
Add seccompProfile field in securityContext instead of annotation #118

Merged
merged 1 commit into from
Jul 22, 2022

Conversation

kota2and3kan
Collaborator

This PR adds securityContext.seccompProfile in each chart.


In the Scalar DB and Envoy charts, the annotation seccomp.security.alpha.kubernetes.io/pod is used for setting the seccomp configuration.
However, this annotation is deprecated and will be non-functional in the next Kubernetes release, as follows.

  • Message when I deploy current chart
    Warning: spec.template.metadata.annotations[seccomp.security.alpha.kubernetes.io/pod]: deprecated since v1.19, non-functional in v1.25+; use the "seccompProfile" field instead

So, I removed the deprecated annotation and added securityContext.seccompProfile to set the same seccomp configuration.


In the Scalar DL (Ledger and Auditor) charts, there is currently no configuration related to seccomp.
So, I just added securityContext.seccompProfile to set the seccomp configuration and make them more secure.

Please take a look!

@kota2and3kan kota2and3kan requested a review from feeblefakie July 20, 2022 06:13
@kota2and3kan kota2and3kan self-assigned this Jul 20, 2022
@kota2and3kan kota2and3kan removed the request for review from feeblefakie July 20, 2022 06:18
@kota2and3kan
Collaborator Author

The kubeaudit-chart CI job failed.
So, I will investigate the cause of the failure.

@kota2and3kan
Collaborator Author

CI failed as follows.
https://github.com/scalar-labs/helm-charts/runs/7423505134?check_suite_focus=true

And, I was able to reproduce the error in my local environment. The error is the following.

$ kubeaudit all -k .github/kube-audit.yaml -f <(helm template --generate-name "charts/scalardb") -m error

---------------- Results for ---------------

  apiVersion: apps/v1
  kind: Deployment
  metadata:
    name: RELEASE-NAME-scalardb
    namespace: default

--------------------------------------------

-- [error] SeccompAnnotationMissing
   Message: Seccomp annotation is missing. The annotation seccomp.security.alpha.kubernetes.io/pod: runtime/default should be added.
   Metadata:
      MissingAnnotation: seccomp.security.alpha.kubernetes.io/pod

kubeaudit detects the missing annotation seccomp.security.alpha.kubernetes.io/pod.
However, this annotation is deprecated now.
And, I added securityContext.seccompProfile instead of this annotation in this PR to set the same security configuration.
So, this error is expected.

And, I checked after disabling seccomp checking as follows.

$ diff -u .github/kube-audit.yaml .github/kube-audit-disable-seccomp.yaml
--- .github/kube-audit.yaml     2022-07-20 15:31:05.908539923 +0900
+++ .github/kube-audit-disable-seccomp.yaml     2022-07-20 15:31:41.838540413 +0900
@@ -11,7 +11,7 @@
   privesc: true
   privileged: true
   rootfs: false
-  seccomp: true
+  seccomp: false
 auditors:
   capabilities:
     allowAddList: ['NET_BIND_SERVICE']
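Review bot: Flipping `seccomp: true` to `seccomp: false` turns the seccomp auditor off for every chart rendered in CI, not only the ones that now carry securityContext.seccompProfile, so a chart that later drops the field would pass CI silently; since the flip only works around the auditor's annotation-only check, a comment on that line naming the upstream kubeaudit issue and the intent to re-enable the auditor would make the temporary nature explicit.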

As a result, there is no issue as follows.

$ kubeaudit all -k .github/kube-audit-disable-seccomp.yaml -f <(helm template --generate-name "charts/scalardb") -m error
All checks completed. 0 high-risk vulnerabilities found

Also, in the kubeaudit repository, this is a known issue and it is not fixed yet.
Shopify/kubeaudit#343

So, we can ignore this CI error.
And, I think we can disable seccomp checking in kubeaudit since we already added securityContext.seccompProfile.
After the above kubeaudit issue is fixed, we can enable seccomp checking again.
I will update the CI (.github/kube-audit.yaml) in another PR.
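The gap discussed above, that kubeaudit only recognises the deprecated annotation and not the seccompProfile field, can be covered by a small check of your own while the auditor is disabled. The following is an added example, not code from this PR or from kubeaudit; it assumes the rendered manifests have already been loaded into Python dicts (for example from `helm template` output via PyYAML, or from `kubectl get -o json`), and the three manifests at the bottom are constructed samples, not the charts' real output.

```python
"""Audit rendered Kubernetes manifests for seccomp, accepting the seccompProfile field."""

DEPRECATED_ANNOTATION = "seccomp.security.alpha.kubernetes.io/pod"
# Profiles that actually confine the workload; "Unconfined" does not.
CONFINING_PROFILES = {"RuntimeDefault", "Localhost"}

def pod_spec_of(manifest):
    """Return (pod_metadata, pod_spec) for a bare Pod or a workload with a pod template."""
    if manifest.get("kind") == "Pod":
        return manifest.get("metadata", {}), manifest.get("spec", {})
    tmpl = manifest.get("spec", {}).get("template")
    if tmpl is None:                      # Service, ConfigMap, ... : nothing to audit
        return None, None
    return tmpl.get("metadata", {}), tmpl.get("spec", {})

def profile_type(obj):
    """Read securityContext.seccompProfile.type from a pod spec or container dict."""
    return obj.get("securityContext", {}).get("seccompProfile", {}).get("type")

def audit_seccomp(manifest):
    """Classify one manifest as 'field', 'unconfined', 'annotation-deprecated', 'missing' or 'n/a'."""
    meta, spec = pod_spec_of(manifest)
    if spec is None:
        return "n/a"
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    # A container-level Unconfined overrides a confining pod-level profile.
    if any(profile_type(c) == "Unconfined" for c in containers):
        return "unconfined"
    if profile_type(spec) in CONFINING_PROFILES:
        return "field"
    if containers and all(profile_type(c) in CONFINING_PROFILES for c in containers):
        return "field"                    # every container sets its own profile
    if meta.get("annotations", {}).get(DEPRECATED_ANNOTATION):
        return "annotation-deprecated"    # non-functional in v1.25+, flag for migration
    return "missing"

# Constructed sample manifests (not the scalar charts' real rendered output).
OLD = {"kind": "Deployment", "metadata": {"name": "old"}, "spec": {"template": {
    "metadata": {"annotations": {DEPRECATED_ANNOTATION: "runtime/default"}},
    "spec": {"containers": [{"name": "app", "image": "example"}]}}}}
NEW = {"kind": "Deployment", "metadata": {"name": "new"}, "spec": {"template": {
    "metadata": {},
    "spec": {"securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
             "containers": [{"name": "app", "image": "example"}]}}}}
NONE = {"kind": "Deployment", "metadata": {"name": "none"}, "spec": {"template": {
    "metadata": {}, "spec": {"containers": [{"name": "app", "image": "example"}]}}}}

if __name__ == "__main__":
    for m in (OLD, NEW, NONE):
        print(m["metadata"]["name"], audit_seccomp(m))
```

Run it against every document in a rendered chart and treat anything other than "field" as a CI failure; that gives back the coverage lost by setting `seccomp: false` in the kubeaudit config.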

@kota2and3kan
Collaborator Author

I updated the CI (.github/kube-audit.yaml) in the following PR.
#119

Contributor

@feeblefakie feeblefakie left a comment

LGTM! Thank you!
