Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add security field to Dogu-CR and generate SecurityContext #222

Open
wants to merge 25 commits into
base: develop
Choose a base branch
from
Open

Add security field to Dogu-CR and generate SecurityContext #222

wants to merge 25 commits into from

Conversation

jelemux
Copy link
Contributor

@jelemux jelemux commented Dec 13, 2024

Resolves #221

@jelemux
Copy link
Contributor Author

jelemux commented Dec 13, 2024

Still WIP, do not merge

jelemux and others added 16 commits December 13, 2024 17:50
@jelemux
Merge branch 'refs/heads/develop' into feature/221_security_context
a8c7174 
# Conflicts:
#	controllers/resource/podSpecBuilder.go
@jelemux
#221 Fix test after develop merge
971a452
@nroeske
#221 upsert deployment when dogu cr changed security context
9a34e3e
@nroeske
Merge branch 'feature/221_security_context' into feature/221_security…
69fb5fb 
…_context_update_deployment
@nroeske
#221 set resourceDoguFetcher in SecurityContextmanager
0c5cc24
@jelemux
#221 Validate security
fbca234
@nroeske
#221 complete tests work in progress
e16bb5e
@nroeske
Merge branch 'feature/221_security_context' into feature/221_security…
1063464 
…_context_update_deployment
@nroeske
#221 Validate security in doguSecurityContextManager
d32eb1b
@jelemux
#221 Update dependencies
895da43
@nroeske
#223 add eventRecorder
daaeb0c
@jelemux
Merge remote-tracking branch 'refs/remotes/origin/feature/221_securit…
3092c07 
…y_context_update_deployment' into feature/221_security_context
@jelemux
refactor local dogu fetcher to use simple name
4bfac30
@jelemux
#221 fix some tests
0d6ab29
@jelemux
#221 use local dogu fetcher to update deployment
f55accb
@jelemux
#221 fix flawed deep-equal-based comparison
dcb2ab4
nhinze23
nhinze23 reviewed Dec 23, 2024
View reviewed changes
api/v2/dogu_types.go
@@ -42,6 +47,16 @@ const (
DoguLabelVersion = "dogu.version"
)

// AllCapabilities are all possible values for capabilities.
var AllCapabilities = func() []Capability {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This var would fit better in the cesapp-lib

nhinze23
nhinze23 reviewed Dec 23, 2024
View reviewed changes
api/v2/dogu_types_security.go
// AppArmorProfile defines a pod or container's AppArmor settings.
// +union
type AppArmorProfile struct {
// type indicates which kind of AppArmor profile will be applied.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
// type indicates which kind of AppArmor profile will be applied.
// Type indicates which kind of AppArmor profile will be applied.

nhinze23
nhinze23 reviewed Dec 23, 2024
View reviewed changes
api/v2/dogu_types_security.go
// +unionDiscriminator
Type AppArmorProfileType `json:"type"`

// localhostProfile indicates a profile loaded on the node that should be used.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
// localhostProfile indicates a profile loaded on the node that should be used.
// LocalhostProfile indicates a profile loaded on the node that should be used.

nhinze23
nhinze23 reviewed Dec 23, 2024
View reviewed changes
api/v2/dogu_types_test.go
}{
{"valid empty", args{&Dogu{}}, assert.NoError},
{"valid add filled", args{&Dogu{Spec: DoguSpec{Security: Security{Capabilities: Capabilities{Add: []Capability{core.AuditControl}}}}}}, assert.NoError},
{"valid add filled", args{&Dogu{Spec: DoguSpec{Security: Security{Capabilities: Capabilities{Drop: []Capability{core.AuditControl}}}}}}, assert.NoError},
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
{"valid add filled", args{&Dogu{Spec: DoguSpec{Security: Security{Capabilities: Capabilities{Drop: []Capability{core.AuditControl}}}}}}, assert.NoError},
{"valid drop filled", args{&Dogu{Spec: DoguSpec{Security: Security{Capabilities: Capabilities{Drop: []Capability{core.AuditControl}}}}}}, assert.NoError},

nhinze23
nhinze23 reviewed Dec 23, 2024
View reviewed changes
controllers/resource/securityContext.go
seccompProfile := seccompProfile(doguResource.Spec.Security.SeccompProfile)

readOnlyRootFS := isReadOnlyRootFS(dogu, doguResource)
// We never want those to be true and don't respect the dogu descriptor's privileged flag which is deprecated anyway.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice 👍 This flag was only used by the registrator dogu which is no longer needed.

nhinze23
nhinze23 reviewed Dec 23, 2024
View reviewed changes
controllers/resource/resource_generator.go
SecurityContext: &corev1.SecurityContext{
Capabilities: &corev1.Capabilities{
Drop: []corev1.Capability{"ALL"},
Add: []corev1.Capability{"CHOWN"},
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The init container also needs DAC_OVERRIDE.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nhinze23 nhinze23 nhinze23 left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add (Pod)SecurityContext to Dogus-Deployments
3 participants
@jelemux @nhinze23 @nroeske