feat(chart): Improved default security context #7279
Conversation
✅ Deploy Preview for karpenter-docs-prod canceled.
|
stevehipwell
force-pushed
the
chart-security-context
branch
from
e211a98 to
0e90ebf
Compare
stevehipwell
force-pushed
the
chart-security-context
branch
from
0e90ebf to
dacfc30
Compare
|
@tzneal could you take a look at this please? |
|
This PR has been inactive for 14 days. StaleBot will close this stale PR after 14 more days of inactivity. |
stevehipwell
force-pushed
the
chart-security-context
branch
from
dacfc30 to
5cc1c72
Compare
|
@jonathan-innis @tzneal could someone please take a look at this? |
stevehipwell
force-pushed
the
chart-security-context
branch
from
5cc1c72 to
be44880
Compare
|
@jonathan-innis @tzneal could someone please take a look at this? |
|
I'll take a look at this. |
|
This PR has been inactive for 14 days. StaleBot will close this stale PR after 14 more days of inactivity. |
stevehipwell
force-pushed
the
chart-security-context
branch
from
be44880 to
144aa53
Compare
|
/not-stale |
stevehipwell
force-pushed
the
chart-security-context
branch
from
144aa53 to
e351477
Compare
|
@saurav-agarwalla did you manage to take a look at this? |
|
@stevehipwell apologies for the delay, I started reviewing this but then got side-tracked with the holidays and other things. Planning to get back to it this week. |
charts/karpenter/README.md
Outdated
| @@ -72,7 +75,7 @@ cosign verify public.ecr.aws/karpenter/karpenter:1.1.1 \ | |||
| | podDisruptionBudget.maxUnavailable | int | `1` | | | |||
| | podDisruptionBudget.name | string | `"karpenter"` | | | |||
| | podLabels | object | `{}` | Additional labels for the pod. | | |||
| | podSecurityContext | object | `{"fsGroup":65532}` | SecurityContext for the pod. | | |||
| | podSecurityContext | object | `{"fsGroup":65532,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | SecurityContext for the pod. | | |||
There was a problem hiding this comment.
Why do we need to change the defaults?
There was a problem hiding this comment.
Some systems need this making explicit for policy purposes.
There was a problem hiding this comment.
Same comment as the other one below. As per the documentation, we're changing the desired behavior by setting these values so I am not sure if we should be setting this for everyone:
Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.32/#securitycontext-v1-core
There was a problem hiding this comment.
Karpenter runs as non-root so this can be set with no implications. It is 100% a best practice to set this.
There was a problem hiding this comment.
@stevehipwell My question was more around if/why this needs to be a breaking change (although I don't disagree that this is a best practice).
There was a problem hiding this comment.
It's not a breaking change, Karpenter already runs as non-root!
charts/karpenter/README.md
Outdated
| @@ -90,7 +93,6 @@ cosign verify public.ecr.aws/karpenter/karpenter:1.1.1 \ | |||
| | settings.clusterCABundle | string | `""` | Cluster CA bundle for TLS configuration of provisioned nodes. If not set, this is taken from the controller's TLS configuration for the API server. | | |||
| | settings.clusterEndpoint | string | `""` | Cluster endpoint. If not set, will be discovered during startup (EKS only) | | |||
| | settings.clusterName | string | `""` | Cluster name. | | |||
| | settings.eksControlPlane | bool | `false` | Marking this true means that your cluster is running with an EKS control plane and Karpenter should attempt to discover cluster details from the DescribeCluster API | | |||
There was a problem hiding this comment.
Any reason this is being removed?
There was a problem hiding this comment.
I'm not sure, I guess it might be a merge artifact.
There was a problem hiding this comment.
Can you add it back? I am seeing this in the latest main so I don't think we want to remove it: https://github.com/aws/karpenter-provider-aws/blob/main/charts/karpenter/README.md?plain=1#L93.
There was a problem hiding this comment.
I'll add this back.
There was a problem hiding this comment.
So it turns out I didn't remove anything; whoever added this didn't configure the helm-docs comment correctly and then manually updated the README to work around it. When I ran helm-docs for this PR it was removed.
| @@ -62,16 +62,29 @@ spec: | |||
| containers: | |||
| - name: {{ .Values.controller.containerName | default "controller" }} | |||
| securityContext: | |||
| privileged: false | |||
There was a problem hiding this comment.
