Skip to content

Commit

Permalink
feat(chart): Improved default security context
Browse files Browse the repository at this point in the history
Signed-off-by: Steve Hipwell <[email protected]>
  • Loading branch information
stevehipwell committed Nov 18, 2024
1 parent 317f551 commit dacfc30
Show file tree
Hide file tree
Showing 3 changed files with 40 additions and 13 deletions.
12 changes: 8 additions & 4 deletions charts/karpenter/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -44,15 +44,18 @@ cosign verify public.ecr.aws/karpenter/karpenter:1.0.0 \
| additionalClusterRoleRules | list | `[]` | Specifies additional rules for the core ClusterRole. |
| additionalLabels | object | `{}` | Additional labels to add into metadata. |
| affinity | object | `{"nodeAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":{"nodeSelectorTerms":[{"matchExpressions":[{"key":"karpenter.sh/nodepool","operator":"DoesNotExist"}]}]}},"podAntiAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"topologyKey":"kubernetes.io/hostname"}]}}` | Affinity rules for scheduling the pod. If an explicit label selector is not provided for pod affinity or pod anti-affinity one will be created from the pod selector labels. |
| controller.env | list | `[]` | Additional environment variables for the controller pod. |
| controller.env | list | `[]` | Additional environment variables for the controller container. |
| controller.envFrom | list | `[]` | |
| controller.extraVolumeMounts | list | `[]` | Additional volumeMounts for the controller pod. |
| controller.extraVolumeMounts | list | `[]` | Additional volumeMounts for the controller container. |
| controller.healthProbe.port | int | `8081` | The container port to use for http health probe. |
| controller.image.digest | string | `"sha256:1eb1073b9f4ed804634aabf320e4d6e822bb61c0f5ecfd9c3a88f05f1ca4c5c5"` | SHA256 digest of the controller image. |
| controller.image.repository | string | `"public.ecr.aws/karpenter/controller"` | Repository path to the controller image. |
| controller.image.tag | string | `"1.0.0"` | Tag of the controller image. |
| controller.metrics.port | int | `8080` | The container port to use for metrics. |
| controller.resources | object | `{}` | Resources for the controller pod. |
| controller.resources | object | `{}` | Resources for the controller container. |
| controller.securityContext.appArmorProfile | object | `nil` | The AppArmor options to use by the controller container. |
| controller.securityContext.seLinuxOptions | object | `nil` | The SELinux context to be applied to the controller container. |
| controller.securityContext.seccompProfile | object | `{"type":"RuntimeDefault"}` | The seccomp options to use by the controller container. |
| controller.sidecarContainer | list | `[]` | Additional sidecarContainer config |
| controller.sidecarVolumeMounts | list | `[]` | Additional volumeMounts for the sidecar - this will be added to the volume mounts on top of extraVolumeMounts |
| dnsConfig | object | `{}` | Configure DNS Config for the pod |
Expand All @@ -71,10 +74,11 @@ cosign verify public.ecr.aws/karpenter/karpenter:1.0.0 \
| podDisruptionBudget.maxUnavailable | int | `1` | |
| podDisruptionBudget.name | string | `"karpenter"` | |
| podLabels | object | `{}` | Additional labels for the pod. |
| podSecurityContext | object | `{"fsGroup":65532}` | SecurityContext for the pod. |
| podSecurityContext | object | `{"fsGroup":65532,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | SecurityContext for the pod. |
| priorityClassName | string | `"system-cluster-critical"` | PriorityClass name for the pod. |
| replicas | int | `2` | Number of replicas. |
| revisionHistoryLimit | int | `10` | The number of old ReplicaSets to retain to allow rollback. |
| service.annotations | object | `{}` | Additional annotations for the Service. |
| serviceAccount.annotations | object | `{}` | Additional annotations for the ServiceAccount. |
| serviceAccount.create | bool | `true` | Specifies if a ServiceAccount should be created. |
| serviceAccount.name | string | `""` | The name of the ServiceAccount to use. If not set and create is true, a name is generated using the fullname template. |
Expand Down
23 changes: 18 additions & 5 deletions charts/karpenter/templates/deployment.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -59,16 +59,29 @@ spec:
containers:
- name: controller
securityContext:
privileged: false
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 65532
runAsGroup: 65532
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
{{- with .Values.controller.securityContext }}
{{- with .appArmorProfile }}
appArmorProfile:
{{- toYaml . | nindent 14}}
{{- end }}
{{- with .seLinuxOptions }}
seLinuxOptions:
{{- toYaml . | nindent 14}}
{{- end }}
{{- with .seccompProfile }}
seccompProfile:
{{- toYaml . | nindent 14}}
{{- end }}
{{- end }}
image: {{ include "karpenter.controller.image" . }}
imagePullPolicy: {{ .Values.imagePullPolicy }}
env:
Expand Down
18 changes: 14 additions & 4 deletions charts/karpenter/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -51,7 +51,10 @@ podDisruptionBudget:
maxUnavailable: 1
# -- SecurityContext for the pod.
podSecurityContext:
runAsNonRoot: true
fsGroup: 65532
seccompProfile:
type: RuntimeDefault
# -- PriorityClass name for the pod.
priorityClassName: system-cluster-critical
# -- Override the default termination grace period for the pod.
Expand Down Expand Up @@ -107,12 +110,20 @@ controller:
tag: 1.0.0
# -- SHA256 digest of the controller image.
digest: sha256:1eb1073b9f4ed804634aabf320e4d6e822bb61c0f5ecfd9c3a88f05f1ca4c5c5
# -- Additional environment variables for the controller pod.
securityContext:
# -- (object) The AppArmor options to use by the controller container.
appArmorProfile:
# -- (object) The SELinux context to be applied to the controller container.
seLinuxOptions:
# -- The seccomp options to use by the controller container.
seccompProfile:
type: RuntimeDefault
# -- Additional environment variables for the controller container.
env: []
# - name: AWS_REGION
# value: eu-west-1
envFrom: []
# -- Resources for the controller pod.
# -- Resources for the controller container.
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
Expand All @@ -124,8 +135,7 @@ controller:
# limits:
# cpu: 1
# memory: 1Gi

# -- Additional volumeMounts for the controller pod.
# -- Additional volumeMounts for the controller container.
extraVolumeMounts: []
# - name: aws-iam-token
# mountPath: /var/run/secrets/eks.amazonaws.com/serviceaccount
Expand Down

0 comments on commit dacfc30

Please sign in to comment.