diff --git a/library/common-test/tests/container/securityContext_test.yaml b/library/common-test/tests/container/securityContext_test.yaml index f78f1964..0599fd82 100644 --- a/library/common-test/tests/container/securityContext_test.yaml +++ b/library/common-test/tests/container/securityContext_test.yaml @@ -92,6 +92,8 @@ tests: capabilities: add: - CHOWN + - SETUID + - SETGID drop: - ALL 
@@ -496,6 +498,202 @@ tests: capabilities: add: - CHOWN + - SETUID + - SETGID + drop: + - ALL + + - it: should not include SETUID/SETGID when disabled from global + set: + image: *image + securityContext: + container: + runAsNonRoot: false + runAsUser: 0 + runAsGroup: 0 + capabilities: + disableAutoCapSETUID: true + disableAutoCapSETGID: true + workload: + workload-name1: + enabled: true + primary: true + type: Deployment + podSpec: + containers: + container-name1: + enabled: true + primary: true + imageSelector: image + probes: *probes + asserts: + - documentIndex: &deploymentDoc 0 + isKind: + of: Deployment + - documentIndex: *deploymentDoc + isAPIVersion: + of: apps/v1 + - documentIndex: *deploymentDoc + isSubset: + path: spec.template.spec.containers[0] + content: + securityContext: + runAsUser: 0 + runAsGroup: 0 + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + privileged: false + runAsNonRoot: false + seccompProfile: + type: RuntimeDefault + capabilities: + add: + - CHOWN + drop: + - ALL + + - it: should not include CHOWN when disabled from global + set: + image: *image + securityContext: + container: + runAsNonRoot: false + runAsUser: 0 + runAsGroup: 0 + capabilities: + disableAutoCapCHOWN: true + workload: + workload-name1: + enabled: true + primary: true + type: Deployment + podSpec: + containers: + container-name1: + enabled: true + primary: true + imageSelector: image + probes: *probes + asserts: + - documentIndex: &deploymentDoc 0 + isKind: + of: Deployment + - documentIndex: *deploymentDoc + isAPIVersion: + of: apps/v1 + - documentIndex: *deploymentDoc + isSubset: + path: spec.template.spec.containers[0] + content: + securityContext: + runAsUser: 0 + runAsGroup: 0 + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + privileged: false + runAsNonRoot: false + seccompProfile: + type: RuntimeDefault + capabilities: + add: + - SETUID + - SETGID + drop: + - ALL + + - it: should not include SETUID/SETGID when disabled from 
container level + set: + image: *image + workload: + workload-name1: + enabled: true + primary: true + type: Deployment + podSpec: + containers: + container-name1: + enabled: true + primary: true + imageSelector: image + probes: *probes + securityContext: + runAsNonRoot: false + runAsUser: 0 + runAsGroup: 0 + capabilities: + disableAutoCapSETUID: true + disableAutoCapSETGID: true + asserts: + - documentIndex: &deploymentDoc 0 + isKind: + of: Deployment + - documentIndex: *deploymentDoc + isAPIVersion: + of: apps/v1 + - documentIndex: *deploymentDoc + isSubset: + path: spec.template.spec.containers[0] + content: + securityContext: + runAsUser: 0 + runAsGroup: 0 + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + privileged: false + runAsNonRoot: false + seccompProfile: + type: RuntimeDefault + capabilities: + add: + - CHOWN + drop: + - ALL + + - it: should not include CHOWN when disabled from container level + set: + image: *image + workload: + workload-name1: + enabled: true + primary: true + type: Deployment + podSpec: + containers: + container-name1: + enabled: true + primary: true + imageSelector: image + probes: *probes + securityContext: + runAsNonRoot: false + runAsUser: 0 + runAsGroup: 0 + capabilities: + disableAutoCapCHOWN: true + asserts: + - documentIndex: &deploymentDoc 0 + isKind: + of: Deployment + - documentIndex: *deploymentDoc + isAPIVersion: + of: apps/v1 + - documentIndex: *deploymentDoc + isSubset: + path: spec.template.spec.containers[0] + content: + securityContext: + runAsUser: 0 + runAsGroup: 0 + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + privileged: false + runAsNonRoot: false + seccompProfile: + type: RuntimeDefault + capabilities: + add: + - SETUID + - SETGID drop: - ALL @@ -568,6 +766,8 @@ tests: capabilities: add: - CHOWN + - SETUID + - SETGID drop: - ALL 
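Review bot: None of the four new cases pins precedence when the same flag is set at both levels, for example `disableAutoCapSETUID: true` under the global `securityContext.container.capabilities` together with `disableAutoCapSETUID: false` under `container-name1.securityContext.capabilities`; the "disabled from container level" cases only show the container flag taking effect while the global one is unset. A fifth case with that combination, asserting whichever `add` list the merge is meant to produce, would document the precedence instead of leaving it to the merge helper. The expectations also depend on `add` coming out in the fixed order CHOWN, SETUID, SETGID, which holds only because of the template's append order; a one-line comment on the first such assertion, `# order follows the template's append order: CHOWN, SETUID, SETGID`, would make a future reorder read as a deliberate test change.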
@@ -830,3 +1030,78 @@ tests: asserts: - failedTemplate: errorMessage: Container - Expected to be [list], but got [string] + + - it: should fail capabilities.disableAutoCapCHOWN not a bool + set: + image: *image + workload: + workload-name1: + enabled: true + primary: true + type: Deployment + podSpec: + containers: + container-name1: + enabled: true + primary: true + imageSelector: image + probes: *probes + securityContext: + runAsUser: 0 + runAsGroup: 0 + runAsNonRoot: false + capabilities: + disableAutoCapCHOWN: not-bool + asserts: + - failedTemplate: + errorMessage: Container - Expected to be [bool], but got [not-bool] of type [string] + + - it: should fail capabilities.disableAutoCapSETUID not a bool + set: + image: *image + workload: + workload-name1: + enabled: true + primary: true + type: Deployment + podSpec: + containers: + container-name1: + enabled: true + primary: true + imageSelector: image + probes: *probes + securityContext: + runAsUser: 0 + runAsGroup: 0 + runAsNonRoot: false + capabilities: + disableAutoCapSETUID: not-bool + asserts: + - failedTemplate: + errorMessage: Container - Expected to be [bool], but got [not-bool] of type [string] + + - it: should fail capabilities.disableAutoCapSETGID not a bool + set: + image: *image + workload: + workload-name1: + enabled: true + primary: true + type: Deployment + podSpec: + containers: + container-name1: + enabled: true + primary: true + imageSelector: image + probes: *probes + securityContext: + runAsUser: 0 + runAsGroup: 0 + runAsNonRoot: false + capabilities: + disableAutoCapSETGID: not-bool + asserts: + - failedTemplate: + errorMessage: Container - Expected to be [bool], but got [not-bool] of type [string] diff --git a/library/common/Chart.yaml b/library/common/Chart.yaml index b7db0b72..b7e96b23 100644 --- a/library/common/Chart.yaml +++ b/library/common/Chart.yaml @@ -15,4 +15,4 @@ maintainers: name: common sources: null type: library -version: 12.2.31 +version: 12.2.32 
diff --git a/library/common/templates/lib/container/_securityContext.tpl b/library/common/templates/lib/container/_securityContext.tpl index 3eac93d0..9bf192e3 100644 --- a/library/common/templates/lib/container/_securityContext.tpl +++ b/library/common/templates/lib/container/_securityContext.tpl @@ -138,8 +138,26 @@ objectData: The object data to be used to render the container. Lets add automatically the CHOWN cap. */}} {{- if eq (int $secContext.runAsUser) 0 -}} + + {{- range $key := (list "CHOWN" "SETUID" "SETGID") -}} + {{- $value := (get $secContext.capabilities (printf "disableAutoCap%s" $key)) -}} + {{- if not (kindIs "bool" $value) -}} + {{- fail (printf "Container - Expected to be [bool], but got [%s] of type [%s]" $key $value (kindOf $value)) -}} + {{- end -}} + {{- end -}} + {{- $addCap := $secContext.capabilities.add -}} - {{- $addCap = mustAppend $addCap "CHOWN" -}} + + {{- if not $secContext.capabilities.disableAutoCapCHOWN -}} + {{- $addCap = mustAppend $addCap "CHOWN" -}} + {{- end -}} + {{- if not $secContext.capabilities.disableAutoCapSETUID }} + {{- $addCap = mustAppend $addCap "SETUID" -}} + {{- end -}} + {{- if not $secContext.capabilities.disableAutoCapSETGID }} + {{- $addCap = mustAppend $addCap "SETGID" -}} + {{- end -}} + {{- $_ := set $secContext.capabilities "add" $addCap -}} {{- end -}} diff --git a/library/common/values.yaml b/library/common/values.yaml index 6250a445..c4797f01 100644 --- a/library/common/values.yaml +++ b/library/common/values.yaml @@ -79,6 +79,11 @@ securityContext: add: [] drop: - ALL + # When set to false, it will automatically + # add the capability when container runs as ROOT + disableAutoCapCHOWN: false + disableAutoCapSETUID: false + disableAutoCapSETGID: false # -- PUID for all containers # Can be overruled per container PUID: 568
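Review bot: The `fail` inside the new validation loop passes three arguments to a format string that has only two `%s` verbs, so `$key` lands in the "got" slot, `$value` in the "type" slot, and the kind is appended as `%!(EXTRA string=string)`; the message can never read `got [not-bool] of type [string]` as the new tests expect. Either drop `$key` — `{{- fail (printf "Container - Expected to be [bool], but got [%s] of type [%s]" $value (kindOf $value)) -}}` — or add a third verb that names the flag, and align the test expectations with whichever form is kept. The loop also sits inside `if eq (int $secContext.runAsUser) 0`, so a mistyped flag on a non-root container is accepted silently and only surfaces if that container is later switched to root; moving the type check above the `runAsUser` condition would make the validation unconditional. Minor style point: the SETUID and SETGID `if` actions close with `}}` while the CHOWN one closes with `-}}`, harmless here only because the next action opens with `{{-`, so use `-}}` on all three for consistency. The enclosing define starts before this hunk.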
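Review bot: The comment on the three new keys does not say that they only matter when the container resolves to `runAsUser: 0` (the template guards the whole block on that), nor that the defaults are opt-out: with all three left `false`, every root container now receives CHOWN, SETUID and SETGID on top of `drop: [ALL]`, where previously only CHOWN was added. Suggested wording: `# Capabilities added automatically when the container runs as root (runAsUser 0).` followed by `# Set a flag to true to opt out; containers that never switch user do not need SETUID/SETGID.` Charts whose root containers do not drop privileges at startup should set the SETUID/SETGID flags to true so the widened default does not apply to them unnoticed.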