
[ Openshift ] Default security capabilities #328

Open
3 tasks done
andloh opened this issue Feb 8, 2024 · 2 comments
Labels: area/security, kind/bug, lifecycle/keep

Comments

@andloh

andloh commented Feb 8, 2024

Preflight Checklist

  • I have searched the issue tracker for an issue that matches the one I want to file, without success.
  • I am not looking for support or already pursued the available support channels without success.
  • I agree to follow the Code of Conduct.

Vault Secrets Webhook Version

1.21.0

Installation Type

Official Helm chart

Bank-Vaults Version

No response

Kubernetes Version

1.25.16

Kubernetes Distribution/Provisioner

Openshift (4.12.46)

Expected Behavior

Ref #69 solved by @sagikazarmark in #149. It seems like only the UUID issue was resolved? Not the extended capabilities introduced in 1.15.2.

Actual Behavior

Not able to fetch secrets from vault due to capabilities being added by default.

```text
35s         Warning   FailedCreate        replicaset/test-deployment-init-seccontext-6bf988cf8d   Error creating: pods "test-deployment-init-seccontext-6bf988cf8d-" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, provider restricted-v2: .initContainers[0].capabilities.add: Invalid value: "CHOWN": capability may not be added, provider restricted-v2: .initContainers[0].capabilities.add: Invalid value: "SETFCAP": capability may not be added, provider restricted-v2: .initContainers[0].capabilities.add: Invalid value: "SETGID": capability may not be added, provider restricted-v2: .initContainers[0].capabilities.add: Invalid value: "SETPCAP": capability may not be added, provider restricted-v2: .initContainers[0].capabilities.add: Invalid value: "SETUID": capability may not be added.
```

Steps To Reproduce

Try to fetch secrets from vault using vault-secrets-webhook with version < 1.15.2 on Openshift

Configuration

  1. Webhook helm chart

```yaml
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: vault-secrets-webhook
  namespace: vault
spec:
  interval: 5m
  chart:
    spec:
      chart: vault-secrets-webhook
      version: 1.21.0
      sourceRef:
        kind: HelmRepository
        name: bank-vaults
        namespace: vault
  values:
    resources:
      limits:
        memory: 512Mi
    secretsFailurePolicy: Fail
    configMapMutation: false
    podsFailurePolicy: Fail
    securityContext: {}
    env:
      REGISTRY_SKIP_VERIFY: true
```
  2. Test manifest

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-deployment-init-seccontext
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: test-deployment-init-seccontext
  template:
    metadata:
      labels:
        app.kubernetes.io/name: test-deployment-init-seccontext
      annotations:
        vault.security.banzaicloud.io/vault-skip-verify: "true"
        vault.security.banzaicloud.io/vault-path: "kubernetes"
        vault.security.banzaicloud.io/run-as-non-root: "true"
    spec:
      containers:
        - name: hallo
          image: ubuntu:latest
          command: ["sh", "-c", "echo $AWS_SECRET_ACCESS_KEY && echo going to sleep... && sleep 10000"]
          env:
          - name: AWS_SECRET_ACCESS_KEY
            value: vault:secret/data/accounts/aws#AWS_SECRET_ACCESS_KEY
          resources:
            limits:
              memory: "128Mi"
              cpu: "100m"
```
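The SCC rejection above can be caught before admission, and correlated from the event text afterwards. The following is an added example (not bank-vaults project code) with two stdlib-only checks: one walks a pod spec and reports every `capabilities.add` entry an SCC allowlist would refuse, using the same field-path format as the admission error; the other parses a `FailedCreate` event message into structured findings. It assumes the OpenShift `restricted-v2` SCC permits only `NET_BIND_SERVICE` to be added; the pod spec and event text are constructed to mirror the report.

```python
"""Defender-side checks for the restricted-v2 SCC capability rejection
(added example; not bank-vaults project code)."""
import json
import re

# Assumption: restricted-v2 allows only this capability in capabilities.add.
ALLOWED_ADD = {"NET_BIND_SERVICE"}

# Constructed sample: an init container like the one a webhook mutation injects.
SAMPLE_POD = json.loads("""{"spec": {
  "initContainers": [{"name": "copy-vault-env", "securityContext":
    {"capabilities": {"add": ["CHOWN", "SETFCAP", "SETGID", "SETPCAP", "SETUID"]}}}],
  "containers": [{"name": "hallo", "securityContext":
    {"capabilities": {"drop": ["ALL"]}}}]}}""")

# Constructed sample: an event message in the same shape as the one in the report.
SAMPLE_EVENT = (
    'pods "demo-" is forbidden: unable to validate against any security context '
    'constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, '
    'provider restricted-v2: .initContainers[0].capabilities.add: Invalid value: '
    '"CHOWN": capability may not be added, provider restricted-v2: '
    '.initContainers[0].capabilities.add: Invalid value: "SETUID": capability may not be added.'
)

# Matches "provider <scc>: <field path>: Invalid value: "<value>""; the quoted
# "anyuid" provider entry has no field path and is skipped.
EVENT_RE = re.compile(r'provider (?P<scc>[\w-]+): (?P<path>\.\S+?): Invalid value: "(?P<value>[^"]+)"')


def parse_scc_event(message):
    """Extract (scc, field_path, rejected_value) triples from a FailedCreate event."""
    return [(m["scc"], m["path"], m["value"]) for m in EVENT_RE.finditer(message)]


def capability_add_violations(pod, allowed_add=ALLOWED_ADD):
    """Return (field_path, capability) for every added capability outside the
    allowlist, across initContainers and containers."""
    findings = []
    for kind in ("initContainers", "containers"):
        for i, c in enumerate(pod.get("spec", {}).get(kind, [])):
            caps = (c.get("securityContext") or {}).get("capabilities") or {}
            for cap in caps.get("add", []):
                if cap not in allowed_add:
                    findings.append((f".{kind}[{i}].capabilities.add", cap))
    return findings
```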
@andloh andloh added the kind/bug Categorizes issue or PR as related to a bug. label Feb 8, 2024
@andloh andloh changed the title [ Openshift ] Default security capabilities defaults [ Openshift ] Default security capabilities Feb 8, 2024
@ramizpolic
Member

Thanks for reporting this @andloh, we also noticed a lot of issues coming from the OpenShift. Will address this in the upcoming releases!

@ramizpolic ramizpolic self-assigned this Feb 9, 2024
@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. label Apr 14, 2024
@csatib02 csatib02 removed the lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. label Apr 14, 2024
@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. label Jun 16, 2024
@bank-vaults bank-vaults deleted a comment from github-actions bot Jun 16, 2024
@bank-vaults bank-vaults deleted a comment from github-actions bot Jun 16, 2024
@csatib02 csatib02 added lifecycle/keep Denotes an issue or PR that should be preserved from going stale. and removed lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. labels Jun 16, 2024
@jasaltvik

@ramizpolic Any update on this? Does the https://github.com/bank-vaults/secrets-webhook project have better support for this? If it's possible to use as a drop-in replacement, that is.
