Merge pull request #350 from becitsthere/master

Run controller in non-priv mode
neuvector · Jan 6, 2024 · d488ccd · d488ccd
2 parents 1c75e69 + 0e0b6a6
commit d488ccd
Show file tree

Hide file tree

Showing 5 changed files with 230 additions and 23 deletions.
diff --git a/charts/core/templates/controller-deployment.yaml b/charts/core/templates/controller-deployment.yaml
@@ -1,3 +1,4 @@
+{{- $pre530 := (semverCompare "<5.2.10" .Values.tag) -}}
 {{- if .Values.controller.enabled -}}
 {{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
 apiVersion: apps/v1
@@ -96,8 +97,13 @@ spec:
           {{- end }}
           {{- end }}
           {{- end }}
+          {{- if $pre530 }}
           securityContext:
             privileged: true
+          {{- else }}
+          securityContext:
+            runAsUser: 0
+          {{- end }}
           resources:
           {{- if .Values.controller.resources }}
 {{ toYaml .Values.controller.resources | indent 12 }}
@@ -148,12 +154,12 @@ spec:
 {{- toYaml . | nindent 12 }}
           {{- end }}
           volumeMounts:
+           {{- if or .Values.controller.pvc.enabled .Values.controller.azureFileShare.enabled }}
             - mountPath: /var/neuvector
               name: nv-share
               readOnly: false
-            - mountPath: /var/nv_debug
-              name: nv-debug
-              readOnly: false
+          {{- end }}
+          {{- if $pre530 }}
           {{- if .Values.containerd.enabled }}
             - mountPath: /var/run/containerd/containerd.sock
           {{- else if .Values.k3s.enabled }}
@@ -173,6 +179,7 @@ spec:
             - mountPath: /host/cgroup
               name: cgroup-vol
               readOnly: true
+          {{- end }}
             - mountPath: /etc/config
               name: config-volume
               readOnly: true
@@ -213,6 +220,7 @@ spec:
       terminationGracePeriodSeconds: 300
       restartPolicy: Always
       volumes:
+        {{- if or .Values.controller.pvc.enabled .Values.controller.azureFileShare.enabled }}
         - name: nv-share
         {{- if .Values.controller.pvc.enabled }}
           persistentVolumeClaim:
@@ -222,10 +230,9 @@ spec:
             secretName: {{ .Values.controller.azureFileShare.secretName }}
             shareName: {{ .Values.controller.azureFileShare.shareName }}
             readOnly: false
-        {{- else }}
-          hostPath:
-            path: /var/neuvector
         {{- end }}
+        {{- end }}
+        {{- if $pre530 }}
         - name: runtime-sock
           hostPath:
           {{- if .Values.containerd.enabled }}
@@ -245,6 +252,7 @@ spec:
         - name: cgroup-vol
           hostPath:
             path: /sys/fs/cgroup
+        {{- end }}
         - name: config-volume
           projected:
             sources:
@@ -257,9 +265,6 @@ spec:
               - secret:
                   name: neuvector-secret
                   optional: true
-        - name: nv-debug
-          hostPath:
-            path: /var/nv_debug
       {{- if .Values.autoGenerateCert }}
         - name: cert
           secret:

diff --git a/charts/core/templates/enforcer-daemonset.yaml b/charts/core/templates/enforcer-daemonset.yaml
@@ -1,3 +1,4 @@
+{{- $pre530 := (semverCompare "<5.2.10" .Values.tag) -}}
 {{- if .Values.enforcer.enabled -}}
 {{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
 apiVersion: apps/v1
@@ -91,6 +92,7 @@ spec:
 {{- toYaml . | nindent 12 }}
           {{- end }}
           volumeMounts:
+          {{- if $pre530 }}
           {{- if .Values.containerd.enabled }}
             - mountPath: /var/run/containerd/containerd.sock
           {{- else if .Values.k3s.enabled }}
@@ -110,6 +112,7 @@ spec:
             - mountPath: /host/cgroup
               name: cgroup-vol
               readOnly: true
+          {{- end }}
             - mountPath: /lib/modules
               name: modules-vol
               readOnly: true
@@ -133,6 +136,7 @@ spec:
       terminationGracePeriodSeconds: 1200
       restartPolicy: Always
       volumes:
+      {{- if $pre530 }}
         - name: runtime-sock
           hostPath:
           {{- if .Values.containerd.enabled }}
@@ -152,6 +156,7 @@ spec:
         - name: cgroup-vol
           hostPath:
             path: /sys/fs/cgroup
+      {{- end }}
         - name: modules-vol
           hostPath:
             path: /lib/modules