Is this something you wanted to add? If so, should we parameterize it for backwards compatibility like the others?
There was a problem hiding this comment.
There is no need to make this optional as Karpenter doesn't need it. Some systems want it explicitly set for policy purposes.
There was a problem hiding this comment.
From the docs:
privilegedboolean
Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults to false. Note that this field cannot be set when spec.os.name is windows.
So I don't think we can set it without parameterizing it.
There was a problem hiding this comment.
The default is un privileged, we're just making it explicit as some org policies require it to be so. Karpenter will never need this so there is no valid reason to set it otherwise. Helm charts should only offer customisation where required, first party Helm charts even more so.
There was a problem hiding this comment.
The default is un privileged, we're just making it explicit as some org policies require it to be so.
But setting it will break windows like I linked above. So why not offer it as a parameter for anyone who wants to set it?
There was a problem hiding this comment.
@saurav-agarwalla Karpenter is linux only!
Pull Request Test Coverage Report for Build 12771160071Warning: This coverage report may be inaccurate.This pull request's base commit is no longer the HEAD commit of its target branch. This means it includes changes from outside the original pull request, including, potentially, unrelated coverage changes.
Details
💛 - Coveralls |
stevehipwell
force-pushed
the
chart-security-context
branch
4 times, most recently
from
a81a0d6 to
35471b8
Compare
|
@saurav-agarwalla I think there is some confusion over what a first party Helm chart should be. A first party Helm chart should be opinionated and follow both industry and project best practices. As it owns the constraints it doesn't need to open everything up for customization. Karpenter's constraints are that it runs on Linux, as a non-root user, and doesn't need any additional OS permissions; therefore there is no valid reason to allow an end-user to lower this security posture. |
charts/karpenter/values.yaml
Outdated
| @@ -51,7 +51,10 @@ podDisruptionBudget: | |||
| maxUnavailable: 1 | |||
| # -- SecurityContext for the pod. | |||
| podSecurityContext: | |||
| runAsNonRoot: true | |||
There was a problem hiding this comment.
Can we do this? I think we explicitly avoided doing this since it would change the security context of sidecar containers that may not support the more locked-down configuration
There was a problem hiding this comment.
This sets the default which can then be overridden by the consumer. Karpenter would be a high value target and this makes it really clear when adding a sidecar that running as root impacts the whole pod and not just the container.
There was a problem hiding this comment.
We did this and then pulled it back because multiple people ran into issues with it -- I'm fine having a more open discussion on this in something like a working group but I'm against breaking users in this way after the number of issues that were opened when we first tried to make this change (see #4681)
There was a problem hiding this comment.
I'm pretty weary of this, too since this is a breaking change to the chart post-v1 and I believe that folks will miss this during the upgrade process
There was a problem hiding this comment.
@jonathan-innis let's take this to a separate discussion, I'll change this to false for the PR.
That said I am very interested why it was reversed in the first place? It significantly increases the attack surface for all users, but off the top of my head I can't think of many valid uses for root sidecars? Furthermore anyone using sidecars as root should have the K8s contextual knowledge to be proactively checking the pod security spec of the targets.
|
Hey @stevehipwell -- sorry that we've been slow on this -- I just took a look, most of the changes look reasonable -- just a few questions about potential breaking changes and why you need certain levels of customization |
stevehipwell
force-pushed
the
chart-security-context
branch
from
35471b8 to
934ae1b
Compare
|
@jonathan-innis I've replied to your comments and rebased. |
stevehipwell
force-pushed
the
chart-security-context
branch
2 times, most recently
from
b66b744 to
86b5dd8
Compare
|
@jonathan-innis I've reverted the pod non-root default. |
Signed-off-by: Steve Hipwell <[email protected]>
stevehipwell
force-pushed
the
chart-security-context
branch
from
86b5dd8 to
6d4e9fa
Compare
|
@jonathan-innis I've rebased this PR again and it'd be great to get it merged. |
Fixes #N/A
Description
This PR improves the default security context posture and adds support for setting container values which should be user defined.
How was this change tested?
The Helm chart was templated with the new values.
Does this change impact docs?
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.