feat(chart): Improved default security context

stevehipwell · stevehipwell · commit be448802dbcc · 2024-12-12T10:43:22.000Z
Signed-off-by: Steve Hipwell &lt;steve.hipwell@gmail.com&gt;
diff --git a/charts/karpenter/README.md b/charts/karpenter/README.md
@@ -45,15 +45,18 @@ cosign verify public.ecr.aws/karpenter/karpenter:1.1.0 \
 | additionalLabels | object | `{}` | Additional labels to add into metadata. |
 | affinity | object | `{"nodeAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":{"nodeSelectorTerms":[{"matchExpressions":[{"key":"karpenter.sh/nodepool","operator":"DoesNotExist"}]}]}},"podAntiAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"topologyKey":"kubernetes.io/hostname"}]}}` | Affinity rules for scheduling the pod. If an explicit label selector is not provided for pod affinity or pod anti-affinity one will be created from the pod selector labels. |
 | controller.containerName | string | `"controller"` | Distinguishing container name (containerName: karpenter-controller). |
-| controller.env | list | `[]` | Additional environment variables for the controller pod. |
+| controller.env | list | `[]` | Additional environment variables for the controller container. |
 | controller.envFrom | list | `[]` |  |
-| controller.extraVolumeMounts | list | `[]` | Additional volumeMounts for the controller pod. |
+| controller.extraVolumeMounts | list | `[]` | Additional volumeMounts for the controller container. |
 | controller.healthProbe.port | int | `8081` | The container port to use for http health probe. |
 | controller.image.digest | string | `"sha256:51bca600197c7c6e6e0838549664b2c12c3f8dd4b23744ab28202ae97ca5aed1"` | SHA256 digest of the controller image. |
 | controller.image.repository | string | `"public.ecr.aws/karpenter/controller"` | Repository path to the controller image. |
 | controller.image.tag | string | `"1.1.0"` | Tag of the controller image. |
 | controller.metrics.port | int | `8080` | The container port to use for metrics. |
-| controller.resources | object | `{}` | Resources for the controller pod. |
+| controller.resources | object | `{}` | Resources for the controller container. |
+| controller.securityContext.appArmorProfile | object | `nil` | The AppArmor options to use by the controller container. |
+| controller.securityContext.seLinuxOptions | object | `nil` | The SELinux context to be applied to the controller container. |
+| controller.securityContext.seccompProfile | object | `{"type":"RuntimeDefault"}` | The seccomp options to use by the controller container. |
 | controller.sidecarContainer | list | `[]` | Additional sidecarContainer config |
 | controller.sidecarVolumeMounts | list | `[]` | Additional volumeMounts for the sidecar - this will be added to the volume mounts on top of extraVolumeMounts |
 | dnsConfig | object | `{}` | Configure DNS Config for the pod |
@@ -72,10 +75,11 @@ cosign verify public.ecr.aws/karpenter/karpenter:1.1.0 \
 | podDisruptionBudget.maxUnavailable | int | `1` |  |
 | podDisruptionBudget.name | string | `"karpenter"` |  |
 | podLabels | object | `{}` | Additional labels for the pod. |
-| podSecurityContext | object | `{"fsGroup":65532}` | SecurityContext for the pod. |
+| podSecurityContext | object | `{"fsGroup":65532,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | SecurityContext for the pod. |
 | priorityClassName | string | `"system-cluster-critical"` | PriorityClass name for the pod. |
 | replicas | int | `2` | Number of replicas. |
 | revisionHistoryLimit | int | `10` | The number of old ReplicaSets to retain to allow rollback. |
+| schedulerName | string | `"default-scheduler"` | Specify which Kubernetes scheduler should dispatch the pod. |
 | service.annotations | object | `{}` | Additional annotations for the Service. |
 | serviceAccount.annotations | object | `{}` | Additional annotations for the ServiceAccount. |
 | serviceAccount.create | bool | `true` | Specifies if a ServiceAccount should be created. |
@@ -89,7 +93,6 @@ cosign verify public.ecr.aws/karpenter/karpenter:1.1.0 \
 | settings.clusterCABundle | string | `""` | Cluster CA bundle for TLS configuration of provisioned nodes. If not set, this is taken from the controller's TLS configuration for the API server. |
