Merge pull request #121 from abnamro/2389377-fix-critical-findings-from-kubeaudit

amrityamrout · web-flow · commit 4d8517f981bd · 2023-06-27T15:35:07.000+02:00
2389377 fix critical findings from kube-audit and datree scan
diff --git a/components/resc-backend/Dockerfile b/components/resc-backend/Dockerfile
@@ -4,6 +4,9 @@ ARG NAME="resc_backend"
 ARG DESCRIPTION="Repository Scanner Backend"
 ARG VERSION=${VERSION}
 ARG RUN_AS_USER="apiuser"
+ARG RUN_AS_GROUP="apiuser"
+ARG UID=10001
+ARG GID=10002
 
 RUN apk -U upgrade \
 && apk add --no-cache curl git nginx build-base linux-headers \
@@ -24,8 +27,9 @@ RUN mkdir /resc_backend
 
 COPY ./ /resc_backend
 
-RUN addgroup -S $RUN_AS_USER && adduser -S $RUN_AS_USER -g "$RUN_AS_USER" \
-&& chown -R $RUN_AS_USER:$RUN_AS_USER ./resc_backend
+RUN addgroup -g $GID $RUN_AS_GROUP \
+&& adduser -D -u $UID -G $RUN_AS_GROUP $RUN_AS_USER \
+&& chown -R $RUN_AS_USER:$RUN_AS_GROUP ./resc_backend
 
 USER $RUN_AS_USER
 ENV PATH=$PATH:/home/apiuser/.local/bin
diff --git a/components/resc-vcs-scanner/Dockerfile b/components/resc-vcs-scanner/Dockerfile
@@ -4,6 +4,9 @@ ARG NAME="resc-vcs-scanner"
 ARG DESCRIPTION="RESC Version Control System Scanner"
 ARG VERSION=${VERSION}
 ARG RUN_AS_USER="apiuser"
+ARG RUN_AS_GROUP="apiuser"
+ARG UID=10001
+ARG GID=10002
 
 RUN apk -U upgrade \
 && apk add --no-cache git \
@@ -13,12 +16,13 @@ RUN mkdir /resc_backend && mkdir /vcs_scanner
 
 COPY ./resc-backend /resc_backend
 
-RUN addgroup -S $RUN_AS_USER && adduser -S $RUN_AS_USER -g "$RUN_AS_USER" \
-&& chown -R $RUN_AS_USER:$RUN_AS_USER ./resc_backend
+RUN addgroup -g $GID $RUN_AS_GROUP \
+&& adduser -D -u $UID -G $RUN_AS_GROUP $RUN_AS_USER \
+&& chown -R $RUN_AS_USER:$RUN_AS_GROUP ./resc_backend
 
 COPY ./resc-vcs-scanner /vcs_scanner
 
-RUN chown -R $RUN_AS_USER:$RUN_AS_USER ./vcs_scanner \
+RUN chown -R $RUN_AS_USER:$RUN_AS_GROUP ./vcs_scanner \
 && chmod +x ./vcs_scanner/gitleaks_config/seco-gitleaks-linux-amd64
 
 USER $RUN_AS_USER
diff --git a/components/resc-vcs-scraper/Dockerfile b/components/resc-vcs-scraper/Dockerfile
@@ -4,15 +4,19 @@ ARG NAME="resc-vcs-scraper"
 ARG DESCRIPTION="Version Control Systems Scraper"
 ARG VERSION=${VERSION}
 ARG RUN_AS_USER="apiuser"
+ARG RUN_AS_GROUP="apiuser"
+ARG UID=10001
+ARG GID=10002
 
 RUN apk -U upgrade \
 && apk add --no-cache --virtual .build-deps pcre-dev gcc musl-dev python3-dev libffi-dev openssl-dev \
 && mkdir /vcs-scraper
 
 COPY ./ /vcs-scraper
 
-RUN addgroup -S $RUN_AS_USER && adduser -S $RUN_AS_USER -g "$RUN_AS_USER" \
-&& chown -R $RUN_AS_USER:$RUN_AS_USER ./vcs-scraper
+RUN addgroup -g $GID $RUN_AS_GROUP \
+&& adduser -D -u $UID -G $RUN_AS_GROUP $RUN_AS_USER \
+&& chown -R $RUN_AS_USER:$RUN_AS_GROUP ./vcs-scraper
 
