biswajit-9776 * Added securitycontext profiles to dex and oauth2-proxy deployments Signed-off-by: biswajit-9776 * Added seccompProfile for cluster-local-gateway Signed-off-by: biswajit-9776 * Added securityContext to cronjob Signed-off-by: biswajit-9776 * Added securityContext to pipelines pods Signed-off-by: biswajit-9776 * trigger GitHub actions Signed-off-by: biswajit-9776 * trigger GitHub actions Signed-off-by: biswajit-9776 * Undoing changes to cronjob Signed-off-by: biswajit-9776 --------- Signed-off-by: biswajit-9776 
Signed-off-by: Patrick Schönthaler --- contrib/security/PSS/patches/cache-server.yaml | 17 +++++++++++++++++ .../PSS/patches/cluster-local-gateway.yaml | 12 ++++++++++++ contrib/security/PSS/patches/dex.yaml | 17 +++++++++++++++++ contrib/security/PSS/patches/kfam.yaml | 17 +++++++++++++++++ .../kubeflow-pipelines-profile-controller.yaml | 17 +++++++++++++++++ contrib/security/PSS/patches/manager.yaml | 17 +++++++++++++++++ .../PSS/patches/metadata-envoy-deployment.yaml | 17 +++++++++++++++++ .../PSS/patches/metadata-grpc-deployment.yaml | 17 +++++++++++++++++ .../security/PSS/patches/metadata-writer.yaml | 17 +++++++++++++++++ contrib/security/PSS/patches/minio.yaml | 17 +++++++++++++++++ .../patches/ml-pipeline-persistenceagent.yaml | 17 +++++++++++++++++ .../patches/ml-pipeline-scheduledworkflow.yaml | 17 +++++++++++++++++ .../security/PSS/patches/ml-pipeline-ui.yaml | 17 +++++++++++++++++ .../PSS/patches/ml-pipeline-viewer-crd.yaml | 17 +++++++++++++++++ .../ml-pipeline-visualizationserver.yaml | 17 +++++++++++++++++ contrib/security/PSS/patches/ml-pipeline.yaml | 17 +++++++++++++++++ contrib/security/PSS/patches/mysql.yaml | 17 +++++++++++++++++ contrib/security/PSS/patches/oauth2-proxy.yaml | 18 ++++++++++++++++++ 18 files changed, 302 insertions(+) create mode 100644 contrib/security/PSS/patches/cache-server.yaml create mode 100644 contrib/security/PSS/patches/cluster-local-gateway.yaml create mode 100644 contrib/security/PSS/patches/dex.yaml create mode 100644 contrib/security/PSS/patches/kfam.yaml create mode 100644 contrib/security/PSS/patches/kubeflow-pipelines-profile-controller.yaml create mode 100644 contrib/security/PSS/patches/manager.yaml create mode 100644 contrib/security/PSS/patches/metadata-envoy-deployment.yaml create mode 100644 contrib/security/PSS/patches/metadata-grpc-deployment.yaml create mode 100644 contrib/security/PSS/patches/metadata-writer.yaml create mode 100644 contrib/security/PSS/patches/minio.yaml create mode 100644 
contrib/security/PSS/patches/ml-pipeline-persistenceagent.yaml create mode 100644 contrib/security/PSS/patches/ml-pipeline-scheduledworkflow.yaml create mode 100644 contrib/security/PSS/patches/ml-pipeline-ui.yaml create mode 100644 contrib/security/PSS/patches/ml-pipeline-viewer-crd.yaml create mode 100644 contrib/security/PSS/patches/ml-pipeline-visualizationserver.yaml create mode 100644 contrib/security/PSS/patches/ml-pipeline.yaml create mode 100644 contrib/security/PSS/patches/mysql.yaml create mode 100644 contrib/security/PSS/patches/oauth2-proxy.yaml
diff --git a/contrib/security/PSS/patches/cache-server.yaml b/contrib/security/PSS/patches/cache-server.yaml new file mode 100644
index 0000000000..e62a8bcc49
--- /dev/null
+++ b/contrib/security/PSS/patches/cache-server.yaml
@@ -0,0 +1,17 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: cache-server
+spec:
+ template:
+ spec:
+ containers:
+ - name: server
+ securityContext:
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
diff --git a/contrib/security/PSS/patches/cluster-local-gateway.yaml b/contrib/security/PSS/patches/cluster-local-gateway.yaml new file mode 100644
index 0000000000..09b890872f
--- /dev/null
+++ b/contrib/security/PSS/patches/cluster-local-gateway.yaml
@@ -0,0 +1,12 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: cluster-local-gateway
+spec:
+ template:
+ spec:
+ containers:
+ - name: istio-proxy
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/contrib/security/PSS/patches/dex.yaml b/contrib/security/PSS/patches/dex.yaml new file mode 100644
index 0000000000..d82ecba673
--- /dev/null
+++ b/contrib/security/PSS/patches/dex.yaml
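Review bot: `runAsNonRoot: true` is set on the server container with no `runAsUser`, so if the cache-server image does not declare a non-root USER the kubelet refuses to start the container instead of fixing it up, and the same pattern is repeated in every other patch in this commit that sets runAsNonRoot (dex, kfam, kubeflow-pipelines-profile-controller, manager, metadata-envoy-deployment, metadata-grpc-deployment, metadata-writer, minio, the ml-pipeline* patches, mysql and oauth2-proxy). Whether each image already runs as non-root is not visible here; the mysql and minio images are the ones most commonly started as root, so those are worth checking first. Where an image needs it, adding `runAsUser: <non-root UID for that image>` next to runAsNonRoot keeps the restricted-level intent and a pod that actually starts. Each patch also only reaches the one named container, so any init containers or injected sidecars in these pods are still evaluated against the same profile and are not covered by this commit.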
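Review bot: The istio-proxy patch sets only `seccompProfile`, whereas every other patch in this commit adds the full restricted-level set (allowPrivilegeEscalation, runAsNonRoot, capabilities drop ALL); presumably those fields are already present on the gateway's base template and only the seccomp profile was missing, but the file does not say so. A one-line comment above `securityContext:` such as `# Only seccompProfile is patched here; the other restricted-level fields come from the gateway base manifest — re-check when the Istio version changes` would spare the next reader from re-deriving that. If the assumption does not hold, the gateway pod still fails restricted-level evaluation after this patch.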
@@ -0,0 +1,17 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: dex
+spec:
+ template:
+ spec:
+ containers:
+ - name: dex
+ securityContext:
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
diff --git a/contrib/security/PSS/patches/kfam.yaml b/contrib/security/PSS/patches/kfam.yaml new file mode 100644
index 0000000000..cfd999f56a
--- /dev/null
+++ b/contrib/security/PSS/patches/kfam.yaml
@@ -0,0 +1,17 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: profiles-deployment
+spec:
+ template:
+ spec:
+ containers:
+ - name: kfam
+ securityContext:
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
diff --git a/contrib/security/PSS/patches/kubeflow-pipelines-profile-controller.yaml b/contrib/security/PSS/patches/kubeflow-pipelines-profile-controller.yaml new file mode 100644
index 0000000000..9c29bfb9ab
--- /dev/null
+++ b/contrib/security/PSS/patches/kubeflow-pipelines-profile-controller.yaml
@@ -0,0 +1,17 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: kubeflow-pipelines-profile-controller
+spec:
+ template:
+ spec:
+ containers:
+ - name: profile-controller
+ securityContext:
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
diff --git a/contrib/security/PSS/patches/manager.yaml b/contrib/security/PSS/patches/manager.yaml new file mode 100644
index 0000000000..cbf3f3579d
--- /dev/null
+++ b/contrib/security/PSS/patches/manager.yaml
@@ -0,0 +1,17 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: profiles-deployment
+spec:
+ template:
+ spec:
+ containers:
+ - name: manager
+ securityContext:
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
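Review bot: kfam.yaml and manager.yaml both target `name: profiles-deployment` and differ only in the container entry, so one Deployment's hardening is split across two files that must be kept in step. A single patch with two `- name:` entries under `containers:` (kfam and manager, same securityContext each) would be easier to audit and removes the chance of one of the two files being left out of the kustomization while the other still applies. This is a point of style; kustomize merges the two patches correctly as written.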
diff --git a/contrib/security/PSS/patches/metadata-envoy-deployment.yaml b/contrib/security/PSS/patches/metadata-envoy-deployment.yaml new file mode 100644
index 0000000000..ff0370c0f5
--- /dev/null
+++ b/contrib/security/PSS/patches/metadata-envoy-deployment.yaml
@@ -0,0 +1,17 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: metadata-envoy-deployment
+spec:
+ template:
+ spec:
+ containers:
+ - name: container
+ securityContext:
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
diff --git a/contrib/security/PSS/patches/metadata-grpc-deployment.yaml b/contrib/security/PSS/patches/metadata-grpc-deployment.yaml new file mode 100644
index 0000000000..778f849a08
--- /dev/null
+++ b/contrib/security/PSS/patches/metadata-grpc-deployment.yaml
@@ -0,0 +1,17 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: metadata-grpc-deployment
+spec:
+ template:
+ spec:
+ containers:
+ - name: container
+ securityContext:
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
diff --git a/contrib/security/PSS/patches/metadata-writer.yaml b/contrib/security/PSS/patches/metadata-writer.yaml new file mode 100644
index 0000000000..ada39a1bc1
--- /dev/null
+++ b/contrib/security/PSS/patches/metadata-writer.yaml
@@ -0,0 +1,17 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: metadata-writer
+spec:
+ template:
+ spec:
+ containers:
+ - name: main
+ securityContext:
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
diff --git a/contrib/security/PSS/patches/minio.yaml b/contrib/security/PSS/patches/minio.yaml new file mode 100644
index 0000000000..0dc2a0e5fb
--- /dev/null
+++ b/contrib/security/PSS/patches/minio.yaml
@@ -0,0 +1,17 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: minio
+spec:
+ template:
+ spec:
+ containers:
+ - name: minio
+ securityContext:
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
diff --git a/contrib/security/PSS/patches/ml-pipeline-persistenceagent.yaml b/contrib/security/PSS/patches/ml-pipeline-persistenceagent.yaml new file mode 100644
index 0000000000..61aa1f2a69
--- /dev/null
+++ b/contrib/security/PSS/patches/ml-pipeline-persistenceagent.yaml
@@ -0,0 +1,17 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: ml-pipeline-persistenceagent
+spec:
+ template:
+ spec:
+ containers:
+ - name: ml-pipeline-persistenceagent
+ securityContext:
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
diff --git a/contrib/security/PSS/patches/ml-pipeline-scheduledworkflow.yaml b/contrib/security/PSS/patches/ml-pipeline-scheduledworkflow.yaml new file mode 100644
index 0000000000..72e8773638
--- /dev/null
+++ b/contrib/security/PSS/patches/ml-pipeline-scheduledworkflow.yaml
@@ -0,0 +1,17 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: ml-pipeline-scheduledworkflow
+spec:
+ template:
+ spec:
+ containers:
+ - name: ml-pipeline-scheduledworkflow
+ securityContext:
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
diff --git a/contrib/security/PSS/patches/ml-pipeline-ui.yaml b/contrib/security/PSS/patches/ml-pipeline-ui.yaml new file mode 100644
index 0000000000..c3ce8228d5
--- /dev/null
+++ b/contrib/security/PSS/patches/ml-pipeline-ui.yaml
@@ -0,0 +1,17 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: ml-pipeline-ui
+spec:
+ template:
+ spec:
+ containers:
+ - name: ml-pipeline-ui
+ securityContext:
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
diff --git a/contrib/security/PSS/patches/ml-pipeline-viewer-crd.yaml b/contrib/security/PSS/patches/ml-pipeline-viewer-crd.yaml new file mode 100644
index 0000000000..cf52aef9e7
--- /dev/null
+++ b/contrib/security/PSS/patches/ml-pipeline-viewer-crd.yaml
@@ -0,0 +1,17 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: ml-pipeline-viewer-crd
+spec:
+ template:
+ spec:
+ containers:
+ - name: ml-pipeline-viewer-crd
+ securityContext:
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
diff --git a/contrib/security/PSS/patches/ml-pipeline-visualizationserver.yaml b/contrib/security/PSS/patches/ml-pipeline-visualizationserver.yaml new file mode 100644
index 0000000000..1673b60c66
--- /dev/null
+++ b/contrib/security/PSS/patches/ml-pipeline-visualizationserver.yaml
@@ -0,0 +1,17 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: ml-pipeline-visualizationserver
+spec:
+ template:
+ spec:
+ containers:
+ - name: ml-pipeline-visualizationserver
+ securityContext:
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
diff --git a/contrib/security/PSS/patches/ml-pipeline.yaml b/contrib/security/PSS/patches/ml-pipeline.yaml new file mode 100644
index 0000000000..67fc9a41f8
--- /dev/null
+++ b/contrib/security/PSS/patches/ml-pipeline.yaml
@@ -0,0 +1,17 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: ml-pipeline
+spec:
+ template:
+ spec:
+ containers:
+ - name: ml-pipeline-api-server
+ securityContext:
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
diff --git a/contrib/security/PSS/patches/mysql.yaml b/contrib/security/PSS/patches/mysql.yaml new file mode 100644
index 0000000000..257264d6a3
--- /dev/null
+++ b/contrib/security/PSS/patches/mysql.yaml
@@ -0,0 +1,17 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: mysql
+spec:
+ template:
+ spec:
+ containers:
+ - name: mysql
+ securityContext:
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
diff --git a/contrib/security/PSS/patches/oauth2-proxy.yaml b/contrib/security/PSS/patches/oauth2-proxy.yaml new file mode 100644
index 0000000000..007e4d8bdc
--- /dev/null
+++ b/contrib/security/PSS/patches/oauth2-proxy.yaml
@@ -0,0 +1,18 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: oauth2-proxy
+spec:
+ replicas: 2
+ template:
+ spec:
+ containers:
+ - name: oauth2-proxy
+ securityContext:
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
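Review bot: The oauth2-proxy patch carries `replicas: 2` under `spec:`, which has nothing to do with the securityContext and, as a strategic merge patch, overrides whatever replica count the base or another overlay sets. A PSS hardening overlay should be applicable to a deployment without changing its scaling, so the line `replicas: 2` is best dropped from this file; if two replicas are wanted, that belongs in the base manifest or in a separate, clearly named patch. The rest of the hunk matches the other patches in the commit.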