 | settings.clusterEndpoint | string | `""` | Cluster endpoint. If not set, will be discovered during startup (EKS only) |
 | settings.clusterName | string | `""` | Cluster name. |
-| settings.eksControlPlane | bool | `false` | Marking this true means that your cluster is running with an EKS control plane and Karpenter should attempt to discover cluster details from the DescribeCluster API |
 | settings.featureGates | object | `{"nodeRepair":false,"spotToSpotConsolidation":false}` | Feature Gate configuration values. Feature Gates will follow the same graduation process and requirements as feature gates in Kubernetes. More information here https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/#feature-gates-for-alpha-or-beta-features |
 | settings.featureGates.nodeRepair | bool | `false` | nodeRepair is ALPHA and is disabled by default. Setting this to true will enable node repair. |
 | settings.featureGates.spotToSpotConsolidation | bool | `false` | spotToSpotConsolidation is ALPHA and is disabled by default. Setting this to true will enable spot replacement consolidation for both single and multi-node consolidation. |
diff --git a/charts/karpenter/templates/deployment.yaml b/charts/karpenter/templates/deployment.yaml
@@ -62,16 +62,29 @@ spec:
       containers:
         - name: {{ .Values.controller.containerName | default "controller" }}
           securityContext:
+            privileged: false
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
             runAsUser: 65532
             runAsGroup: 65532
-            runAsNonRoot: true
-            seccompProfile:
-              type: RuntimeDefault
-            allowPrivilegeEscalation: false
             capabilities:
               drop:
                 - ALL
-            readOnlyRootFilesystem: true
+          {{- with .Values.controller.securityContext }}
+          {{- with .appArmorProfile }}
+            appArmorProfile:
+              {{- toYaml . | nindent 14}}
+          {{- end }}
+          {{- with .seLinuxOptions }}
+            seLinuxOptions:
+              {{- toYaml . | nindent 14}}
+          {{- end }}
+          {{- with .seccompProfile }}
+            seccompProfile:
+              {{- toYaml . | nindent 14}}
+          {{- end }}
+          {{- end }}
           image: {{ include "karpenter.controller.image" . }}
           imagePullPolicy: {{ .Values.imagePullPolicy }}
           env:
diff --git a/charts/karpenter/values.yaml b/charts/karpenter/values.yaml
@@ -51,7 +51,10 @@ podDisruptionBudget:
   maxUnavailable: 1
 # -- SecurityContext for the pod.
 podSecurityContext:
+  runAsNonRoot: true
   fsGroup: 65532
+  seccompProfile:
+    type: RuntimeDefault
 # -- PriorityClass name for the pod.
 priorityClassName: system-cluster-critical
 # -- Override the default termination grace period for the pod.
@@ -111,12 +114,20 @@ controller:
     tag: 1.1.0
     # -- SHA256 digest of the controller image.
     digest: sha256:51bca600197c7c6e6e0838549664b2c12c3f8dd4b23744ab28202ae97ca5aed1
-  # -- Additional environment variables for the controller pod.
+  securityContext:
+    # -- (object) The AppArmor options to use by the controller container.
+    appArmorProfile:
+    # -- (object) The SELinux context to be applied to the controller container.
+    seLinuxOptions:
+    # -- The seccomp options to use by the controller container.
+    seccompProfile:
+      type: RuntimeDefault
+  # -- Additional environment variables for the controller container.
   env: []
   # - name: AWS_REGION
   #   value: eu-west-1
   envFrom: []
-  # -- Resources for the controller pod.
+  # -- Resources for the controller container.
   resources: {}
   # We usually recommend not to specify default resources and to leave this as a conscious
   # choice for the user. This also increases chances charts run on environments with little
@@ -128,8 +139,7 @@ controller:
   #  limits:
   #    cpu: 1
   #    memory: 1Gi
-
-  # -- Additional volumeMounts for the controller pod.
+  # -- Additional volumeMounts for the controller container.
   extraVolumeMounts: []
   # - name: aws-iam-token
   #   mountPath: /var/run/secrets/eks.amazonaws.com/serviceaccount