 USER $RUN_AS_USER
 
diff --git a/deployment/kubernetes/charts/resc-database-init/templates/database_job.yaml b/deployment/kubernetes/charts/resc-database-init/templates/database_job.yaml
@@ -7,6 +7,8 @@ spec:
   ttlSecondsAfterFinished: 600
   template:
     metadata:
+      annotations:
+        container.apparmor.security.beta.kubernetes.io/resc-db-init: unconfined
       labels:
         {{ if .Values.additionalLabels }}
         {{- range $key, $val := .Values.additionalLabels }}    
@@ -15,6 +17,8 @@ spec:
         {{ end }}
         app: {{ .Values.global.appName }}
         tier: database
+        kubeaudit.io/allow-disabled-apparmor: "apparmor-needs-to-be-installed-on-host"
+        kubeaudit.io/allow-read-only-root-filesystem-false: "required-to-write-log-files"
     spec:
       {{ if .Values.global.serviceAccountName }}
       serviceAccountName: {{ .Values.global.serviceAccountName }}
@@ -41,6 +45,17 @@ spec:
             - name: config-volume
               mountPath: /tmp/odbc.ini
               subPath: odbc.ini
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: false
+            privileged: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
+            runAsNonRoot: true
+            runAsUser: 10001
       volumes:
         - name: config-volume
           configMap:
@@ -50,4 +65,5 @@ spec:
       imagePullSecrets:
         - name: {{ .Values.global.imagePullSecret }}
       {{ end }}
+      automountServiceAccountToken: false
   backoffLimit: {{ .Values.backoffLimit }}
diff --git a/deployment/kubernetes/charts/resc-database/templates/database_deployment.yaml b/deployment/kubernetes/charts/resc-database/templates/database_deployment.yaml
@@ -12,9 +12,14 @@ spec:
   replicas: 1
   template:
     metadata:
+      annotations:
+        container.apparmor.security.beta.kubernetes.io/resc-db: unconfined
       labels:
         app: {{ .Values.global.appName }}
         tier: ms-database
+        kubeaudit.io/allow-disabled-apparmor: "apparmor-needs-to-be-installed-on-host"
+        kubeaudit.io/allow-capability-net-bind-service: "required-by-sqlserver-to-bind-the-default-MSDTC-RPC-on-port-135"
+        kubeaudit.io/allow-read-only-root-filesystem-false: "required-to-write-database-files"
     spec:
       volumes:
         - name: {{ .Values.global.appName }}-database-pv-storage
@@ -28,6 +33,9 @@ spec:
             requests:
               cpu: {{ .Values.database.resources.requests.cpu }}
               memory: {{ .Values.database.resources.requests.memory }}
+            limits:
+              cpu: {{ .Values.database.resources.limits.cpu }}
+              memory: {{ .Values.database.resources.limits.memory }}
           env:
             - name: GET_HOSTS_FROM
               value: dns
@@ -41,4 +49,23 @@ spec:
               name: {{ .Values.global.appName }}-database-pv-storage
           ports:
             - containerPort: {{ .Values.database.port }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: false
+            privileged: false
+            capabilities:
+              drop:
+                - ALL
+              add:
+              - NET_BIND_SERVICE
+            runAsNonRoot: true
+            runAsUser: 10001
+            seccompProfile:
+              type: RuntimeDefault
+          readinessProbe:
+            initialDelaySeconds: 15
+            periodSeconds: 300
+            tcpSocket:
+              port: {{ .Values.database.port }}
+      automountServiceAccountToken: false
 {{ end }}
diff --git a/deployment/kubernetes/charts/resc-database/values.yaml b/deployment/kubernetes/charts/resc-database/values.yaml
@@ -11,5 +11,8 @@ database:
     requests:
       cpu: 200m
       memory: 500M
+    limits:
+      cpu: "2"
+      memory: 2G
   pvc_path: "/var/resc/mssql/data"
   pvc_size: 10Gi
diff --git a/deployment/kubernetes/charts/resc-frontend/templates/frontend_deployment.yaml b/deployment/kubernetes/charts/resc-frontend/templates/frontend_deployment.yaml
@@ -13,9 +13,12 @@ spec:
     metadata:
       annotations:
         rollme: {{ randAlphaNum 5 | quote }}
+        container.apparmor.security.beta.kubernetes.io/resc-frontend: unconfined
       labels:
         app: {{ .Values.global.appName }}
