made securitycontext and other settings generic

Author: yairsappir

.circleci/tests/golden/wiz-outpost-lite/remediation.golden.yaml

@@ -79,6 +79,11 @@ spec:
         app.kubernetes.io/instance: release-test
         wiz.io/runner: "remediation-aws-rds-003"
     spec:
+      securityContext:
+        fsGroup: 1000
+        runAsGroup: 1000
+        runAsNonRoot: true
+        runAsUser: 1000
       serviceAccountName: sa-remediation-aws-rds-003
       restartPolicy: Always
       containers:
@@ -169,11 +174,17 @@ spec:
             requests:
               memory: 1024M
           securityContext:
+            allowPrivilegeEscalation: false
             capabilities:
-              add:
-              - SYS_ADMIN
+              drop:
+              - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 1000
+            runAsNonRoot: true
+            runAsUser: 1000
             seLinuxOptions:
-              type: spc_t
+              type: container_t
           volumeMounts:
             - mountPath: /var/wiz
               name: working-dir

wiz-outpost-lite/templates/_helpers.tpl

@@ -86,3 +86,24 @@ container-registry -> outpost-lite-runner-container-registry
 
 {{ $runnerValues | toJson }}
 {{- end }} {{/* define */}}
+
+{{/*
+Get security context for a runner
+*/}}
+{{- define "wiz-outpost-lite.getSecurityContext" -}}
+{{- $runner := .runner }}
+{{- $values := .Values }}
+{{- $baseProfile := "standard" }}
+{{- if hasPrefix "remediation" $runner }}
+  {{- $baseProfile = "secure" }}
+{{- end }}
+{{- $baseSecurityContext := get $values.securityContextProfiles $baseProfile }}
+{{- $runnerSecurityContext := get $values "securityContext" }}
+{{- if $runnerSecurityContext }}
+  {{- $mergedPod := merge $runnerSecurityContext.pod $baseSecurityContext.pod }}
+  {{- $mergedContainer := merge $runnerSecurityContext.container $baseSecurityContext.container }}
+  {{- dict "pod" $mergedPod "container" $mergedContainer | toYaml }}
+{{- else }}
+  {{- $baseSecurityContext | toYaml }}
+{{- end }}
+{{- end }}

wiz-outpost-lite/templates/deployment.yaml

@@ -25,11 +25,10 @@ spec:
         {{- toYaml . | nindent 8 }}
         {{- end }}
     spec:
+      {{- with (fromYaml (include "wiz-outpost-lite.getSecurityContext" .)).pod }}
       securityContext:
-        runAsNonRoot: true
-        runAsUser: 1000
-        runAsGroup: 1000
-        fsGroup: 1000
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       {{- if .Values.serviceAccount.create }}
       serviceAccountName: sa-{{ .runner }}
       {{- end }}
@@ -147,18 +146,10 @@ spec:
           {{- end }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
+          {{- with (fromYaml (include "wiz-outpost-lite.getSecurityContext" .)).container }}
           securityContext:
-            capabilities:
-              drop:
-              - ALL
-            runAsNonRoot: true
-            runAsUser: 1000
-            runAsGroup: 1000
-            allowPrivilegeEscalation: false
-            privileged: false
-            readOnlyRootFilesystem: true
-            seLinuxOptions:
-              type: container_t
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
           volumeMounts:
             - mountPath: /var/wiz
               name: working-dir

wiz-outpost-lite/values.yaml

@@ -74,7 +74,52 @@ terminationGracePeriodSeconds: 30
 serviceAccount:
     create: false
 
+securityContextProfiles:
+  secure:  # Applied automatically to remediation-* runners
+    pod:
+      runAsNonRoot: true
+      runAsUser: 1000
+      runAsGroup: 1000
+      fsGroup: 1000
+    container:
+      capabilities:
+        drop:
+        - ALL
+      runAsNonRoot: true
+      runAsUser: 1000
+      runAsGroup: 1000
+      allowPrivilegeEscalation: false
+      privileged: false
+      readOnlyRootFilesystem: true
+      seLinuxOptions:
+        type: container_t
+  standard:  # Applied automatically to non-remediation runners
+    container:
+      capabilities:
+        add:
+        - SYS_ADMIN
+      seLinuxOptions:
+        type: spc_t
+
+
 runners:
+  # Example of a remediation runner with custom security settings
+  # remediation-aws-123:
+  #   enabled: false
+  #   securityContext:  # Override specific settings
+  #     container:
+  #       capabilities:
+  #         add: ["SYS_ADMIN"]
+  #       seLinuxOptions:
+  #         type: spc_t
+
+  # # Example of a standard runner (uses standard security profile by default)
+  # container-registry:
+  #   enabled: false
+  #   securityContext:  # Optional overrides
+  #     container:
+  #       readOnlyRootFilesystem: true  # Add additional security
+
   container-registry:
     enabled: false
   vcs-scheduled:
@@ -87,3 +132,4 @@ runners:
       name: outpost-lite-runner-vcs
     concurrency: 4
     terminationGracePeriodSeconds: 300 # 5 minutes
+