diff --git a/charts/core/templates/psp.yaml b/charts/core/templates/psp.yaml
@@ -72,9 +72,6 @@ roleRef:
   name: neuvector-binding-psp
 subjects:
 {{- if .Values.leastPrivilege }}
-- kind: ServiceAccount
-  name: controller
-  namespace: {{ .Release.Namespace }}
 - kind: ServiceAccount
   name: enforcer
   namespace: {{ .Release.Namespace }}
@@ -83,4 +80,81 @@ subjects:
   name: {{ .Values.serviceAccount }}
   namespace: {{ .Release.Namespace }}
 {{- end }}
+
+{{- if .Values.leastPrivilege }}
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: neuvector-binding-psp-controller
+  labels:
+    chart: {{ template "neuvector.chart" . }}
+    heritage: Helm
+    release: {{ .Release.Name }}
+spec:
+  privileged: false
+  readOnlyRootFilesystem: false
+  allowPrivilegeEscalation: false
+  allowedCapabilities: null
+  requiredDropCapabilities:
+  - ALL
+  volumes:
+  - configMap
+  - downwardAPI
+  - emptyDir
+  - persistentVolumeClaim
+  - azureFile
+  - projected
+  - secret
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    rule: 'RunAsAny'
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'RunAsAny'
+  fsGroup:
+    rule: 'RunAsAny'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: neuvector-binding-psp-controller
+  namespace: {{ .Release.Namespace }}
+  labels:
+    chart: {{ template "neuvector.chart" . }}
+    heritage: Helm
+    release: {{ .Release.Name }}
+rules:
+- apiGroups:
+  - policy
+  - extensions
+  resources:
+  - podsecuritypolicies
+  verbs:
+  - use
+  resourceNames:
+  - neuvector-binding-psp-controller
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: neuvector-binding-psp-controller
+  namespace: {{ .Release.Namespace }}
+  labels:
+    chart: {{ template "neuvector.chart" . }}
+    heritage: Helm
+    release: {{ .Release.Name }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: neuvector-binding-psp-controller
+subjects:
+- kind: ServiceAccount
+  name: controller
+  namespace: {{ .Release.Namespace }}
+{{- end }}
+
 {{- end }}
diff --git a/charts/core/templates/rolebinding-least.yaml b/charts/core/templates/rolebinding-least.yaml
@@ -62,15 +62,6 @@ subjects:
 - kind: ServiceAccount
   name: controller
   namespace: {{ .Release.Namespace }}
-- kind: ServiceAccount
-  name: enforcer
-  namespace: {{ .Release.Namespace }}
-- kind: ServiceAccount
-  name: scanner
-  namespace: {{ .Release.Namespace }}
-- kind: ServiceAccount
-  name: registry-adapter
-  namespace: {{ .Release.Namespace }}
 {{- if $oc3 }}
 userNames:
 - system:serviceaccount:{{ .Release.Namespace }}:controller
@@ -94,10 +85,85 @@ roleRef:
   name: system:openshift:scc:privileged
 subjects:
 - kind: ServiceAccount
-  name: controller
+  name: enforcer
   namespace: {{ .Release.Namespace }}
+
+---
+
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegeEscalation: false
+allowPrivilegedContainer: false
+allowedCapabilities: null
+apiVersion: security.openshift.io/v1
+defaultAddCapabilities: null
+fsGroup:
+  type: RunAsAny
+groups: []
+kind: SecurityContextConstraints
+metadata:
+  name: neuvector-scc-controller
+priority: null
+readOnlyRootFilesystem: false
+requiredDropCapabilities:
+- ALL
+runAsUser:
+  type: RunAsAny
+seLinuxContext:
+  type: RunAsAny
+supplementalGroups:
+  type: RunAsAny
+users: []
+volumes:
+- configMap
+- downwardAPI
+- emptyDir
+- persistentVolumeClaim
+- azureFile
+- projected
+- secret
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: system:openshift:scc:neuvector-scc-controller
+  labels:
+    chart: {{ template "neuvector.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: Helm
+rules:
+- apiGroups:
+  - security.openshift.io
+  resourceNames:
+  - neuvector-scc-controller
+  resources:
+  - securitycontextconstraints
+  verbs:
+  - use
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: system:openshift:scc:neuvector-scc-controller
+  namespace: {{ .Release.Namespace }}
+  labels:
+    chart: {{ template "neuvector.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: Helm
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:openshift:scc:neuvector-scc-controller
+subjects:
 - kind: ServiceAccount
-  name: enforcer
+  name: controller
   namespace: {{ .Release.Namespace }}
 {{- end }}
 {{- end }}
diff --git a/test/deployment_test.go b/test/deployment_test.go
@@ -30,6 +30,63 @@ func TestControllerDeployment(t *testing.T) {
 	}
 }
 
