Feat(#199): initial test setup for restrictes PSS/PSA with K8s 1.25

OWASP · Mar 6, 2023 · 06d9966 · 06d9966
1 parent f2dbe50
commit 06d9966
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 3 deletions.
diff --git a/helm/wrongsecrets-ctf-party/values.yaml b/helm/wrongsecrets-ctf-party/values.yaml
@@ -55,6 +55,15 @@ balancer:
     limits:
       memory: 1024Mi
       cpu: 1000m
+  securityContext:
+    allowPrivilegeEscalation: false
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+    capabilities:
+      drop:
+        - ALL
+    seccompProfile:
+      type: RuntimeDefault
   # -- Optional Configure kubernetes scheduling affinity for the created JuiceShops (see: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity)
   affinity: {}
   # -- Optional Configure kubernetes toleration for the created JuiceShops (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)
@@ -129,6 +138,11 @@ wrongsecrets:
     allowPrivilegeEscalation: false
     readOnlyRootFilesystem: true
     runAsNonRoot: true
+    capabilities:
+      drop:
+        - ALL
+    seccompProfile:
+      type: RuntimeDefault
   # -- Optional environment variables to set for each JuiceShop instance (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/)
   env:
     - name: K8S_ENV
@@ -196,6 +210,11 @@ virtualdesktop:
     allowPrivilegeEscalation: false
     readOnlyRootFilesystem: true
     runAsNonRoot: true
+    capabilities:
+      drop:
+        - ALL
+    seccompProfile:
+      type: RuntimeDefault
   runtimeClassName: {}
   affinity: {}
   # -- Optional mount environment variables from configMaps or secrets (see: https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#configure-all-key-value-pairs-in-a-secret-as-container-environment-variables)
@@ -220,7 +239,15 @@ wrongsecretsCleanup:
       memory: 256Mi
     limits:
       memory: 256Mi
-  securityContext: {}
+  securityContext:
+    allowPrivilegeEscalation: false
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+    capabilities:
+      drop:
+        - ALL
+    seccompProfile:
+      type: RuntimeDefault
   # -- Optional Configure kubernetes scheduling affinity for the wrongsecretsCleanup Job(see: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity)
   affinity: {}
   # -- Optional Configure kubernetes toleration for the wrongsecretsCleanup Job (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)

diff --git a/wrongsecrets-balancer/src/kubernetes.js b/wrongsecrets-balancer/src/kubernetes.js
@@ -34,6 +34,7 @@ const createNameSpaceForTeam = async (team) => {
     },
     labels: {
       name: `t-${team}`,
+      'pod-security.kubernetes.io/enforce': 'restricted',
     },
   };
   k8sCoreApi.createNamespace(namedNameSpace).catch((error) => {
@@ -131,6 +132,8 @@ const createK8sDeploymentForTeam = async ({ team, passcodeHash }) => {
                 allowPrivilegeEscalation: false,
                 readOnlyRootFilesystem: true,
                 runAsNonRoot: true,
+                capabilities: {drop: [ALL]},
+                seccompProfile: {type: RuntimeDefault},
               },
               env: [
                 {
@@ -385,6 +388,8 @@ const createAWSDeploymentForTeam = async ({ team, passcodeHash }) => {
                 allowPrivilegeEscalation: false,
                 readOnlyRootFilesystem: true,
                 runAsNonRoot: true,
+                capabilities: {drop: [ALL]},
+                seccompProfile: {type: RuntimeDefault},
               },
               env: [
                 {
@@ -1088,8 +1093,11 @@ const createDesktopDeploymentForTeam = async ({ team, passcodeHash }) => {
               },
               // resources: get('virtualdesktop.resources'),
               securityContext: {
-                // allowPrivilegeEscalation: false,
-                // readOnlyRootFilesystem: true,
+                allowPrivilegeEscalation: false,
+                readOnlyRootFilesystem: true,
+                runAsNonRoot: true,
+                capabilities: {drop: [ALL]},
+                seccompProfile: {type: RuntimeDefault},
               },
               env: [...get('virtualdesktop.env', [])],
               envFrom: get('virtualdesktop.envFrom'),