         tier: frontend
+        kubeaudit.io/allow-disabled-apparmor: "apparmor-needs-to-be-installed-on-host"
+        kubeaudit.io/allow-read-only-root-filesystem-false: "required-to-write-log-files"
     spec:
       containers:
         - name: {{ .Values.global.appName }}-frontend
@@ -36,7 +39,19 @@ spec:
                 name: {{ .Values.global.appName }}-frontend-config
           ports:
             - containerPort: {{ .Values.port }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: false
+            privileged: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
+            runAsNonRoot: true
+            runAsUser: 101
       {{ if .Values.global.imagePullSecret }}
       imagePullSecrets:
         - name: {{ .Values.global.imagePullSecret }}
-      {{ end }}
+      {{ end }}
+      automountServiceAccountToken: false
diff --git a/deployment/kubernetes/charts/resc-rabbitmq/templates/rabbitmq_job.yaml b/deployment/kubernetes/charts/resc-rabbitmq/templates/rabbitmq_job.yaml
@@ -11,6 +11,10 @@ spec:
         {{- with include "resc.mqInitAnnotations" .}}
           {{- nindent 8 .}}
         {{- end }}
+        container.apparmor.security.beta.kubernetes.io/resc-mq-init: unconfined
+      labels:
+        kubeaudit.io/allow-disabled-apparmor: "apparmor-needs-to-be-installed-on-host"
+        kubeaudit.io/allow-read-only-root-filesystem-false: "required-to-write-log-files"
     spec:
       {{ if .Values.global.serviceAccountName }}
       serviceAccountName: {{ .Values.global.serviceAccountName }}
@@ -37,9 +41,25 @@ spec:
             - secretRef:
                 name: {{ .Values.global.appName }}-rabbitmq-admin-secret
             {{ end }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: false
+            privileged: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
+            runAsNonRoot: true
+            runAsUser: 10001
       restartPolicy: {{ .Values.mqInit.restartPolicy }}
       {{ if .Values.global.imagePullSecret }}
       imagePullSecrets:
         - name: {{ .Values.global.imagePullSecret }}
       {{ end }}
+      {{ if .Values.global.serviceAccountName }}
+      automountServiceAccountToken: true
+      {{ else }}
+      automountServiceAccountToken: false
+      {{ end }}
   backoffLimit: {{ .Values.mqInit.backoffLimit }}
diff --git a/deployment/kubernetes/charts/resc-rabbitmq/templates/rabbitmq_statefulset.yaml b/deployment/kubernetes/charts/resc-rabbitmq/templates/rabbitmq_statefulset.yaml
@@ -15,11 +15,16 @@ spec:
       labels:
         app: {{ .Values.global.appName }}
         tier: rabbitmq
+        kubeaudit.io/allow-disabled-apparmor: "apparmor-needs-to-be-installed-on-host"
+        kubeaudit.io/allow-read-only-root-filesystem-false: "required-to-write-log-files"
+        kubeaudit.io/allow-capability-setgid: "required-by-raabitmq-to-set-group-identitys"
+        kubeaudit.io/allow-capability-setuid: "required-by-raabitmq-to-set-user-identity"
       annotations:
         rollme: {{ randAlphaNum 5 | quote }}
         {{- with include "resc.mqAnnotations" .}}
           {{- nindent 8 .}}
         {{- end }}
+        container.apparmor.security.beta.kubernetes.io/resc-mq: unconfined
     spec:
       {{ if .Values.global.serviceAccountName }}
       serviceAccountName: {{ .Values.global.serviceAccountName }}
@@ -63,7 +68,37 @@ spec:
             - mountPath: "/var/lib/rabbitmq/mnesia"
               subPath: "var/lib/rabbitmq/mnesia"
               name: {{ .Values.global.appName }}-mq-pv-storage
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: false
+            privileged: false
+            capabilities:
+              drop:
+                - ALL
+              add:
+              - SETGID
+              - SETUID
+            seccompProfile:
+              type: RuntimeDefault
+            runAsNonRoot: true
+            runAsUser: 10001
+          {{ if eq .Values.useKubernetesSecret "true"}}
+          readinessProbe:
+            initialDelaySeconds: 15
+            periodSeconds: 300
+            httpGet:
+              path: /api/health/checks/alarms
+              port: {{ .Values.rabbitMQ.config.mgmtPort}}
+              httpHeaders:
+                - name: Authorization
+                  value: Basic {{ printf "%s:%s" .Values.rabbitMQ.config.admin_username .Values.rabbitMQ.config.admin_password | b64enc }}
+          {{ end }}
       {{ if .Values.global.imagePullSecret_proxy }}
       imagePullSecrets:
         - name: {{ .Values.global.imagePullSecret_proxy }}
       {{ end }}
+      {{ if .Values.global.serviceAccountName }}
+      automountServiceAccountToken: true
+      {{ else }}
+      automountServiceAccountToken: false
+      {{ end }}
diff --git a/deployment/kubernetes/charts/resc-rules-init/templates/rules_job.yaml b/deployment/kubernetes/charts/resc-rules-init/templates/rules_job.yaml
@@ -9,9 +9,13 @@ spec:
   ttlSecondsAfterFinished: 600
   template:
     metadata:
+      annotations:
+        container.apparmor.security.beta.kubernetes.io/resc-rules-init: unconfined
       labels:
         app: {{ .Values.global.appName }}
         tier: database
+        kubeaudit.io/allow-disabled-apparmor: "apparmor-needs-to-be-installed-on-host"
+        kubeaudit.io/allow-read-only-root-filesystem-false: "required-to-write-log-files"
     spec:
       {{ if .Values.serviceAccountName }}
       serviceAccountName: {{ .Values.global.serviceAccountName }}
@@ -35,6 +39,17 @@ spec:
           volumeMounts:
             - name: config-volume
               mountPath: /tmp/
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: false
+            privileged: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
+            runAsNonRoot: true
+            runAsUser: 10001
       volumes:
         - name: config-volume
           configMap:
@@ -44,4 +59,9 @@ spec:
       imagePullSecrets:
         - name: {{ .Values.global.imagePullSecret }}
       {{ end }}
+      {{ if .Values.global.serviceAccountName }}
+      automountServiceAccountToken: true
+      {{ else }}
+      automountServiceAccountToken: false
+      {{ end }}
   backoffLimit: {{ .Values.backoffLimit }}
diff --git a/deployment/kubernetes/charts/resc-vcs-scanner-secrets/templates/vcs_scanner_secrets_deployment.yaml b/deployment/kubernetes/charts/resc-vcs-scanner-secrets/templates/vcs_scanner_secrets_deployment.yaml
@@ -12,11 +12,14 @@ spec:
     metadata:
       labels:
         tier: {{ .Values.global.appName }}-vcs-scanner-secrets
+        kubeaudit.io/allow-disabled-apparmor: "apparmor-needs-to-be-installed-on-host"
+        kubeaudit.io/allow-read-only-root-filesystem-false: "required-to-write-log-files"
       annotations:
         rollme: {{ randAlphaNum 5 | quote }}
         {{- with include "resc.vcsScannerSecretsAnnotations" .}}
           {{- nindent 8 .}}
         {{- end }}
+        container.apparmor.security.beta.kubernetes.io/resc--vcs-scanner-secrets: unconfined
     spec:
       {{ if .Values.global.serviceAccountName }}
       serviceAccountName: {{ .Values.global.serviceAccountName }}
@@ -52,6 +55,17 @@ spec:
         env:
           - name: GET_HOSTS_FROM
             value: dns
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: false
+          privileged: false
+          capabilities:
+            drop:
+              - ALL
+          seccompProfile:
+              type: RuntimeDefault
+          runAsNonRoot: true
+          runAsUser: 10001
       volumes:
         - name: config-volume
           configMap:
@@ -61,3 +75,8 @@ spec:
       imagePullSecrets:
         - name: {{ .Values.global.imagePullSecret }}
       {{ end }}
+      {{ if .Values.global.serviceAccountName }}
+      automountServiceAccountToken: true
+      {{ else }}
+      automountServiceAccountToken: false
+      {{ end }}
diff --git a/deployment/kubernetes/charts/resc-vcs-scraper-projects/templates/vcs_scraper_projects_cron_job.yaml b/deployment/kubernetes/charts/resc-vcs-scraper-projects/templates/vcs_scraper_projects_cron_job.yaml
diff --git a/deployment/kubernetes/charts/resc-vcs-scraper-repositories/templates/vcs_scraper_repositories_deployment.yaml b/deployment/kubernetes/charts/resc-vcs-scraper-repositories/templates/vcs_scraper_repositories_deployment.yaml
diff --git a/deployment/kubernetes/templates/web_service_deployment.tpl b/deployment/kubernetes/templates/web_service_deployment.tpl