+func TestControllerDeploymentPre53(t *testing.T) {
+	helmChartPath := "../charts/core"
+
+	options := &helm.Options{
+		SetValues: map[string]string{
+			"tag": "5.2.4",
+		},
+	}
+
+	// Test ingress
+	out := helm.RenderTemplate(t, options, helmChartPath, nvRel, []string{"templates/controller-deployment.yaml"})
+	outs := splitYaml(out)
+
+	if len(outs) != 1 {
+		t.Errorf("Resource count is wrong. count=%v\n", len(outs))
+	}
+
+	var dep appsv1.Deployment
+	helm.UnmarshalK8SYaml(t, outs[0], &dep)
+	if dep.Spec.Template.Spec.Containers[0].VolumeMounts[0].Name != "runtime-sock" {
+		t.Errorf("VolumeMounts[0] is wrong, %v\n", dep.Spec.Template.Spec.Containers[0].VolumeMounts[0])
+	}
+	if *dep.Spec.Template.Spec.Containers[0].SecurityContext.Privileged != true {
+		t.Errorf("Privileged is wrong, %v\n", *dep.Spec.Template.Spec.Containers[0].SecurityContext.Privileged)
+	}
+}
+
+func TestControllerDeploymentPost53(t *testing.T) {
+	helmChartPath := "../charts/core"
+
+	options := &helm.Options{
+		SetValues: map[string]string{
+			"tag": "5.3.0",
+		},
+	}
+
+	// Test ingress
+	out := helm.RenderTemplate(t, options, helmChartPath, nvRel, []string{"templates/controller-deployment.yaml"})
+	outs := splitYaml(out)
+
+	if len(outs) != 1 {
+		t.Errorf("Resource count is wrong. count=%v\n", len(outs))
+	}
+
+	var dep appsv1.Deployment
+	helm.UnmarshalK8SYaml(t, outs[0], &dep)
+	if dep.Spec.Template.Spec.Containers[0].VolumeMounts[0].Name != "config-volume" {
+		t.Errorf("VolumeMounts[0] is wrong, %v\n", dep.Spec.Template.Spec.Containers[0].VolumeMounts[0])
+	}
+	if dep.Spec.Template.Spec.Containers[0].SecurityContext.Privileged != nil {
+		t.Errorf("SecurityContext.Privileged should be nil\n")
+	}
+	if *dep.Spec.Template.Spec.Containers[0].SecurityContext.RunAsUser != 0 {
+		t.Errorf("SecurityContext.RunAsUser should be 0\n")
+	}
+}
+
 func TestControllerDeploymentRegistry(t *testing.T) {
 	helmChartPath := "../charts/core"