diff --git a/.changelog/2909.txt b/.changelog/2909.txt
new file mode 100644
index 0000000000..cae7f44d45
--- /dev/null
+++ b/.changelog/2909.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+helm: Add readOnlyRootFilesystem to the default restricted security context when runnning `consul-k8s` in a restricted namespaces.
+```
\ No newline at end of file
diff --git a/charts/consul/templates/_helpers.tpl b/charts/consul/templates/_helpers.tpl
index 368d4d2f9a..c3d9c36402 100644
--- a/charts/consul/templates/_helpers.tpl
+++ b/charts/consul/templates/_helpers.tpl
@@ -19,6 +19,7 @@ as well as the global.name setting.
 {{- if not .Values.global.enablePodSecurityPolicies -}}
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 capabilities:
 drop:
 - ALL
diff --git a/charts/consul/templates/ingress-gateways-deployment.yaml b/charts/consul/templates/ingress-gateways-deployment.yaml
index 508ab64eff..4c7aa2142c 100644
--- a/charts/consul/templates/ingress-gateways-deployment.yaml
+++ b/charts/consul/templates/ingress-gateways-deployment.yaml
@@ -160,6 +160,9 @@ spec:
 terminationGracePeriodSeconds: {{ default $defaults.terminationGracePeriodSeconds .terminationGracePeriodSeconds }}
 serviceAccountName: {{ template "consul.fullname" $root }}-{{ .name }}
 volumes:
+ - name: tmp
+ emptyDir:
+ medium: "Memory"
 - name: consul-service
 emptyDir:
 medium: "Memory"
@@ -221,6 +224,8 @@ spec:
 -log-level={{ default $root.Values.global.logLevel $root.Values.ingressGateways.logLevel }} \
 -log-json={{ $root.Values.global.logJSON }}
 volumeMounts:
+ - name: tmp
+ mountPath: /tmp
 - name: consul-service
 mountPath: /consul/service
 {{- if $root.Values.global.tls.enabled }}
@@ -245,6 +250,8 @@ spec:
 resources: {{ toYaml (default $defaults.resources .resources) | nindent 10 }}
 {{- end }}
 volumeMounts:
+ - name: tmp
+ mountPath: /tmp
 - name: consul-service
 mountPath: /consul/service
 readOnly: true
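Review bot: The `readOnlyRootFilesystem: true` line added to `consul.restrictedSecurityContext` applies to every container that includes the helper, but this diff only provisions a writable `/tmp` for the ingress and terminating gateway deployments and the server StatefulSet. Any other template that includes the helper and whose process writes outside a mounted volume would start failing with a read-only filesystem error at runtime rather than at template time, so the remaining consumers of the helper are worth auditing before this lands. If the helper has an `else` branch for the PodSecurityPolicy case, it is outside the hunk, so whether that branch gets the same setting is not visible here. A comment above the new line would help future readers of the helper, e.g. `# Containers using this context must mount a writable volume (typically an emptyDir at /tmp) for any path they write to.`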
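Review bot: The new `tmp` volume in the ingress-gateways hunk at line 160 uses `medium: "Memory"` with no `sizeLimit`, so anything the gateway containers write under `/tmp` is charged against the pod's memory and, under a memory limit, can get the pod OOM-killed rather than hitting a disk-full error; the terminating-gateways hunk at line 129 has the same shape. This mirrors the existing `consul-service` volume, but `/tmp` is a general scratch directory and harder to bound than a service-registration file. Consider adding `sizeLimit:` to the emptyDir (the value is a deployment decision) or using a disk-backed `emptyDir: {}` as the server StatefulSet hunk in this diff already does. The enclosing pod spec starts and ends outside the hunk.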
diff --git a/charts/consul/templates/server-statefulset.yaml b/charts/consul/templates/server-statefulset.yaml
index 2b25182b96..7e6d5789a9 100644
--- a/charts/consul/templates/server-statefulset.yaml
+++ b/charts/consul/templates/server-statefulset.yaml
@@ -226,6 +226,8 @@ spec:
 {{- toYaml .Values.server.securityContext | nindent 8 }}
 {{- end }}
 volumes:
+ - name: tmp
+ emptyDir: {}
 - name: config
 configMap:
 name: {{ template "consul.fullname" . }}-server-config
@@ -562,6 +564,9 @@ spec:
 mountPath: /trusted-cas
 readOnly: false
 {{- end }}
+ - name: tmp
+ mountPath: /tmp
+ readOnly: false
 ports:
 {{- if (or (not .Values.global.tls.enabled) (not .Values.global.tls.httpsOnly)) }}
 - name: http
diff --git a/charts/consul/templates/terminating-gateways-deployment.yaml b/charts/consul/templates/terminating-gateways-deployment.yaml
index 9afe938e56..b4a239308a 100644
--- a/charts/consul/templates/terminating-gateways-deployment.yaml
+++ b/charts/consul/templates/terminating-gateways-deployment.yaml
@@ -129,6 +129,9 @@ spec:
 terminationGracePeriodSeconds: 10
 serviceAccountName: {{ template "consul.fullname" $root }}-{{ .name }}
 volumes:
+ - name: tmp
+ emptyDir:
+ medium: "Memory"
 - name: consul-service
 emptyDir:
 medium: "Memory"
@@ -206,6 +209,8 @@ spec:
 -log-level={{ default $root.Values.global.logLevel $root.Values.terminatingGateways.logLevel }} \
 -log-json={{ $root.Values.global.logJSON }}
 volumeMounts:
+ - name: tmp
+ mountPath: /tmp
 - name: consul-service
 mountPath: /consul/service
 {{- if $root.Values.global.tls.enabled }}
@@ -227,6 +232,8 @@ spec:
 image: {{ $root.Values.global.imageConsulDataplane | quote }}
 {{- include "consul.restrictedSecurityContext" $ | nindent 10 }}
 volumeMounts:
+ - name: tmp
+ mountPath: /tmp
 - name: consul-service
 mountPath: /consul/service
 readOnly: true
diff --git a/charts/consul/test/unit/server-statefulset.bats b/charts/consul/test/unit/server-statefulset.bats
index afe946e7b3..7d55518886 100755
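Review bot: The server's `tmp` mount in the hunk at line 562 carries an explicit `readOnly: false` and is backed by a disk `emptyDir: {}`, while the gateway hunks in this diff use a Memory-backed emptyDir and omit `readOnly`, so the three templates now express the same intent in three slightly different forms. `readOnly: false` is the Kubernetes default, so dropping it (or adding it everywhere) would make the `/tmp` pattern consistent and easy to grep for across the chart. The mount is added only to the one container whose `volumeMounts` list this hunk touches; if the server pod has other containers or init containers that include `consul.restrictedSecurityContext` and write to disk, they would need the same mount, which cannot be determined from this hunk. The enclosing container spec starts and ends outside the hunk.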
--- a/charts/consul/test/unit/server-statefulset.bats
+++ b/charts/consul/test/unit/server-statefulset.bats
@@ -1385,6 +1385,7 @@ load _helpers
 "drop": ["ALL"],
 "add": ["NET_BIND_SERVICE"]
 },
+ "readOnlyRootFilesystem": true,
 "runAsNonRoot": true,
 "seccompProfile": {
 "type": "RuntimeDefault"
@@ -1417,6 +1418,7 @@ load _helpers
 "drop": ["ALL"],
 "add": ["NET_BIND_SERVICE"]
 },
+ "readOnlyRootFilesystem": true,
 "runAsNonRoot": true,
 "seccompProfile": {
 "type": "RuntimeDefault"
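Review bot: The updated expectations at lines 1385 and 1417 only pin `readOnlyRootFilesystem` in the server's rendered securityContext; nothing in this diff asserts that the new `tmp` volume and `/tmp` mount are rendered for the server StatefulSet or for the ingress and terminating gateway deployments, so a later change that drops the mount would pass these tests while the container fails at runtime against a read-only root. Unless such checks already exist in the gateway bats files outside this diff, an assertion in each template's test that the rendered `volumes` list contains an entry named `tmp` and that the container's `volumeMounts` contains `mountPath: /tmp` would close that gap. The enclosing bats test functions begin outside the hunk.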