From 06d99666e72a3cd93732bd1e0f35354344ec9d86 Mon Sep 17 00:00:00 2001 From: Jeroen Willemsen Date: Mon, 6 Mar 2023 21:00:11 +0100 Subject: [PATCH] Feat(#199): initial test setup for restrictes PSS/PSA with K8s 1.25 --- helm/wrongsecrets-ctf-party/values.yaml | 29 ++++++++++++++++++++++++- wrongsecrets-balancer/src/kubernetes.js | 12 ++++++++-- 2 files changed, 38 insertions(+), 3 deletions(-) diff --git a/helm/wrongsecrets-ctf-party/values.yaml b/helm/wrongsecrets-ctf-party/values.yaml index eb894648..81bb53ed 100644 --- a/helm/wrongsecrets-ctf-party/values.yaml +++ b/helm/wrongsecrets-ctf-party/values.yaml @@ -55,6 +55,15 @@ balancer: limits: memory: 1024Mi cpu: 1000m + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault # -- Optional Configure kubernetes scheduling affinity for the created JuiceShops (see: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) affinity: {} # -- Optional Configure kubernetes toleration for the created JuiceShops (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) @@ -129,6 +138,11 @@ wrongsecrets: allowPrivilegeEscalation: false readOnlyRootFilesystem: true runAsNonRoot: true + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault # -- Optional environment variables to set for each JuiceShop instance (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) env: - name: K8S_ENV 
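Review bot: The new `balancer.securityContext` block at the start of the first hunk is only effective if the balancer Deployment template actually renders it; unlike `wrongsecretsCleanup`, which already carried a `securityContext: {}` placeholder that the second file-section hunk replaces, `balancer` had no such key before, so the template may not reference `.Values.balancer.securityContext` at all. Check that the container spec contains something like `securityContext: {{ toYaml .Values.balancer.securityContext | nindent 12 }}`, otherwise the pod keeps running without these restrictions while the values suggest otherwise. Setting `readOnlyRootFilesystem: true` on the balancer also means any runtime write (for example to `/tmp`) fails unless an `emptyDir` is mounted there; the template is outside this hunk, so that needs confirming separately. The surrounding `balancer:` and `wrongsecrets:` mappings start before and end after the hunks shown.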
@@ -196,6 +210,11 @@ virtualdesktop: allowPrivilegeEscalation: false readOnlyRootFilesystem: true runAsNonRoot: true + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault runtimeClassName: {} affinity: {} # -- Optional mount environment variables from configMaps or secrets (see: https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#configure-all-key-value-pairs-in-a-secret-as-container-environment-variables) @@ -220,7 +239,15 @@ wrongsecretsCleanup: memory: 256Mi limits: memory: 256Mi - securityContext: {} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault # -- Optional Configure kubernetes scheduling affinity for the wrongsecretsCleanup Job(see: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) affinity: {} # -- Optional Configure kubernetes toleration for the wrongsecretsCleanup Job (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) diff --git a/wrongsecrets-balancer/src/kubernetes.js b/wrongsecrets-balancer/src/kubernetes.js index c85d22d0..2834d5b5 100644 --- a/wrongsecrets-balancer/src/kubernetes.js +++ b/wrongsecrets-balancer/src/kubernetes.js @@ -34,6 +34,7 @@ const createNameSpaceForTeam = async (team) => { }, labels: { name: `t-${team}`, + 'pod-security.kubernetes.io/enforce': 'restricted', }, }; k8sCoreApi.createNamespace(namedNameSpace).catch((error) => { @@ -131,6 +132,8 @@ const createK8sDeploymentForTeam = async ({ team, passcodeHash }) => { allowPrivilegeEscalation: false, readOnlyRootFilesystem: true, runAsNonRoot: true, + capabilities: {drop: [ALL]}, + seccompProfile: {type: RuntimeDefault}, }, env: [ { 
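Review bot: The label added in `createNameSpaceForTeam` sets only `pod-security.kubernetes.io/enforce`, so there is no `warn`/`audit` signal for workloads that would be rejected, and without `enforce-version` the meaning of `restricted` changes with every cluster upgrade rather than being pinned to the version this was tested on. I would add `'pod-security.kubernetes.io/enforce-version': 'v1.25',`, `'pod-security.kubernetes.io/warn': 'restricted',` and `'pod-security.kubernetes.io/audit': 'restricted',` alongside it. Because the labels are only applied in `createNamespace`, team namespaces that already exist are not patched and keep running unrestricted until they are recreated; if that is not acceptable a one-off relabel of existing `t-*` namespaces is needed. The `createNamespace(...).catch(...)` handler continues past the end of the hunk.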
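Review bot: `capabilities: {drop: [ALL]}` and `seccompProfile: {type: RuntimeDefault}` in `createK8sDeploymentForTeam` use bare identifiers where the Kubernetes API expects the strings `"ALL"` and `"RuntimeDefault"`; unless `ALL` and `RuntimeDefault` are constants defined earlier in this file (not visible here), building the deployment object throws `ReferenceError: ALL is not defined` before any API call, so no team deployment can be created at all. They should read `capabilities: { drop: ['ALL'] },` and `seccompProfile: { type: 'RuntimeDefault' },`. This is the container-level securityContext, which is what the restricted profile checks, so once quoted the values line up with the namespace label introduced in the same patch. The function body begins and ends outside the hunk.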
@@ -385,6 +388,8 @@ const createAWSDeploymentForTeam = async ({ team, passcodeHash }) => { allowPrivilegeEscalation: false, readOnlyRootFilesystem: true, runAsNonRoot: true, + capabilities: {drop: [ALL]}, + seccompProfile: {type: RuntimeDefault}, }, env: [ { @@ -1088,8 +1093,11 @@ const createDesktopDeploymentForTeam = async ({ team, passcodeHash }) => { }, // resources: get('virtualdesktop.resources'), securityContext: { - // allowPrivilegeEscalation: false, - // readOnlyRootFilesystem: true, + allowPrivilegeEscalation: false, + readOnlyRootFilesystem: true, + runAsNonRoot: true, + capabilities: {drop: [ALL]}, + seccompProfile: {type: RuntimeDefault}, }, env: [...get('virtualdesktop.env', [])], envFrom: get('virtualdesktop.envFrom'),
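Review bot: The two lines added in `createAWSDeploymentForTeam` have the same problem as the other deployment builders in this patch: `ALL` and `RuntimeDefault` are unquoted identifiers, which the runtime resolves as variables and, unless they are defined elsewhere in the file, raise a `ReferenceError` when the deployment manifest is constructed. Quote them as `capabilities: { drop: ['ALL'] },` and `seccompProfile: { type: 'RuntimeDefault' },`. Since this failure happens client-side in the balancer, the namespace-level `restricted` enforcement would never be reached and the bug would surface as every team creation failing rather than as a policy rejection. The enclosing function starts and ends outside the hunk.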
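Review bot: In `createDesktopDeploymentForTeam` the last two added lines again use bare `ALL` and `RuntimeDefault`, which will throw a `ReferenceError` at manifest-construction time unless those names are defined elsewhere in the file; they need to be `capabilities: { drop: ['ALL'] },` and `seccompProfile: { type: 'RuntimeDefault' },`. Separately, this hunk turns the formerly commented-out `allowPrivilegeEscalation`/`readOnlyRootFilesystem` into enforced settings and adds `runAsNonRoot: true`: if the virtual desktop image runs as UID 0 without an explicit `runAsUser`, the kubelet will refuse to start it (`CreateContainerConfigError`), and a read-only root filesystem will break any desktop component that writes to its home or temp directories unless `emptyDir` volumes are mounted there — neither the image nor the volumes are visible in this hunk, so both need to be verified before merging. The `// resources:` line remains commented out, which PSA restricted does not require but leaves the desktop pod without CPU/memory limits. The function body continues outside the hunk on both sides.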