feat(common): add hostUser support (#612)

**Description**
`hostUser:false` provides extra security for stateless pods. It has
specific requirements for being enabled; if those are met, it is safe to
enable. Just in case, we also allow a manual override.

⚒️ Fixes  #607 

**⚙️ Type of change**

- [x] ⚙️ Feature/App addition
- [ ] 🪛 Bugfix
- [ ] ⚠️ Breaking change (fix or feature that would cause existing
functionality to not work as expected)
- [ ] 🔃 Refactor of current code

**🧪 How Has This Been Tested?**
<!--
Please describe the tests that you ran to verify your changes. Provide
instructions so we can reproduce. Please also list any relevant details
for your test configuration
-->

**📃 Notes:**
<!-- Please enter any other relevant information here -->

**✔️ Checklist:**

- [ ] ⚖️ My code follows the style guidelines of this project
- [ ] 👀 I have performed a self-review of my own code
- [ ] #️⃣ I have commented my code, particularly in hard-to-understand
areas
- [ ] 📄 I have made corresponding changes to the documentation
- [ ] ⚠️ My changes generate no new warnings
- [ ] 🧪 I have added tests to this description that prove my fix is
effective or that my feature works
- [ ] ⬆️ I increased versions for any altered app according to semantic
versioning

** App addition**

If this PR is an app addition please make sure you have done the
following.

- [ ] 🪞 I have opened a PR on
[truecharts/containers](https://github.com/truecharts/containers) adding
the container to TrueCharts mirror repo.
- [ ] 🖼️ I have added an icon in the Chart's root directory called
`icon.png`

---

_Please don't blindly check all the boxes. Read them and only check
those that apply.
Those checkboxes are there for the reviewer to see what is this all
about and
the status of this PR with a quick glance._

---------

Co-authored-by: Stavros kois <s.kois@outlook.com>
Co-authored-by: Stavros Kois <47820033+stavros-k@users.noreply.github.com>
This commit is contained in:
Kjeld Schouten
2023-11-18 21:35:18 +01:00
committed by GitHub
parent 456e44a708
commit a35b8ddde5
10 changed files with 502 additions and 13 deletions


@@ -3,7 +3,7 @@ appVersion: ""
dependencies:
- name: common
repository: file://../common
version: ~15.1.0
version: ~15.2.0
deprecated: false
description: Helper chart to test different use cases of the common library
home: https://github.com/truecharts/apps/tree/master/charts/library/common-test


@@ -0,0 +1,78 @@
suite: pod hostIPC test
templates:
- common.yaml
release:
name: test-release-name
namespace: test-release-namespace
tests:
- it: should pass with hostIPC disabled from "global"
set:
podOptions:
hostIPC: false
workload:
workload-name1:
enabled: true
primary: true
type: Deployment
podSpec: {}
asserts:
- documentIndex: &deploymentDoc 0
isKind:
of: Deployment
- documentIndex: *deploymentDoc
equal:
path: spec.template.spec.hostIPC
value: false
- it: should pass with hostIPC enabled from "global"
set:
podOptions:
hostIPC: true
workload:
workload-name1:
enabled: true
primary: true
type: Deployment
podSpec: {}
asserts:
- documentIndex: *deploymentDoc
isKind:
of: Deployment
- documentIndex: *deploymentDoc
equal:
path: spec.template.spec.hostIPC
value: true
- it: should pass with disabled hostIPC from pod
set:
podOptions:
hostIPC: true
workload:
workload-name1:
enabled: true
primary: true
type: Deployment
podSpec:
hostIPC: false
asserts:
- documentIndex: *deploymentDoc
equal:
path: spec.template.spec.hostIPC
value: false
- it: should pass with enabled hostIPC from pod
set:
podOptions:
hostIPC: false
workload:
workload-name1:
enabled: true
primary: true
type: Deployment
podSpec:
hostIPC: true
asserts:
- documentIndex: *deploymentDoc
equal:
path: spec.template.spec.hostIPC
value: true
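Review bot: The suite never exercises the default path — no case leaves both `podOptions.hostIPC` and `podSpec.hostIPC` unset and asserts that `spec.template.spec.hostIPC` renders `false`, so the initialiser in `_hostIPC.tpl` and the `values.yaml` default are only covered indirectly. A case such as `- it: should default hostIPC to false when unset` with `podSpec: {}` and no `podOptions` would pin that. The hunk header counts 78 added lines while 75 are visible here, so a case may have been lost in rendering.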


@@ -0,0 +1,316 @@
suite: pod hostUsers test
templates:
- common.yaml
release:
name: test-release-name
namespace: test-release-namespace
tests:
- it: should pass with hostUsers enabled from "global"
set:
podOptions:
hostUsers: true
workload:
workload-name1:
enabled: true
primary: true
type: Deployment
podSpec: {}
asserts:
- documentIndex: &deploymentDoc 0
isKind:
of: Deployment
- documentIndex: *deploymentDoc
equal:
path: spec.template.spec.hostUsers
value: true
- it: should pass with hostUsers enabled from podSpec
set:
podOptions:
hostUsers: false
workload:
workload-name1:
enabled: true
primary: true
type: Deployment
podSpec:
hostUsers: true
asserts:
- documentIndex: *deploymentDoc
isKind:
of: Deployment
- documentIndex: *deploymentDoc
equal:
path: spec.template.spec.hostUsers
value: true
- it: should pass with enabled hostUsers because of pvc
set:
workload:
workload-name1:
enabled: true
primary: true
type: Deployment
podSpec: {}
persistence:
vol1:
enabled: true
type: pvc
asserts:
- documentIndex: *deploymentDoc
equal:
path: spec.template.spec.hostUsers
value: true
- it: should pass with enabled hostUsers because of hostNet
set:
workload:
workload-name1:
enabled: true
primary: true
type: Deployment
podSpec:
hostNetwork: true
asserts:
- documentIndex: *deploymentDoc
equal:
path: spec.template.spec.hostUsers
value: true
- it: should pass with enabled hostUsers because of hostPID
set:
workload:
workload-name1:
enabled: true
primary: true
type: Deployment
podSpec:
hostPID: true
asserts:
- documentIndex: *deploymentDoc
equal:
path: spec.template.spec.hostUsers
value: true
- it: should pass with enabled hostUsers because of hostIPC
set:
workload:
workload-name1:
enabled: true
primary: true
type: Deployment
podSpec:
hostIPC: true
asserts:
- documentIndex: *deploymentDoc
equal:
path: spec.template.spec.hostUsers
value: true
# Tests that eq <template> "true" works // bool to string etc.
- it: should pass with disabled hostUsers with host* disabled explicitly
set:
workload:
workload-name1:
enabled: true
primary: true
type: Deployment
podSpec:
hostIPC: false
asserts:
- documentIndex: *deploymentDoc
equal:
path: spec.template.spec.hostUsers
value: false
- it: should pass with enabled hostUsers because of sysctls
set:
workload:
workload-name1:
enabled: true
primary: true
type: Deployment
podSpec:
securityContext:
sysctls:
- name: some-sysctl
value: some-value
asserts:
- documentIndex: *deploymentDoc
equal:
path: spec.template.spec.hostUsers
value: true
- it: should pass with enabled hostUsers because of gpu
set:
scaleGPU:
- gpu:
nvidia: "1"
workload:
workload-name1:
enabled: true
primary: true
type: Deployment
podSpec: {}
asserts:
- documentIndex: *deploymentDoc
equal:
path: spec.template.spec.hostUsers
value: true
- it: should pass with enabled hostUsers because rofs is disabled
set:
workload:
workload-name1:
enabled: true
primary: true
type: Deployment
podSpec:
containers:
container1:
enabled: true
primary: true
probes: &probes
liveness:
enabled: false
readiness:
enabled: false
startup:
enabled: false
securityContext:
readOnlyRootFilesystem: false
asserts:
- documentIndex: *deploymentDoc
equal:
path: spec.template.spec.hostUsers
value: true
- it: should pass with enabled hostUsers because runAsNonRoot is disabled
set:
workload:
workload-name1:
enabled: true
primary: true
type: Deployment
podSpec:
containers:
container1:
enabled: true
primary: true
probes: *probes
securityContext:
runAsNonRoot: false
# Common will reset to true if runAsUser is not 0
runAsUser: 0
asserts:
- documentIndex: *deploymentDoc
equal:
path: spec.template.spec.hostUsers
value: true
- it: should pass with enabled hostUsers because privileged is enabled
set:
workload:
workload-name1:
enabled: true
primary: true
type: Deployment
podSpec:
containers:
container1:
enabled: true
primary: true
probes: *probes
securityContext:
privileged: true
asserts:
- documentIndex: *deploymentDoc
equal:
path: spec.template.spec.hostUsers
value: true
- it: should pass with enabled hostUsers because allowPrivilegeEscalation is enabled
set:
workload:
workload-name1:
enabled: true
primary: true
type: Deployment
podSpec:
containers:
container1:
enabled: true
primary: true
probes: *probes
securityContext:
allowPrivilegeEscalation: true
asserts:
- documentIndex: *deploymentDoc
equal:
path: spec.template.spec.hostUsers
value: true
- it: should pass with enabled hostUsers because runAsUser is 0
set:
workload:
workload-name1:
enabled: true
primary: true
type: Deployment
podSpec:
containers:
container1:
enabled: true
primary: true
probes: *probes
securityContext:
runAsUser: 0
asserts:
- documentIndex: *deploymentDoc
equal:
path: spec.template.spec.hostUsers
value: true
- it: should pass with enabled hostUsers because runAsGroup is 0
set:
workload:
workload-name1:
enabled: true
primary: true
type: Deployment
podSpec:
containers:
container1:
enabled: true
primary: true
probes: *probes
securityContext:
runAsGroup: 0
asserts:
- documentIndex: *deploymentDoc
equal:
path: spec.template.spec.hostUsers
value: true
- it: should pass with enabled hostUsers because capabilities.add is not empty
set:
workload:
workload-name1:
enabled: true
primary: true
type: Deployment
podSpec:
containers:
container1:
enabled: true
primary: true
probes: *probes
securityContext:
capabilities:
add:
- SYS_ADMIN
asserts:
- documentIndex: *deploymentDoc
equal:
path: spec.template.spec.hostUsers
value: true
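Review bot: No case checks that an explicit `hostUsers: false` cannot undo a calculated `true` — every test sets either a forcing condition or an explicit `true`, never `podSpec.hostUsers: false` together with, say, a `pvc` volume. Since `_hostUsers.tpl` only ever promotes the value to `true`, a case like `- it: should keep hostUsers true with pvc even if podSpec.hostUsers is false` would pin the security-relevant direction of the override. A case where an `emptyDir` or `configmap` volume leaves `hostUsers` at `false` would likewise cover the allow-list kept in `_securityContext.tpl`. The hunk header counts 316 added lines while fewer are visible here, so some cases may have been dropped in rendering.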


@@ -572,7 +572,7 @@ tests:
podSpec: {}
asserts:
- failedTemplate:
errorMessage: Pod - Expected non-empty [.Values.securityContext.pod]
errorMessage: Pod - Expected non-empty [securityContext.pod]
- it: should fail with empty fsGroup
set:


@@ -15,4 +15,4 @@ maintainers:
name: common
sources: null
type: library
version: 15.1.1
version: 15.2.0


@@ -0,0 +1,24 @@
{{/* Returns Host IPC */}}
{{/* Call this template:
{{ include "tc.v1.common.lib.pod.hostIPC" (dict "rootCtx" $ "objectData" $objectData) }}
rootCtx: The root context of the chart.
objectData: The object data to be used to render the Pod.
*/}}
{{- define "tc.v1.common.lib.pod.hostIPC" -}}
{{- $rootCtx := .rootCtx -}}
{{- $objectData := .objectData -}}
{{- $hostIPC := false -}}
{{/* Initialize from the "global" option */}}
{{- if (kindIs "bool" $rootCtx.Values.podOptions.hostIPC) -}}
{{- $hostIPC = $rootCtx.Values.podOptions.hostIPC -}}
{{- end -}}
{{/* Override with pods option */}}
{{- if (kindIs "bool" $objectData.podSpec.hostIPC) -}}
{{- $hostIPC = $objectData.podSpec.hostIPC -}}
{{- end -}}
{{- $hostIPC -}}
{{- end -}}
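Review bot: A value that is set but not a bool — e.g. a quoted `"true"` from a values override — is silently ignored by the `kindIs "bool"` guards at both levels, so the result falls back to `false` and a typing mistake hides a misconfiguration rather than surfacing it. If the sibling hostNetwork/hostPID templates behave the same this is at least consistent, but a short comment above the first guard, `{{/* Non-bool values are ignored, not rejected; an unquoted true/false is required */}}`, would save the next reader from assuming strings are accepted. If the project prefers loud failures, a `fail` on a non-nil, non-bool value would match how `_securityContext.tpl` rejects an empty `securityContext.pod`.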


@@ -0,0 +1,32 @@
{{/* Returns Host Users */}}
{{/* Call this template:
{{ include "tc.v1.common.lib.pod.hostPID" (dict "rootCtx" $ "objectData" $objectData) }}
rootCtx: The root context of the chart.
objectData: The object data to be used to render the Pod.
*/}}
{{- define "tc.v1.common.lib.pod.hostUsers" -}}
{{- $rootCtx := .rootCtx -}}
{{- $objectData := .objectData -}}
{{- $hostUsers := false -}}
{{- if $objectData.podSpec.calculatedHostUsers -}}
{{- $hostUsers = true -}}
{{- end -}}
{{/* Override from the "global" option */}}
{{- if (kindIs "bool" $rootCtx.Values.podOptions.hostUsers) -}}
{{- if $rootCtx.Values.podOptions.hostUsers -}}
{{- $hostUsers = true -}}
{{- end -}}
{{- end -}}
{{/* Override with pods option */}}
{{- if (kindIs "bool" $objectData.podSpec.hostUsers) -}}
{{- if $objectData.podSpec.hostUsers -}}
{{- $hostUsers = true -}}
{{- end -}}
{{- end -}}
{{- $hostUsers -}}
{{- end -}}
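Review bot: The usage comment at the top of the file names the wrong template — it says `tc.v1.common.lib.pod.hostPID` where the define is `tc.v1.common.lib.pod.hostUsers`; change it to `{{ include "tc.v1.common.lib.pod.hostUsers" (dict "rootCtx" $ "objectData" $objectData) }}`. The two comments reading "Override …" are also misleading: both branches can only promote `$hostUsers` to `true`, so an explicit `false` never overrides a calculated requirement, which is the safe direction but should be stated, e.g. `{{/* An explicit true forces a host user namespace; false can never override a calculated requirement */}}`. The template further reads `$objectData.podSpec.calculatedHostUsers`, which only exists once `tc.v1.common.lib.pod.securityContext` has run for the same object; that ordering contract deserves a line in the header comment.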


@@ -9,7 +9,7 @@ objectData: The object data to be used to render the Pod.
{{- $objectData := .objectData -}}
{{- if not $rootCtx.Values.securityContext.pod -}}
{{- fail "Pod - Expected non-empty [.Values.securityContext.pod]" -}}
{{- fail "Pod - Expected non-empty [securityContext.pod]" -}}
{{- end -}}
{{/* Initialize from the "global" option */}}
@@ -35,28 +35,59 @@ objectData: The object data to be used to render the Pod.
{{- $deviceGroups := (list 5 10 20 24) -}}
{{- $deviceAdded := false -}}
{{- $hostUsers := false -}}
{{- $hostUserPersistence := (list "configmap" "secret" "emptyDir" "downwardAPI" "projected") -}}
{{- $podSelected := false -}}
{{- range $persistenceName, $persistenceValues := $rootCtx.Values.persistence -}}
{{- if $persistenceValues.enabled -}}
{{- if eq $persistenceValues.type "device" -}}
{{- if $persistenceValues.targetSelectAll -}}
{{- $deviceAdded = true -}}
{{- else if $persistenceValues.targetSelector -}}
{{- if mustHas $objectData.shortName ($persistenceValues.targetSelector | keys) -}}
{{- $deviceAdded = true -}}
{{- end -}}
{{- else if $objectData.podPrimary -}}
{{- $deviceAdded = true -}}
{{- if $persistenceValues.targetSelectAll -}}
{{- $podSelected = true -}}
{{- else if and $persistenceValues.targetSelector (kindIs "map" $persistenceValues.targetSelector) -}}
{{- if mustHas $objectData.shortName ($persistenceValues.targetSelector | keys) -}}
{{- $podSelected = true -}}
{{- end -}}
{{- else if $objectData.podPrimary -}}
{{- $podSelected = true -}}
{{- end -}}
{{- end -}}
{{- if $podSelected -}}
{{- if eq $persistenceValues.type "device" -}}
{{- $deviceAdded = true -}}
{{- end -}}
{{- if not (mustHas $persistenceValues.type $hostUserPersistence) -}}
{{- $hostUsers = true -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/* Make sure no host "things" are used */}}
{{- $hostNet := (eq (include "tc.v1.common.lib.pod.hostNetwork" (dict "rootCtx" $rootCtx "objectData" $objectData)) "true") -}}
{{- $hostPID := (eq (include "tc.v1.common.lib.pod.hostPID" (dict "rootCtx" $rootCtx "objectData" $objectData)) "true") -}}
{{- $hostIPC := (eq (include "tc.v1.common.lib.pod.hostIPC" (dict "rootCtx" $rootCtx "objectData" $objectData)) "true") -}}
{{- if or $hostIPC $hostNet $hostPID -}}
{{- $hostUsers = true -}}
{{- end }}
{{- range $containerName, $containerValues := $objectData.podSpec.containers -}}
{{- $secContContainer := fromJson (include "tc.v1.common.lib.container.securityContext.calculate" (dict "rootCtx" $rootCtx "objectData" $containerValues)) }}
{{- if or $secContContainer.allowPrivilegeEscalation $secContContainer.privileged $secContContainer.capabilities.add
(not $secContContainer.readOnlyRootFilesystem) (not $secContContainer.runAsNonRoot)
(lt ($secContContainer.runAsUser | int) 1) (lt ($secContContainer.runAsGroup | int) 1) -}}
{{- $hostUsers = true -}}
{{- end -}}
{{- end -}}
{{- if $gpuAdded -}}
{{- $_ := set $secContext "supplementalGroups" (concat $secContext.supplementalGroups (list 44 107)) -}}
{{- $hostUsers = true -}}
{{- end -}}
{{- if $deviceAdded -}}
{{- $_ := set $secContext "supplementalGroups" (concat $secContext.supplementalGroups $deviceGroups) -}}
{{- $hostUsers = true -}}
{{- end -}}
{{- $_ := set $secContext "supplementalGroups" (concat $secContext.supplementalGroups (list 568)) -}}
@@ -101,6 +132,7 @@ supplementalGroups: []
{{- end -}}
{{- with $secContext.sysctls }}
sysctls:
{{- $hostUsers = true -}}
{{- range . }}
{{- if not .name -}}
{{- fail "Pod - Expected non-empty [name] in [sysctls]" -}}
@@ -114,4 +146,7 @@ sysctls:
{{- else }}
sysctls: []
{{- end -}}
{{/* Used by _hostUsers.tpl */}}
{{- $_ := set $objectData.podSpec "calculatedHostUsers" $hostUsers -}}
{{- end -}}
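Review bot: `$podSelected` is declared once before the `range` over persistence and is only ever set to `true` inside it, so once any entry selects this pod every later entry is treated as selecting it too — a `device` entry whose `targetSelector` names a different pod would still set `$deviceAdded` and append the device supplemental groups to this pod. Reset it at the top of each iteration, e.g. `{{- $podSelected = false -}}` directly after the `range $persistenceName, $persistenceValues` line. The name `$hostUserPersistence` reads as the opposite of its meaning (it lists the types that do not force `hostUsers`); a comment such as `{{/* Volume types that do not require a host user namespace */}}` or a name like `$userNsSafePersistence` would help. The `{{- end }}` closing the `or $hostIPC $hostNet $hostPID` block also lacks the trailing dash used everywhere else in the file. The enclosing define starts before the first hunk and its closing `end` is the last line shown.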


@@ -16,6 +16,7 @@ imagePullSecrets:
{{- end }}
hostNetwork: {{ include "tc.v1.common.lib.pod.hostNetwork" (dict "rootCtx" $rootCtx "objectData" $objectData) }}
hostPID: {{ include "tc.v1.common.lib.pod.hostPID" (dict "rootCtx" $rootCtx "objectData" $objectData) }}
hostIPC: {{ include "tc.v1.common.lib.pod.hostIPC" (dict "rootCtx" $rootCtx "objectData" $objectData) }}
shareProcessNamespace: {{ include "tc.v1.common.lib.pod.shareProcessNamespace" (dict "rootCtx" $rootCtx "objectData" $objectData) }}
enableServiceLinks: {{ include "tc.v1.common.lib.pod.enableServiceLinks" (dict "rootCtx" $rootCtx "objectData" $objectData) }}
restartPolicy: {{ include "tc.v1.common.lib.pod.restartPolicy" (dict "rootCtx" $rootCtx "objectData" $objectData) }}
@@ -50,6 +51,7 @@ tolerations:
{{- end }}
securityContext:
{{- include "tc.v1.common.lib.pod.securityContext" (dict "rootCtx" $rootCtx "objectData" $objectData) | trim | nindent 2 }}
hostUsers: {{ include "tc.v1.common.lib.pod.hostUsers" (dict "rootCtx" $rootCtx "objectData" $objectData) }}
{{- if $objectData.podSpec.containers }}
containers:
{{- include "tc.v1.common.lib.pod.containerSpawner" (dict "rootCtx" $rootCtx "objectData" $objectData) | trim | nindent 2 -}}
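Review bot: The new `hostUsers:` line depends on the `securityContext` include two lines above having already run, because `tc.v1.common.lib.pod.hostUsers` reads the `podSpec.calculatedHostUsers` that the securityContext helper stores as its last step; nothing here documents that, and reordering the two would silently render `hostUsers: false` for pods that need host access. Add `{{/* Must stay after securityContext: hostUsers reads podSpec.calculatedHostUsers set there */}}` above it. Note also that the field is always emitted, even as `hostUsers: true`, which is the Kubernetes default; on clusters that do not know the field it is presumably dropped rather than rejected, but that is worth confirming and mentioning in the chart docs.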


@@ -130,6 +130,8 @@ podOptions:
enableServiceLinks: false
hostNetwork: false
hostPID: false
hostIPC: false
hostUsers: false
shareProcessNamespace: false
restartPolicy: Always
dnsPolicy: ClusterFirst
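Review bot: `hostUsers: false` in the defaults reads as a guarantee, but the templates only ever promote the value to `true` when the pod needs host-side features (host namespaces, volumes outside the allow-list, GPU or device access, sysctls, a privileged or root container), so `false` here means "use a user namespace only if the chart finds nothing preventing it". A comment above the key, `# false = request a user namespace when the pod's configuration allows it; the chart forces true when host namespaces, host-backed volumes, devices, sysctls or privileged/root containers are used`, would keep operators from reading it as enforced isolation. The `hostIPC: false` line is different in kind — a plain pass-through that `podSpec.hostIPC` can override in either direction — and a one-line comment saying so would avoid the two being read alike.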