diff --git a/CHANGELOG.md b/CHANGELOG.md
index f19365ac..eea5157c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,14 @@ and this project's packages adheres to [Semantic Versioning](http://semver.org/s
 ## [Unreleased]
+### Changed
+
+- Make App compliant with PSS policies ([#234](https://github.com/giantswarm/coredns-app/pull/234)):
+ - Set seccompProfile to `RuntimeDefault`.
+ - Fix capabilities typo.
+ - Remove `NET_BIND_SERVICE` capabilities.
+ - Set `runAsNonRoot` as true.
+
 ## [1.18.1] - 2023-08-30
 ### Fixed
diff --git a/helm/coredns-app/templates/deployment-masters.yaml b/helm/coredns-app/templates/deployment-masters.yaml
index 84ce168a..3dd9c929 100644
--- a/helm/coredns-app/templates/deployment-masters.yaml
+++ b/helm/coredns-app/templates/deployment-masters.yaml
@@ -32,6 +32,9 @@ spec:
 securityContext:
 runAsUser: {{ .Values.userID }}
 runAsGroup: {{ .Values.groupID }}
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
 tolerations:
 - effect: NoSchedule
 operator: "Exists"
@@ -70,10 +73,8 @@ spec:
 securityContext:
 allowPrivilegeEscalation: false
 capabilities:
- add:
- - NET_BIND_SERVICE
 drop:
- - all
+ - ALL
 readOnlyRootFilesystem: true
 volumeMounts:
 - name: config-volume
diff --git a/helm/coredns-app/templates/deployment-workers.yaml b/helm/coredns-app/templates/deployment-workers.yaml
index 884d7de3..7e5322bd 100644
--- a/helm/coredns-app/templates/deployment-workers.yaml
+++ b/helm/coredns-app/templates/deployment-workers.yaml
@@ -31,6 +31,9 @@ spec:
 securityContext:
 runAsUser: {{ .Values.userID }}
 runAsGroup: {{ .Values.groupID }}
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
 tolerations:
 - operator: "Exists"
 key: "node.cloudprovider.kubernetes.io/uninitialized"
@@ -54,10 +57,8 @@ spec:
 securityContext:
 allowPrivilegeEscalation: false
 capabilities:
- add:
- - NET_BIND_SERVICE
 drop:
- - all
+ - ALL
 readOnlyRootFilesystem: true
 volumeMounts:
 - name: config-volume
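Review bot: Removing the `add: [NET_BIND_SERVICE]` block in the second deployment-masters.yaml hunk while the pod now runs with `runAsNonRoot: true` means a container that still binds a port below 1024 (port 53 is the usual CoreDNS default) will fail to listen at startup, because `drop: ALL` removes the capability from the container's bounding set, so not even a file capability on the binary can restore it. The Corefile and listen port are not in this diff, so please confirm that the configured port is unprivileged, or that the nodes lower `net.ipv4.ip_unprivileged_port_start` to cover it, before this ships. The same applies to the identical hunks in deployment-workers.yaml. In the first hunk, `runAsNonRoot: true` combined with `runAsUser: {{ .Values.userID }}` will make the kubelet refuse the pod if `userID` is ever set to 0; a comment on `userID` in values.yaml stating that it must be non-zero, e.g. `# Must be non-zero: the pod sets runAsNonRoot: true`, would make that constraint visible. The pod spec these hunks belong to continues outside the hunk.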
diff --git a/helm/coredns-app/templates/psp.yaml b/helm/coredns-app/templates/psp.yaml
index 59f6d984..9c298772 100644
--- a/helm/coredns-app/templates/psp.yaml
+++ b/helm/coredns-app/templates/psp.yaml
@@ -1,9 +1,11 @@
-{{- if le (int .Capabilities.KubeVersion.Minor) 24 }}
+{{- if and (le (int .Capabilities.KubeVersion.Minor) 24) (not .Values.global.podSecurityStandards.enforced) }}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
 name: {{ .Values.name }}
 namespace: {{ .Values.namespace }}
+ annotations:
+ seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
 labels:
 {{- include "labels.common" . | nindent 4 }}
 spec:
diff --git a/helm/coredns-app/values.schema.json b/helm/coredns-app/values.schema.json
index a023f7c2..b607302c 100644
--- a/helm/coredns-app/values.schema.json
+++ b/helm/coredns-app/values.schema.json
@@ -53,6 +53,19 @@
 }
 }
 },
+ "global": {
+ "type": "object",
+ "properties": {
+ "podSecurityStandards": {
+ "type": "object",
+ "properties": {
+ "enforced": {
+ "type": "boolean"
+ }
+ }
+ }
+ }
+ },
 "groupID": {
 "type": "integer"
 },
diff --git a/helm/coredns-app/values.yaml b/helm/coredns-app/values.yaml
index c6f19b76..9dd43d69 100644
--- a/helm/coredns-app/values.yaml
+++ b/helm/coredns-app/values.yaml
@@ -82,6 +82,11 @@ mastersInstance:
 nodeSelector:
 "node-role.kubernetes.io/control-plane": '""'
+
+global:
+ podSecurityStandards:
+ enforced: false
+
 # Uncomment and define `additionalLocalZones` to add additional local zones to CoreDNS config
 # additionalLocalZones: []
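Review bot: The new `allowedProfileNames: 'runtime/default'` annotation only restricts which profiles the PSP accepts; it does not assign one, so a pod that reaches PSP admission without a seccomp profile (for example on a cluster whose API server does not yet carry `securityContext.seccompProfile` as a field) would be evaluated without one rather than defaulted to `runtime/default`. Adding the companion `seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'` annotation next to it would make the PSP apply the profile itself; please confirm against the PSP seccomp strategy for the oldest minor the chart still supports. The PSP `spec:` is outside this hunk; if it still lists `NET_BIND_SERVICE` under `allowedCapabilities` it can presumably be removed now that the deployments no longer add it, keeping the policy and the workloads consistent.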
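Review bot: The new `global.podSecurityStandards.enforced` key in the values.yaml hunk has no comment explaining what it switches, although psp.yaml now uses it to stop rendering the PodSecurityPolicy that authorizes these pods. On a cluster at minor 24 or below that still runs the PSP admission plugin, setting it to `true` removes that PSP and the CoreDNS pods will be rejected at admission, so the operator needs to know the flag must only be flipped once Pod Security Admission has replaced PSP. I would add above `global:` a comment such as `# Set enforced to true only on clusters where Pod Security Admission (PSS) is active and the PSP admission plugin is disabled; it stops rendering the PodSecurityPolicy these pods rely on.`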