
Commit 6d4e9fa

feat(chart): Improved default security context
Signed-off-by: Steve Hipwell <[email protected]>
1 parent 05d086b commit 6d4e9fa

4 files changed

+57
-25
lines changed


charts/karpenter-crd/README.md

Lines changed: 7 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
# karpenter-crd
22

3-
![Version: 0.36.0](https://img.shields.io/badge/Version-0.36.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.36.0](https://img.shields.io/badge/AppVersion-0.36.0-informational?style=flat-square)
3+
![Version: 1.3.0](https://img.shields.io/badge/Version-1.3.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.3.0](https://img.shields.io/badge/AppVersion-1.3.0-informational?style=flat-square)
44

55
A Helm chart for Karpenter Custom Resource Definitions (CRDs).
66

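Review bot: the badge bump from 0.36.0 to 1.3.0 in this hunk is a helm-docs regeneration unrelated to the security context change the commit message describes; either mention the chart version bump in the commit message or split it into its own commit so it can be reviewed on its own. Chart.yaml, where the version actually lives, is not in this diff, so confirm the README was regenerated from the committed chart metadata rather than edited by hand.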
@@ -10,6 +10,12 @@ A Helm chart for Karpenter Custom Resource Definitions (CRDs).
1010

1111
* <https://github.com/aws/karpenter/>
1212

13+
## Values
14+
15+
| Key | Type | Default | Description |
16+
|-----|------|---------|-------------|
17+
| additionalAnnotations | object | `{}` | Additional annotations for the custom resource definitions. |
18+
1319
----------------------------------------------
1420

1521
Autogenerated from chart metadata using [helm-docs](https://github.com/norwoodj/helm-docs/).
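Review bot: the new Values table documents `additionalAnnotations`, but the karpenter-crd `values.yaml` that helm-docs reads it from is not part of this diff; confirm the key and its `# --` comment exist there, otherwise the next helm-docs run will drop this section again.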

charts/karpenter/README.md

Lines changed: 12 additions & 8 deletions
@@ -47,13 +47,16 @@ cosign verify public.ecr.aws/karpenter/karpenter:1.3.0 \
4747
| controller.containerName | string | `"controller"` | Distinguishing container name (containerName: karpenter-controller). |
4848
| controller.env | list | `[]` | Additional environment variables for the controller pod. |
4949
| controller.envFrom | list | `[]` | |
50-
| controller.extraVolumeMounts | list | `[]` | Additional volumeMounts for the controller pod. |
50+
| controller.extraVolumeMounts | list | `[]` | Additional volumeMounts for the controller container. |
5151
| controller.healthProbe.port | int | `8081` | The container port to use for http health probe. |
5252
| controller.image.digest | string | `"sha256:23876d27c39f4b99ad41ee245319fc2a2fa499183131e9cfccb550658d003045"` | SHA256 digest of the controller image. |
5353
| controller.image.repository | string | `"public.ecr.aws/karpenter/controller"` | Repository path to the controller image. |
5454
| controller.image.tag | string | `"1.3.0"` | Tag of the controller image. |
5555
| controller.metrics.port | int | `8080` | The container port to use for metrics. |
56-
| controller.resources | object | `{}` | Resources for the controller pod. |
56+
| controller.resources | object | `{}` | Resources for the controller container. |
57+
| controller.securityContext.appArmorProfile | object | `{}` | AppArmor profile for the controller container. |
58+
| controller.securityContext.seLinuxOptions | object | `{}` | SELinux options for the controller container. |
59+
| controller.securityContext.seccompProfile | object | `{}` | Seccomp profile for the controller container. |
5760
| controller.sidecarContainer | list | `[]` | Additional sidecarContainer config |
5861
| controller.sidecarVolumeMounts | list | `[]` | Additional volumeMounts for the sidecar - this will be added to the volume mounts on top of extraVolumeMounts |
5962
| dnsConfig | object | `{}` | Configure DNS Config for the pod |
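Review bot: the three new `controller.securityContext.*` rows are the only configurable parts of the container security context, while `privileged`, `allowPrivilegeEscalation`, `readOnlyRootFilesystem`, `runAsNonRoot`, `runAsUser`/`runAsGroup` and `capabilities.drop: [ALL]` are fixed by the template; the descriptions should say so. The `seccompProfile` row should also state that an empty value means the container inherits the pod-level `podSecurityContext.seccompProfile`, not that it runs without a profile; as written, `{}` reads as if it disables seccomp.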
@@ -72,7 +75,7 @@ cosign verify public.ecr.aws/karpenter/karpenter:1.3.0 \
7275
| podDisruptionBudget.maxUnavailable | int | `1` | |
7376
| podDisruptionBudget.name | string | `"karpenter"` | |
7477
| podLabels | object | `{}` | Additional labels for the pod. |
75-
| podSecurityContext | object | `{"fsGroup":65532}` | SecurityContext for the pod. |
78+
| podSecurityContext | object | `{"fsGroup":65532,"runAsNonRoot":false,"seccompProfile":{"type":"RuntimeDefault"}}` | SecurityContext for the pod. |
7679
| priorityClassName | string | `"system-cluster-critical"` | PriorityClass name for the pod. |
7780
| replicas | int | `2` | Number of replicas. |
7881
| revisionHistoryLimit | int | `10` | The number of old ReplicaSets to retain to allow rollback. |
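Review bot: the new default `"runAsNonRoot":false` in `podSecurityContext` is the one weakening in an otherwise hardening change. The controller container sets `runAsNonRoot: true` itself, but any `controller.sidecarContainer` entries inherit the pod-level `false` unless they set their own, and the restricted Pod Security Standard accepts only `true` or unset for `spec.securityContext.runAsNonRoot`, so an explicit `false` will be flagged by policy engines that enforce it. Suggest `true` at the pod level, or leave the field unset and document why it was added.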
@@ -88,15 +91,16 @@ cosign verify public.ecr.aws/karpenter/karpenter:1.3.0 \
8891
| settings.batchIdleDuration | string | `"1s"` | The maximum amount of time with no new ending pods that if exceeded ends the current batching window. If pods arrive faster than this time, the batching window will be extended up to the maxDuration. If they arrive slower, the pods will be batched separately. |
8992
| settings.batchMaxDuration | string | `"10s"` | The maximum length of a batch window. The longer this is, the more pods we can consider for provisioning at one time which usually results in fewer but larger nodes. |
9093
| settings.clusterCABundle | string | `""` | Cluster CA bundle for TLS configuration of provisioned nodes. If not set, this is taken from the controller's TLS configuration for the API server. |
91-
| settings.clusterEndpoint | string | `""` | Cluster endpoint. If not set, will be discovered during startup (EKS only) |
94+
| settings.clusterEndpoint | string | `""` | Cluster endpoint. If not set, will be discovered during startup (EKS only). |
9295
| settings.clusterName | string | `""` | Cluster name. |
93-
| settings.featureGates | object | `{"nodeRepair":false,"reservedCapacity":false,"spotToSpotConsolidation":false}` | Feature Gate configuration values. Feature Gates will follow the same graduation process and requirements as feature gates in Kubernetes. More information here https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/#feature-gates-for-alpha-or-beta-features |
96+
| settings.eksControlPlane | bool | `false` | Marking this true means that your cluster is running with an EKS control plane and Karpenter should attempt to discover cluster details from the DescribeCluster API. |
97+
| settings.featureGates | object | `{"nodeRepair":false,"reservedCapacity":false,"spotToSpotConsolidation":false}` | Feature Gate configuration values. Feature Gates will follow the same graduation process and requirements as feature gates in Kubernetes. More information here https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/#feature-gates-for-alpha-or-beta-features. |
9498
| settings.featureGates.nodeRepair | bool | `false` | nodeRepair is ALPHA and is disabled by default. Setting this to true will enable node repair. |
9599
| settings.featureGates.reservedCapacity | bool | `false` | reservedCapacity is ALPHA and is disabled by default. Setting this will enable native on-demand capacity reservation support. |
96100
| settings.featureGates.spotToSpotConsolidation | bool | `false` | spotToSpotConsolidation is ALPHA and is disabled by default. Setting this to true will enable spot replacement consolidation for both single and multi-node consolidation. |
97-
| settings.interruptionQueue | string | `""` | Interruption queue is the name of the SQS queue used for processing interruption events from EC2 Interruption handling is disabled if not specified. Enabling interruption handling may require additional permissions on the controller service account. Additional permissions are outlined in the docs. |
98-
| settings.isolatedVPC | bool | `false` | If true then assume we can't reach AWS services which don't have a VPC endpoint This also has the effect of disabling look-ups to the AWS pricing endpoint |
99-
| settings.reservedENIs | string | `"0"` | Reserved ENIs are not included in the calculations for max-pods or kube-reserved This is most often used in the VPC CNI custom networking setup https://docs.aws.amazon.com/eks/latest/userguide/cni-custom-network.html |
101+
| settings.interruptionQueue | string | `""` | Interruption queue is the name of the SQS queue used for processing interruption events from EC2. Interruption handling is disabled if not specified. Enabling interruption handling may require additional permissions on the controller service account. Additional permissions are outlined in the docs. |
102+
| settings.isolatedVPC | bool | `false` | If true then assume we can't reach AWS services which don't have a VPC endpoint. This also has the effect of disabling look-ups to the AWS pricing endpoint. |
103+
| settings.reservedENIs | string | `"0"` | Reserved ENIs are not included in the calculations for max-pods or kube-reserved. This is most often used in the VPC CNI custom networking setup https://docs.aws.amazon.com/eks/latest/userguide/cni-custom-network.html. |
100104
| settings.vmMemoryOverheadPercent | float | `0.075` | The VM memory overhead as a percent that will be subtracted from the total memory for all instance types. The value of `0.075` equals to 7.5%. |
101105
| strategy | object | `{"rollingUpdate":{"maxUnavailable":1}}` | Strategy for updating the pod. |
102106
| terminationGracePeriodSeconds | string | `nil` | Override the default termination grace period for the pod. |

charts/karpenter/templates/deployment.yaml

Lines changed: 18 additions & 5 deletions
@@ -63,16 +63,29 @@ spec:
6363
containers:
6464
- name: {{ include "karpenter.controller.containerName" . }}
6565
securityContext:
66+
privileged: false
67+
allowPrivilegeEscalation: false
68+
readOnlyRootFilesystem: true
69+
runAsNonRoot: true
6670
runAsUser: 65532
6771
runAsGroup: 65532
68-
runAsNonRoot: true
69-
seccompProfile:
70-
type: RuntimeDefault
71-
allowPrivilegeEscalation: false
7272
capabilities:
7373
drop:
7474
- ALL
75-
readOnlyRootFilesystem: true
75+
{{- with .Values.controller.securityContext }}
76+
{{- with .appArmorProfile }}
77+
appArmorProfile:
78+
{{- toYaml . | nindent 14}}
79+
{{- end }}
80+
{{- with .seLinuxOptions }}
81+
seLinuxOptions:
82+
{{- toYaml . | nindent 14}}
83+
{{- end }}
84+
{{- with .seccompProfile }}
85+
seccompProfile:
86+
{{- toYaml . | nindent 14}}
87+
{{- end }}
88+
{{- end }}
7689
image: {{ include "karpenter.controller.image" . }}
7790
imagePullPolicy: {{ .Values.imagePullPolicy }}
7891
env:
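Review bot: the fixed `seccompProfile: type: RuntimeDefault` is removed from the container and only re-added when `.Values.controller.securityContext.seccompProfile` is set, so the container now relies on the pod-level `podSecurityContext.seccompProfile` for its default; that value is user-editable, so a values override that nulls or replaces `podSecurityContext` silently leaves the controller container without a seccomp profile. One option is to keep a container-level fallback when the user supplies none, e.g. `{{- with .seccompProfile | default (dict "type" "RuntimeDefault") }}`. Also verify with `helm template` that `nindent 14` under each key renders at the right depth (the extracted diff loses indentation), and note that the three nested `with` blocks rebind `.`, so a mistyped field name would render nothing rather than fail.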

charts/karpenter/values.yaml

Lines changed: 20 additions & 11 deletions
@@ -51,7 +51,10 @@ podDisruptionBudget:
5151
maxUnavailable: 1
5252
# -- SecurityContext for the pod.
5353
podSecurityContext:
54+
runAsNonRoot: false
5455
fsGroup: 65532
56+
seccompProfile:
57+
type: RuntimeDefault
5558
# -- PriorityClass name for the pod.
5659
priorityClassName: system-cluster-critical
5760
# -- Override the default termination grace period for the pod.
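Review bot: the `runAsNonRoot: false` line carries no comment, so helm-docs renders it in the README default with no rationale; add a short comment explaining why the pod-level value is `false` while the controller container sets `true` (for example, if sidecars are expected to need root). Moving `seccompProfile: RuntimeDefault` to the pod level is a good change: it now also covers `controller.sidecarContainer` entries that set no profile of their own.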
@@ -116,7 +119,14 @@ controller:
116119
# - name: AWS_REGION
117120
# value: eu-west-1
118121
envFrom: []
119-
# -- Resources for the controller pod.
122+
securityContext:
123+
# -- AppArmor profile for the controller container.
124+
appArmorProfile: {}
125+
# -- SELinux options for the controller container.
126+
seLinuxOptions: {}
127+
# -- Seccomp profile for the controller container.
128+
seccompProfile: {}
129+
# -- Resources for the controller container.
120130
resources: {}
121131
# We usually recommend not to specify default resources and to leave this as a conscious
122132
# choice for the user. This also increases chances charts run on environments with little
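Review bot: the `appArmorProfile` field under `securityContext` is only understood by Kubernetes 1.30 and newer; on older API servers the key is dropped or rejected depending on field validation. Since the template renders the block only when the value is non-empty this is opt-in, but the `# --` comment should say so. The `seccompProfile: {}` comment should likewise note that empty means the container inherits the pod-level profile, so users do not set `{}` believing it turns seccomp off.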
@@ -128,8 +138,7 @@ controller:
128138
# limits:
129139
# cpu: 1
130140
# memory: 1Gi
131-
132-
# -- Additional volumeMounts for the controller pod.
141+
# -- Additional volumeMounts for the controller container.
133142
extraVolumeMounts: []
134143
# - name: aws-iam-token
135144
# mountPath: /var/run/secrets/eks.amazonaws.com/serviceaccount
@@ -165,24 +174,24 @@ settings:
165174
clusterCABundle: ""
166175
# -- Cluster name.
167176
clusterName: ""
168-
# -- Cluster endpoint. If not set, will be discovered during startup (EKS only)
177+
# -- Cluster endpoint. If not set, will be discovered during startup (EKS only).
169178
clusterEndpoint: ""
170-
# -- If true then assume we can't reach AWS services which don't have a VPC endpoint
171-
# This also has the effect of disabling look-ups to the AWS pricing endpoint
179+
# -- If true then assume we can't reach AWS services which don't have a VPC endpoint.
180+
# This also has the effect of disabling look-ups to the AWS pricing endpoint.
172181
isolatedVPC: false
173-
# Marking this true means that your cluster is running with an EKS control plane and Karpenter should attempt to discover cluster details from the DescribeCluster API
182+
# -- Marking this true means that your cluster is running with an EKS control plane and Karpenter should attempt to discover cluster details from the DescribeCluster API.
174183
eksControlPlane: false
175184
# -- The VM memory overhead as a percent that will be subtracted from the total memory for all instance types. The value of `0.075` equals to 7.5%.
176185
vmMemoryOverheadPercent: 0.075
177-
# -- Interruption queue is the name of the SQS queue used for processing interruption events from EC2
186+
# -- Interruption queue is the name of the SQS queue used for processing interruption events from EC2.
178187
# Interruption handling is disabled if not specified. Enabling interruption handling may
179188
# require additional permissions on the controller service account. Additional permissions are outlined in the docs.
180189
interruptionQueue: ""
181-
# -- Reserved ENIs are not included in the calculations for max-pods or kube-reserved
182-
# This is most often used in the VPC CNI custom networking setup https://docs.aws.amazon.com/eks/latest/userguide/cni-custom-network.html
190+
# -- Reserved ENIs are not included in the calculations for max-pods or kube-reserved.
191+
# This is most often used in the VPC CNI custom networking setup https://docs.aws.amazon.com/eks/latest/userguide/cni-custom-network.html.
183192
reservedENIs: "0"
184193
# -- Feature Gate configuration values. Feature Gates will follow the same graduation process and requirements as feature gates
185-
# in Kubernetes. More information here https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/#feature-gates-for-alpha-or-beta-features
194+
# in Kubernetes. More information here https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/#feature-gates-for-alpha-or-beta-features.
186195
featureGates:
187196
# -- nodeRepair is ALPHA and is disabled by default.
188197
# Setting this to true will enable node repair.
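Review bot: adding the `-- ` prefix on the `eksControlPlane` comment fixes the missing README row, but the wording `Marking this true means that your cluster is running ...` reads as a statement about the cluster rather than an instruction; something like `Set to true when the cluster runs an EKS control plane so Karpenter discovers cluster details via the DescribeCluster API.` would match the other entries. The trailing full stops added to the other comments are consistent with the rest of the file.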
