
Commit e495389

Outpostlite remediation security changes (#573)
* Added service accounts for the remediation runners; added some security measures * Made securityContext and other settings generic * Added a helper for identifying remediation runners * Added a test case for the security context * Fixed based on CR * Service account for remediation * Added AppArmor config * Moved security context config to helpers * Added tests
1 parent 9c4ffc8 commit e495389

11 files changed

+1462
-30
lines changed


.circleci/tests/golden/wiz-outpost-lite/multiple-runners-security-context.golden.yaml

Lines changed: 707 additions & 0 deletions
Large diffs are not rendered by default.
Lines changed: 196 additions & 0 deletions
@@ -0,0 +1,196 @@
1+
---
2+
# Source: wiz-outpost-lite/templates/serviceaccount.yaml
3+
apiVersion: v1
4+
kind: ServiceAccount
5+
metadata:
6+
name: sa-remediation-aws-rds-003
7+
namespace: release-helm-namespace
8+
labels:
9+
helm.sh/chart: "GOLDEN_STATIC_VALUE"
10+
app.kubernetes.io/name: wiz-outpost-lite
11+
app.kubernetes.io/instance: release-test
12+
wiz.io/runner: "remediation-aws-rds-003"
13+
app.kubernetes.io/version: "0.1.0"
14+
app.kubernetes.io/managed-by: Helm
15+
---
16+
# Source: wiz-outpost-lite/templates/credentials.secret.yaml
17+
apiVersion: v1
18+
kind: Secret
19+
metadata:
20+
name: outpost-lite-agent-creds
21+
labels:
22+
helm.sh/chart: "GOLDEN_STATIC_VALUE"
23+
app.kubernetes.io/name: wiz-outpost-lite
24+
app.kubernetes.io/instance: release-test
25+
app.kubernetes.io/version: "0.1.0"
26+
app.kubernetes.io/managed-by: Helm
27+
stringData:
28+
clientId: "client-1"
29+
clientSecret: "secret-2"
30+
---
31+
# Source: wiz-outpost-lite/templates/service.yaml
32+
apiVersion: v1
33+
kind: Service
34+
metadata:
35+
name: release-test-wiz-outpost-lite-remediation-aws-rds-003
36+
labels:
37+
helm.sh/chart: "GOLDEN_STATIC_VALUE"
38+
app.kubernetes.io/name: wiz-outpost-lite
39+
app.kubernetes.io/instance: release-test
40+
wiz.io/runner: "remediation-aws-rds-003"
41+
app.kubernetes.io/version: "0.1.0"
42+
app.kubernetes.io/managed-by: Helm
43+
spec:
44+
type: ClusterIP
45+
ports:
46+
- port: 9090
47+
targetPort: metrics
48+
protocol: TCP
49+
name: metrics
50+
selector:
51+
app.kubernetes.io/name: wiz-outpost-lite
52+
app.kubernetes.io/instance: release-test
53+
wiz.io/runner: "remediation-aws-rds-003"
54+
---
55+
# Source: wiz-outpost-lite/templates/deployment.yaml
56+
apiVersion: apps/v1
57+
kind: Deployment
58+
metadata:
59+
name: release-test-wiz-outpost-lite-remediation-aws-rds-003
60+
labels:
61+
helm.sh/chart: "GOLDEN_STATIC_VALUE"
62+
app.kubernetes.io/name: wiz-outpost-lite
63+
app.kubernetes.io/instance: release-test
64+
wiz.io/runner: "remediation-aws-rds-003"
65+
app.kubernetes.io/version: "0.1.0"
66+
app.kubernetes.io/managed-by: Helm
67+
spec:
68+
replicas: 1
69+
selector:
70+
matchLabels:
71+
app.kubernetes.io/name: wiz-outpost-lite
72+
app.kubernetes.io/instance: release-test
73+
wiz.io/runner: "remediation-aws-rds-003"
74+
template:
75+
metadata:
76+
labels:
77+
app.kubernetes.io/name: wiz-outpost-lite
78+
app.kubernetes.io/instance: release-test
79+
wiz.io/runner: "remediation-aws-rds-003"
80+
spec:
81+
serviceAccountName: sa-remediation-aws-rds-003
82+
securityContext:
83+
fsGroup: 1000
84+
runAsGroup: 1000
85+
runAsNonRoot: false
86+
runAsUser: 1000
87+
restartPolicy: Always
88+
containers:
89+
- name: wiz-outpost-lite-remediation-aws-rds-003
90+
image: "wizio.azurecr.io/outpost-lite-runner-remediation:0.1-latest"
91+
command: [ "/entrypoint"]
92+
imagePullPolicy: Always
93+
env:
94+
- name: NODE_NAME
95+
valueFrom:
96+
fieldRef:
97+
fieldPath: spec.nodeName
98+
- name: K8S_NAMESPACE
99+
valueFrom:
100+
fieldRef:
101+
fieldPath: metadata.namespace
102+
- name: K8S_POD_NAME
103+
valueFrom:
104+
fieldRef:
105+
fieldPath: metadata.name
106+
- name: OUTPOST
107+
value: "1"
108+
- name: WIZ_OUTPOST_ID
109+
value: "my-outpost-id"
110+
- name: WIZ_OUTPOST_RUNNER_ID
111+
value: "remediation-aws-rds-003"
112+
- name: WIZ_CLIENT_ID
113+
valueFrom:
114+
secretKeyRef:
115+
name: outpost-lite-agent-creds
116+
key: clientId
117+
- name: WIZ_CLIENT_SECRET
118+
valueFrom:
119+
secretKeyRef:
120+
name: outpost-lite-agent-creds
121+
key: clientSecret
122+
- name: OUTPOST_LITE_RUNNER_REGION
123+
value: "partition-1"
124+
- name: OUTPOST_LITE_RUNNER_METRICS_PORT
125+
value: "9090"
126+
- name: OUTPOST_LITE_RUNNER_AUTO_UPDATE
127+
value: "1"
128+
- name: http_proxy
129+
valueFrom:
130+
secretKeyRef:
131+
name: "wiz-http-proxy-configuration"
132+
key: "httpProxy"
133+
optional: true
134+
- name: HTTP_PROXY
135+
valueFrom:
136+
secretKeyRef:
137+
name: "wiz-http-proxy-configuration"
138+
key: "httpProxy"
139+
optional: true
140+
- name: https_proxy
141+
valueFrom:
142+
secretKeyRef:
143+
name: "wiz-http-proxy-configuration"
144+
key: "httpsProxy"
145+
optional: true
146+
- name: HTTPS_PROXY
147+
valueFrom:
148+
secretKeyRef:
149+
name: "wiz-http-proxy-configuration"
150+
key: "httpsProxy"
151+
optional: true
152+
- name: no_proxy
153+
valueFrom:
154+
secretKeyRef:
155+
name: "wiz-http-proxy-configuration"
156+
key: "noProxyAddress"
157+
optional: true
158+
- name: NO_PROXY
159+
valueFrom:
160+
secretKeyRef:
161+
name: "wiz-http-proxy-configuration"
162+
key: "noProxyAddress"
163+
optional: true
164+
- name: SSL_CERT_DIR
165+
value: "/usr/local/share/ca-certificates/:/certificates/"
166+
ports:
167+
- name: metrics
168+
containerPort: 9090
169+
protocol: TCP
170+
resources:
171+
limits:
172+
memory: 4396M
173+
requests:
174+
memory: 1024M
175+
securityContext:
176+
capabilities:
177+
add:
178+
- SYS_ADMIN
179+
volumeMounts:
180+
- mountPath: /var/wiz
181+
name: working-dir
182+
- mountPath: /usr/local/share/ca-certificates/
183+
name: ca-certificate
184+
readOnly: true
185+
terminationGracePeriodSeconds: 30
186+
volumes:
187+
- name: working-dir
188+
emptyDir: {}
189+
- name: ca-certificate
190+
secret:
191+
defaultMode: 420
192+
secretName: "wiz-http-proxy-configuration"
193+
items:
194+
- key: caCertificate
195+
path: root.crt
196+
optional: true
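Review bot: The pod-level securityContext in this golden (`runAsNonRoot: false` directly beside `runAsUser: 1000`) and a container securityContext that only adds `SYS_ADMIN`, with no `drop`, `allowPrivilegeEscalation` or `readOnlyRootFilesystem`, pin a profile far weaker than the one remediation.golden.yaml now expects, so this fixture appears to capture a values path where the hardening is switched off. If that is intended, the values file driving this golden should say so, and emitting `runAsNonRoot: false` explicitly is worth reconsidering: omitting the key is the usual way to express "not enforced", while an explicit `false` reads as a deliberate downgrade and invites a policy engine to flag it. The file path for this section is not shown on the page and the template producing it is outside the rendered sections, so the values behind it cannot be confirmed from here.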

.circleci/tests/golden/wiz-outpost-lite/remediation.golden.yaml

Lines changed: 14 additions & 5 deletions
@@ -73,14 +73,17 @@ spec:
7373
wiz.io/runner: "remediation-aws-rds-003"
7474
template:
7575
metadata:
76-
annotations:
77-
container.apparmor.security.beta.kubernetes.io/wiz-outpost-lite-remediation-aws-rds-003: unconfined
7876
labels:
7977
app.kubernetes.io/name: wiz-outpost-lite
8078
app.kubernetes.io/instance: release-test
8179
wiz.io/runner: "remediation-aws-rds-003"
8280
spec:
8381
serviceAccountName: sa-remediation-aws-rds-003
82+
securityContext:
83+
fsGroup: 1000
84+
runAsGroup: 1000
85+
runAsNonRoot: true
86+
runAsUser: 1000
8487
restartPolicy: Always
8588
containers:
8689
- name: wiz-outpost-lite-remediation-aws-rds-003
@@ -170,11 +173,17 @@ spec:
170173
requests:
171174
memory: 1024M
172175
securityContext:
176+
allowPrivilegeEscalation: false
173177
capabilities:
174-
add:
175-
- SYS_ADMIN
178+
drop:
179+
- ALL
180+
privileged: false
181+
readOnlyRootFilesystem: true
182+
runAsGroup: 1000
183+
runAsNonRoot: true
184+
runAsUser: 1000
176185
seLinuxOptions:
177-
type: spc_t
186+
type: container_t
178187
volumeMounts:
179188
- mountPath: /var/wiz
180189
name: working-dir
