feat(chart): Improved default security context #7279
Conversation
✅ Deploy Preview for karpenter-docs-prod canceled.
|
stevehipwell
force-pushed
the
chart-security-context
branch
from
e211a98 to
0e90ebf
Compare
stevehipwell
force-pushed
the
chart-security-context
branch
from
0e90ebf to
dacfc30
Compare
|
@tzneal could you take a look at this please? |
|
This PR has been inactive for 14 days. StaleBot will close this stale PR after 14 more days of inactivity. |
stevehipwell
force-pushed
the
chart-security-context
branch
from
dacfc30 to
5cc1c72
Compare
|
@jonathan-innis @tzneal could someone please take a look at this? |
stevehipwell
force-pushed
the
chart-security-context
branch
from
5cc1c72 to
be44880
Compare
|
@jonathan-innis @tzneal could someone please take a look at this? |
|
I'll take a look at this. |
|
This PR has been inactive for 14 days. StaleBot will close this stale PR after 14 more days of inactivity. |
stevehipwell
force-pushed
the
chart-security-context
branch
from
be44880 to
144aa53
Compare
|
/not-stale |
Signed-off-by: Steve Hipwell <[email protected]>
stevehipwell
force-pushed
the
chart-security-context
branch
from
144aa53 to
e351477
Compare
|
@saurav-agarwalla did you manage to take a look at this? |
|
@stevehipwell apologies for the delay, I started reviewing this but then got side-tracked with the holidays and other things. Planning to get back to it this week. |
| @@ -72,7 +75,7 @@ cosign verify public.ecr.aws/karpenter/karpenter:1.1.1 \ | |||
| | podDisruptionBudget.maxUnavailable | int | `1` | | | |||
| | podDisruptionBudget.name | string | `"karpenter"` | | | |||
| | podLabels | object | `{}` | Additional labels for the pod. | | |||
| | podSecurityContext | object | `{"fsGroup":65532}` | SecurityContext for the pod. | | |||
| | podSecurityContext | object | `{"fsGroup":65532,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | SecurityContext for the pod. | | |||
There was a problem hiding this comment.
Why do we need to change the defaults?
There was a problem hiding this comment.
Some systems need this making explicit for policy purposes.
There was a problem hiding this comment.
Same comment as the other one below. As per the documentation, we're changing the desired behavior by setting these values so I am not sure if we should be setting this for everyone:
Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.32/#securitycontext-v1-core
There was a problem hiding this comment.
Karpenter runs as non-root so this can be set with no implications. It is 100% a best practice to set this.
| @@ -90,7 +93,6 @@ cosign verify public.ecr.aws/karpenter/karpenter:1.1.1 \ | |||
| | settings.clusterCABundle | string | `""` | Cluster CA bundle for TLS configuration of provisioned nodes. If not set, this is taken from the controller's TLS configuration for the API server. | | |||
| | settings.clusterEndpoint | string | `""` | Cluster endpoint. If not set, will be discovered during startup (EKS only) | | |||
| | settings.clusterName | string | `""` | Cluster name. | | |||
| | settings.eksControlPlane | bool | `false` | Marking this true means that your cluster is running with an EKS control plane and Karpenter should attempt to discover cluster details from the DescribeCluster API | | |||
There was a problem hiding this comment.
Any reason this is being removed?
There was a problem hiding this comment.
I'm not sure, I guess it might be a merge artifact.
There was a problem hiding this comment.
Can you add it back? I am seeing this in the latest main so I don't think we want to remove it: https://github.com/aws/karpenter-provider-aws/blob/main/charts/karpenter/README.md?plain=1#L93.
There was a problem hiding this comment.
I'll add this back.
| @@ -62,16 +62,29 @@ spec: | |||
| containers: | |||
| - name: {{ .Values.controller.containerName | default "controller" }} | |||
| securityContext: | |||
| privileged: false | |||
There was a problem hiding this comment.
Is this something you wanted to add? If so, should we parameterize it for backwards compatibility like the others?
There was a problem hiding this comment.
There is no need to make this optional as Karpenter doesn't need it. Some systems want it explicitly set for policy purposes.
There was a problem hiding this comment.
From the docs:
privilegedboolean
Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults to false. Note that this field cannot be set when spec.os.name is windows.
So I don't think we can set it without parameterizing it.
There was a problem hiding this comment.
The default is un privileged, we're just making it explicit as some org policies require it to be so. Karpenter will never need this so there is no valid reason to set it otherwise. Helm charts should only offer customisation where required, first party Helm charts even more so.
Pull Request Test Coverage Report for Build 12771160071Warning: This coverage report may be inaccurate.This pull request's base commit is no longer the HEAD commit of its target branch. This means it includes changes from outside the original pull request, including, potentially, unrelated coverage changes.
Details
💛 - Coveralls |
Fixes #N/A
Description
This PR improves the default security context posture and adds support for setting container values which should be user defined.
How was this change tested?
The Helm chart was templated with the new values.
Does this change impact docs?
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.