Security best practices

[jbiers]

Customers consistently request that our container images and charts are abiding by Kubernetes Best Practices. An example being SURE-7910.

Restrict container from acquiring additional privileges (securityContext.allowPrivilegeEscalation)
Mount container's root filesystem as read only (securityContext.readOnlyRootFilesystem)
Container is running as root (either via USER on Dockerfile or securityContext.runAsUser)
For Mapps, the main ask here is ensure that we have options in our charts to enable the required posture. And if possible, that they are enabled by default.

If one of the recommendations above cannot be met, please specify the reason so that we can document and pass that on to customers in future requests.

Reference: SURE-8271

[prachidamle]

@jbiers - reassigning this to Diogo, please can you give him a quick overview on this one.

[jbiers]

@diogoasouza @prachidamle context shared over Slack :)

[diogoasouza]

I have obtained approvals from @mallardduck, so I'm now adding @rancher/rancher-security as reviewers. For context, it doesn't seem that any of the recommendations couldn't be met

[pankajsqe]

Securities best practices for prometheus-federator chart are working if user passes values containerSecurityContext and SecurityContext in values.yaml.
Sharing my observation.

Detail
Rancher : v2.12-head
prometheus-federator:107.1.0+up4.1.0
cluster : RKE2

helm get values prometheus-federator -n cattle-monitoring-system
helmProjectOperator:
  cleanup:
    containerSecurityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - all
      privileged: false
    securityContext:
      readOnlyRootFilesystem: true
      runAsGroup: 1000
      runAsNonRoot: true
      runAsUser: 1000
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
      - all
    privileged: false
  securityContext:
    readOnlyRootFilesystem: true
    runAsGroup: 1000
    runAsNonRoot: true
    runAsUser: 1000