Make deployments compliant with PSS policies (#234)

* make deployments compliant with PSS policies

Signed-off-by: Matias Charriere <[email protected]>

* remove NET_BIND cap

Signed-off-by: Matias Charriere <[email protected]>

* annotate psp

Signed-off-by: Matias Charriere <[email protected]>

* update changelog

Signed-off-by: Matias Charriere <[email protected]>

* install PSP based on values for cluster upgrades

Signed-off-by: Matias Charriere <[email protected]>

---------

Signed-off-by: Matias Charriere <[email protected]>

CHANGELOG.md

@@ -7,6 +7,14 @@ and this project's packages adheres to [Semantic Versioning](http://semver.org/s
 
 ## [Unreleased]
 
+### Changed
+
+- Make App compliant with PSS policies ([#234](https://github.com/giantswarm/coredns-app/pull/234)):
+  - Set seccompProfile to `RuntimeDefault`.
+  - Fix capabilities typo.
+  - Remove `NET_BIND_SERVICE` capabilities.
+  - Set `runAsNonRoot` as true.
+
 ## [1.18.1] - 2023-08-30
 
 ### Fixed

helm/coredns-app/templates/deployment-masters.yaml

@@ -32,6 +32,9 @@ spec:
       securityContext:
         runAsUser: {{ .Values.userID }}
         runAsGroup: {{ .Values.groupID }}
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
       tolerations:
       - effect: NoSchedule
         operator: "Exists"
@@ -70,10 +73,8 @@ spec:
         securityContext:
           allowPrivilegeEscalation: false
           capabilities:
-            add:
-            - NET_BIND_SERVICE
             drop:
-            - all
+            - ALL
           readOnlyRootFilesystem: true
         volumeMounts:
         - name: config-volume

helm/coredns-app/templates/deployment-workers.yaml

@@ -31,6 +31,9 @@ spec:
       securityContext:
         runAsUser: {{ .Values.userID }}
         runAsGroup: {{ .Values.groupID }}
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
       tolerations:
       - operator: "Exists"
         key: "node.cloudprovider.kubernetes.io/uninitialized"
@@ -54,10 +57,8 @@ spec:
         securityContext:
           allowPrivilegeEscalation: false
           capabilities:
-            add:
-            - NET_BIND_SERVICE
             drop:
-            - all
+            - ALL
           readOnlyRootFilesystem: true
         volumeMounts:
         - name: config-volume

helm/coredns-app/templates/psp.yaml

@@ -1,9 +1,11 @@
-{{- if le (int .Capabilities.KubeVersion.Minor) 24 }}
+{{- if and (le (int .Capabilities.KubeVersion.Minor) 24) (not .Values.global.podSecurityStandards.enforced) }}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
   name: {{ .Values.name }}
   namespace: {{ .Values.namespace }}
+  annotations:
+    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
   labels:
     {{- include "labels.common" . | nindent 4 }}
 spec:

helm/coredns-app/values.schema.json

@@ -53,6 +53,19 @@
                 }
             }
         },
+        "global": {
+            "type": "object",
+            "properties": {
+                "podSecurityStandards": {
+                    "type": "object",
+                    "properties": {
+                        "enforced": {
+                            "type": "boolean"
+                        }
+                    }
+                }
+            }
+        },
         "groupID": {
             "type": "integer"
         },

helm/coredns-app/values.yaml

@@ -82,6 +82,11 @@ mastersInstance:
   nodeSelector:
     "node-role.kubernetes.io/control-plane": '""'
 
+
+global:
+  podSecurityStandards:
+    enforced: false
+
 # Uncomment and define `additionalLocalZones` to add additional local zones to CoreDNS config
 # additionalLocalZones: []