2389377 fix critical findings from kube-audit and datree scan #121

Merged
merged 1 commit into from
Jun 27, 2023
Merged
8 changes: 6 additions & 2 deletions components/resc-backend/Dockerfile
Expand Up @@ -4,6 +4,9 @@ ARG NAME="resc_backend"
ARG DESCRIPTION="Repository Scanner Backend"
ARG VERSION=${VERSION}
ARG RUN_AS_USER="apiuser"
ARG RUN_AS_GROUP="apiuser"
ARG UID=10001
ARG GID=10002

RUN apk -U upgrade \
&& apk add --no-cache curl git nginx build-base linux-headers \
Expand All @@ -24,8 +27,9 @@ RUN mkdir /resc_backend

COPY ./ /resc_backend

RUN addgroup -S $RUN_AS_USER && adduser -S $RUN_AS_USER -g "$RUN_AS_USER" \
&& chown -R $RUN_AS_USER:$RUN_AS_USER ./resc_backend
RUN addgroup -g $GID $RUN_AS_GROUP \
&& adduser -D -u $UID -G $RUN_AS_GROUP $RUN_AS_USER \
&& chown -R $RUN_AS_USER:$RUN_AS_GROUP ./resc_backend

USER $RUN_AS_USER
ENV PATH=$PATH:/home/apiuser/.local/bin
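Review bot: The rewritten `chown -R $RUN_AS_USER:$RUN_AS_GROUP ./resc_backend` still hands ownership of the whole application tree to the account the service runs as, so a process compromised at runtime can rewrite its own code and config in place. Unless a later step needs to write into that tree (the charts only cite log files, which I cannot verify from here), keep the sources root-owned and group-readable, e.g. `chown -R root:$RUN_AS_GROUP ./resc_backend`, and chown only the directories that must be writable. The `UID=10001` default is also what the charts hard-code as `runAsUser`, so a `--build-arg UID=...` override would silently break that pairing; a comment on the ARG line such as `# must match runAsUser in deployment/kubernetes/charts` would record the contract.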
10 changes: 7 additions & 3 deletions components/resc-vcs-scanner/Dockerfile
Expand Up @@ -4,6 +4,9 @@ ARG NAME="resc-vcs-scanner"
ARG DESCRIPTION="RESC Version Control System Scanner"
ARG VERSION=${VERSION}
ARG RUN_AS_USER="apiuser"
ARG RUN_AS_GROUP="apiuser"
ARG UID=10001
ARG GID=10002

RUN apk -U upgrade \
&& apk add --no-cache git \
Expand All @@ -13,12 +16,13 @@ RUN mkdir /resc_backend && mkdir /vcs_scanner

COPY ./resc-backend /resc_backend

RUN addgroup -S $RUN_AS_USER && adduser -S $RUN_AS_USER -g "$RUN_AS_USER" \
&& chown -R $RUN_AS_USER:$RUN_AS_USER ./resc_backend
RUN addgroup -g $GID $RUN_AS_GROUP \
&& adduser -D -u $UID -G $RUN_AS_GROUP $RUN_AS_USER \
&& chown -R $RUN_AS_USER:$RUN_AS_GROUP ./resc_backend

COPY ./resc-vcs-scanner /vcs_scanner

RUN chown -R $RUN_AS_USER:$RUN_AS_USER ./vcs_scanner \
RUN chown -R $RUN_AS_USER:$RUN_AS_GROUP ./vcs_scanner \
&& chmod +x ./vcs_scanner/gitleaks_config/seco-gitleaks-linux-amd64

USER $RUN_AS_USER
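Review bot: `chown -R $RUN_AS_USER:$RUN_AS_GROUP ./vcs_scanner` followed by `chmod +x` leaves the vendored `seco-gitleaks-linux-amd64` binary owned and writable by the same user that executes it, so anything that gains code execution in the scanner can replace the scanner binary itself. Prefer `chown -R root:$RUN_AS_GROUP ./vcs_scanner && chmod 0755 ./vcs_scanner/gitleaks_config/seco-gitleaks-linux-amd64` so the runtime user can execute but not modify it. Because the binary is checked into the repository rather than downloaded, a build-time `sha256sum -c` against a pinned digest would give the image a supply-chain check; I can't see from this hunk whether one exists elsewhere in the build.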
8 changes: 6 additions & 2 deletions components/resc-vcs-scraper/Dockerfile
Expand Up @@ -4,15 +4,19 @@ ARG NAME="resc-vcs-scraper"
ARG DESCRIPTION="Version Control Systems Scraper"
ARG VERSION=${VERSION}
ARG RUN_AS_USER="apiuser"
ARG RUN_AS_GROUP="apiuser"
ARG UID=10001
ARG GID=10002

RUN apk -U upgrade \
&& apk add --no-cache --virtual .build-deps pcre-dev gcc musl-dev python3-dev libffi-dev openssl-dev \
&& mkdir /vcs-scraper

COPY ./ /vcs-scraper

RUN addgroup -S $RUN_AS_USER && adduser -S $RUN_AS_USER -g "$RUN_AS_USER" \
&& chown -R $RUN_AS_USER:$RUN_AS_USER ./vcs-scraper
RUN addgroup -g $GID $RUN_AS_GROUP \
&& adduser -D -u $UID -G $RUN_AS_GROUP $RUN_AS_USER \
&& chown -R $RUN_AS_USER:$RUN_AS_GROUP ./vcs-scraper

USER $RUN_AS_USER

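Review bot: The new `ARG UID=10001` / `ARG GID=10002` defaults are a contract with the Helm charts, which pin `runAsUser: 10001` but set no `runAsGroup`, and nothing in the Dockerfile records that coupling. I'd add `# UID/GID must stay in sync with runAsUser/runAsGroup in deployment/kubernetes/charts` above the ARG lines, and have the charts set `runAsGroup: 10002` explicitly so the process's group does not depend on the runtime resolving it from the image's /etc/passwd. As in the other two Dockerfiles, the `chown -R` to the runtime user makes the scraper's own sources writable by the account that executes them; root ownership with group read is the tighter default unless a later step needs write access.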
Expand Up @@ -7,6 +7,8 @@ spec:
ttlSecondsAfterFinished: 600
template:
metadata:
annotations:
container.apparmor.security.beta.kubernetes.io/resc-db-init: unconfined
labels:
{{ if .Values.additionalLabels }}
{{- range $key, $val := .Values.additionalLabels }}
Expand All @@ -15,6 +17,8 @@ spec:
{{ end }}
app: {{ .Values.global.appName }}
tier: database
kubeaudit.io/allow-disabled-apparmor: "apparmor-needs-to-be-installed-on-host"
kubeaudit.io/allow-read-only-root-filesystem-false: "required-to-write-log-files"
spec:
{{ if .Values.global.serviceAccountName }}
serviceAccountName: {{ .Values.global.serviceAccountName }}
Expand All @@ -41,6 +45,17 @@ spec:
- name: config-volume
mountPath: /tmp/odbc.ini
subPath: odbc.ini
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: false
privileged: false
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
runAsNonRoot: true
runAsUser: 10001
volumes:
- name: config-volume
configMap:
Expand All @@ -50,4 +65,5 @@ spec:
imagePullSecrets:
- name: {{ .Values.global.imagePullSecret }}
{{ end }}
automountServiceAccountToken: false
backoffLimit: {{ .Values.backoffLimit }}
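Review bot: Hard-coding `container.apparmor.security.beta.kubernetes.io/resc-db-init: unconfined` is a regression on clusters that do have AppArmor: with no annotation the runtime's default profile is applied, whereas `unconfined` explicitly switches it off, and the `kubeaudit.io/allow-disabled-apparmor` label then hides that. I take it from the label value that `runtime/default` got the pod rejected on hosts without AppArmor (as far as I recall the kubelet only skips host validation for `unconfined`), but the safer shape is to omit the annotation on such hosts and template it from a value elsewhere, e.g. `{{- if .Values.global.apparmorProfile }}` around a `...: {{ .Values.global.apparmorProfile }}` line, with the documented default being `runtime/default`; the same pattern recurs in every template in this PR. The annotation key also hard-codes a `resc-` container-name prefix while other names in these charts are built from `.Values.global.appName`; if this container's name is templated the same way, a changed appName makes the API server reject the pod for an AppArmor annotation naming an unknown container, so the key should be templated too.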
Expand Up @@ -12,9 +12,14 @@ spec:
replicas: 1
template:
metadata:
annotations:
container.apparmor.security.beta.kubernetes.io/resc-db: unconfined
labels:
app: {{ .Values.global.appName }}
tier: ms-database
kubeaudit.io/allow-disabled-apparmor: "apparmor-needs-to-be-installed-on-host"
kubeaudit.io/allow-capability-net-bind-service: "required-by-sqlserver-to-bind-the-default-MSDTC-RPC-on-port-135"
kubeaudit.io/allow-read-only-root-filesystem-false: "required-to-write-database-files"
spec:
volumes:
- name: {{ .Values.global.appName }}-database-pv-storage
Expand All @@ -28,6 +33,9 @@ spec:
requests:
cpu: {{ .Values.database.resources.requests.cpu }}
memory: {{ .Values.database.resources.requests.memory }}
limits:
cpu: {{ .Values.database.resources.limits.cpu }}
memory: {{ .Values.database.resources.limits.memory }}
env:
- name: GET_HOSTS_FROM
value: dns
Expand All @@ -41,4 +49,23 @@ spec:
name: {{ .Values.global.appName }}-database-pv-storage
ports:
- containerPort: {{ .Values.database.port }}
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: false
privileged: false
capabilities:
drop:
- ALL
add:
- NET_BIND_SERVICE
runAsNonRoot: true
runAsUser: 10001
seccompProfile:
type: RuntimeDefault
readinessProbe:
initialDelaySeconds: 15
periodSeconds: 300
tcpSocket:
port: {{ .Values.database.port }}
automountServiceAccountToken: false
{{ end }}
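Review bot: `NET_BIND_SERVICE` is added back to a container that otherwise drops all capabilities, justified by the MSDTC/RPC listener on 135, yet the only port this spec exposes is `{{ .Values.database.port }}`. If distributed transactions are not used, leave the capability dropped; if they are, the privileged-port boundary can be lowered for just this pod with the safe sysctl `sysctls: [{name: net.ipv4.ip_unprivileged_port_start, value: "0"}]` in the pod-level securityContext, which keeps the container's capability set empty. The new `readinessProbe` with `periodSeconds: 300` also means a wedged SQL Server stays in the Service endpoints for up to five minutes; 10-30s is the usual range for a TCP probe.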
3 changes: 3 additions & 0 deletions deployment/kubernetes/charts/resc-database/values.yaml
Expand Up @@ -11,5 +11,8 @@ database:
requests:
cpu: 200m
memory: 500M
limits:
cpu: "2"
memory: 2G
pvc_path: "/var/resc/mssql/data"
pvc_size: 10Gi
Expand Up @@ -13,9 +13,12 @@ spec:
metadata:
annotations:
rollme: {{ randAlphaNum 5 | quote }}
container.apparmor.security.beta.kubernetes.io/resc-frontend: unconfined
labels:
app: {{ .Values.global.appName }}
tier: frontend
kubeaudit.io/allow-disabled-apparmor: "apparmor-needs-to-be-installed-on-host"
kubeaudit.io/allow-read-only-root-filesystem-false: "required-to-write-log-files"
spec:
containers:
- name: {{ .Values.global.appName }}-frontend
Expand All @@ -36,7 +39,19 @@ spec:
name: {{ .Values.global.appName }}-frontend-config
ports:
- containerPort: {{ .Values.port }}
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: false
privileged: false
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
runAsNonRoot: true
runAsUser: 101
{{ if .Values.global.imagePullSecret }}
imagePullSecrets:
- name: {{ .Values.global.imagePullSecret }}
{{ end }}
{{ end }}
automountServiceAccountToken: false
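Review bot: `automountServiceAccountToken: false` is added after the `{{ end }}` on the previous line, which appears to close the template's outer conditional (the only `{{ if` opened inside this hunk is the `imagePullSecret` one, closed on the line before). If that is the outer guard, the line is rendered even when the rest of the Deployment is not, producing a stray key at document level, and when the guard is true its indentation decides whether it lands in `spec.template.spec` at all. The database template in this same PR places the line before its final `{{ end }}`, which is the shape I'd expect here; please confirm with `helm template` that the rendered pod spec actually contains the field.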
Expand Up @@ -11,6 +11,10 @@ spec:
{{- with include "resc.mqInitAnnotations" .}}
{{- nindent 8 .}}
{{- end }}
container.apparmor.security.beta.kubernetes.io/resc-mq-init: unconfined
labels:
kubeaudit.io/allow-disabled-apparmor: "apparmor-needs-to-be-installed-on-host"
kubeaudit.io/allow-read-only-root-filesystem-false: "required-to-write-log-files"
spec:
{{ if .Values.global.serviceAccountName }}
serviceAccountName: {{ .Values.global.serviceAccountName }}
Expand All @@ -37,9 +41,25 @@ spec:
- secretRef:
name: {{ .Values.global.appName }}-rabbitmq-admin-secret
{{ end }}
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: false
privileged: false
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
runAsNonRoot: true
runAsUser: 10001
restartPolicy: {{ .Values.mqInit.restartPolicy }}
{{ if .Values.global.imagePullSecret }}
imagePullSecrets:
- name: {{ .Values.global.imagePullSecret }}
{{ end }}
{{ if .Values.global.serviceAccountName }}
automountServiceAccountToken: true
{{ else }}
automountServiceAccountToken: false
{{ end }}
backoffLimit: {{ .Values.mqInit.backoffLimit }}
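Review bot: The new `{{ if .Values.global.serviceAccountName }} automountServiceAccountToken: true {{ else }} ... false {{ end }}` ties token mounting to whether a service account name is configured, but the two are independent: operators commonly assign a service account for image-pull secrets, workload identity or admission policy without the job ever calling the Kubernetes API. Unless mq-init actually talks to the API (nothing in this hunk suggests it does), set `automountServiceAccountToken: false` unconditionally as the db-init template in this PR already does, and let a dedicated value opt in. The `readOnlyRootFilesystem: false` override for log files could likewise be avoided by mounting an `emptyDir` at the log directory and keeping the root filesystem read-only, if the log path is fixed.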
Expand Up @@ -15,11 +15,16 @@ spec:
labels:
app: {{ .Values.global.appName }}
tier: rabbitmq
kubeaudit.io/allow-disabled-apparmor: "apparmor-needs-to-be-installed-on-host"
kubeaudit.io/allow-read-only-root-filesystem-false: "required-to-write-log-files"
kubeaudit.io/allow-capability-setgid: "required-by-raabitmq-to-set-group-identitys"
kubeaudit.io/allow-capability-setuid: "required-by-raabitmq-to-set-user-identity"
annotations:
rollme: {{ randAlphaNum 5 | quote }}
{{- with include "resc.mqAnnotations" .}}
{{- nindent 8 .}}
{{- end }}
container.apparmor.security.beta.kubernetes.io/resc-mq: unconfined
spec:
{{ if .Values.global.serviceAccountName }}
serviceAccountName: {{ .Values.global.serviceAccountName }}
Expand Down Expand Up @@ -63,7 +68,37 @@ spec:
- mountPath: "/var/lib/rabbitmq/mnesia"
subPath: "var/lib/rabbitmq/mnesia"
name: {{ .Values.global.appName }}-mq-pv-storage
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: false
privileged: false
capabilities:
drop:
- ALL
add:
- SETGID
- SETUID
seccompProfile:
type: RuntimeDefault
runAsNonRoot: true
runAsUser: 10001
{{ if eq .Values.useKubernetesSecret "true"}}
readinessProbe:
initialDelaySeconds: 15
periodSeconds: 300
httpGet:
path: /api/health/checks/alarms
port: {{ .Values.rabbitMQ.config.mgmtPort}}
httpHeaders:
- name: Authorization
value: Basic {{ printf "%s:%s" .Values.rabbitMQ.config.admin_username .Values.rabbitMQ.config.admin_password | b64enc }}
{{ end }}
{{ if .Values.global.imagePullSecret_proxy }}
imagePullSecrets:
- name: {{ .Values.global.imagePullSecret_proxy }}
{{ end }}
{{ if .Values.global.serviceAccountName }}
automountServiceAccountToken: true
{{ else }}
automountServiceAccountToken: false
{{ end }}
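Review bot: The readiness probe writes the RabbitMQ admin credentials into the Deployment manifest itself: `value: Basic {{ printf "%s:%s" ... admin_password | b64enc }}` renders the password (base64 is encoding, not encryption) into the pod spec, where anyone with `get pods` or `get deployments` in the namespace, the Helm release history, and any manifest backup can read it, which undoes the point of keeping it in a Secret. A probe does not need management-API auth here; an exec probe such as `exec: {command: ["rabbitmq-diagnostics", "-q", "check_running"]}` (or `check_port_connectivity`) reports readiness without credentials. The `periodSeconds: 300` also lets a broken broker linger in endpoints for up to five minutes. Minor: the override label values spell `raabitmq` and `identitys`.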
Expand Up @@ -9,9 +9,13 @@ spec:
ttlSecondsAfterFinished: 600
template:
metadata:
annotations:
container.apparmor.security.beta.kubernetes.io/resc-rules-init: unconfined
labels:
app: {{ .Values.global.appName }}
tier: database
kubeaudit.io/allow-disabled-apparmor: "apparmor-needs-to-be-installed-on-host"
kubeaudit.io/allow-read-only-root-filesystem-false: "required-to-write-log-files"
spec:
{{ if .Values.serviceAccountName }}
serviceAccountName: {{ .Values.global.serviceAccountName }}
Expand All @@ -35,6 +39,17 @@ spec:
volumeMounts:
- name: config-volume
mountPath: /tmp/
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: false
privileged: false
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
runAsNonRoot: true
runAsUser: 10001
volumes:
- name: config-volume
configMap:
Expand All @@ -44,4 +59,9 @@ spec:
imagePullSecrets:
- name: {{ .Values.global.imagePullSecret }}
{{ end }}
{{ if .Values.global.serviceAccountName }}
automountServiceAccountToken: true
{{ else }}
automountServiceAccountToken: false
{{ end }}
backoffLimit: {{ .Values.backoffLimit }}
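Review bot: The new `automountServiceAccountToken` switch is keyed on `.Values.global.serviceAccountName`, while the existing `serviceAccountName` block earlier in the hunk is guarded by `.Values.serviceAccountName` (and then reads the global value). With only the global value set, the pod runs under the namespace `default` service account but with token automount turned on, which is the least desirable combination. Whether the earlier guard is a pre-existing typo I can't tell from here, but both conditions should use the same key; as with the other jobs, I'd default to `automountServiceAccountToken: false` unless the job is known to call the API.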
Expand Up @@ -12,11 +12,14 @@ spec:
metadata:
labels:
tier: {{ .Values.global.appName }}-vcs-scanner-secrets
kubeaudit.io/allow-disabled-apparmor: "apparmor-needs-to-be-installed-on-host"
kubeaudit.io/allow-read-only-root-filesystem-false: "required-to-write-log-files"
annotations:
rollme: {{ randAlphaNum 5 | quote }}
{{- with include "resc.vcsScannerSecretsAnnotations" .}}
{{- nindent 8 .}}
{{- end }}
container.apparmor.security.beta.kubernetes.io/resc--vcs-scanner-secrets: unconfined
spec:
{{ if .Values.global.serviceAccountName }}
serviceAccountName: {{ .Values.global.serviceAccountName }}
Expand Down Expand Up @@ -52,6 +55,17 @@ spec:
env:
- name: GET_HOSTS_FROM
value: dns
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: false
privileged: false
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
runAsNonRoot: true
runAsUser: 10001
volumes:
- name: config-volume
configMap:
Expand All @@ -61,3 +75,8 @@ spec:
imagePullSecrets:
- name: {{ .Values.global.imagePullSecret }}
{{ end }}
{{ if .Values.global.serviceAccountName }}
automountServiceAccountToken: true
{{ else }}
automountServiceAccountToken: false
{{ end }}
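Review bot: The annotation key `container.apparmor.security.beta.kubernetes.io/resc--vcs-scanner-secrets` contains a double hyphen, so unless the container really is named `resc--vcs-scanner-secrets` it refers to a container that does not exist; the API server validates AppArmor annotations against `spec.containers` and rejects such pods, which would leave this Deployment unable to roll out. Every other annotation in this PR uses a single hyphen, so this reads as a typo: `container.apparmor.security.beta.kubernetes.io/resc-vcs-scanner-secrets: unconfined`. Judging by the `tier` label, names here are built from `.Values.global.appName`, so the key should probably be templated with `{{ .Values.global.appName }}` rather than hard-coded to `resc`.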