Adds security context to the operator/webhook (#580)
0sewa0 committed Feb 28, 2022
1 parent cb9e12d commit ba25ac3
Showing 6 changed files with 227 additions and 4 deletions.
29 changes: 29 additions & 0 deletions config/deploy/kubernetes/kubernetes-all.yaml
Expand Up @@ -3574,6 +3574,8 @@ kind: Deployment
metadata:
name: dynatrace-operator
namespace: dynatrace
annotations:
container.apparmor.security.beta.kubernetes.io/dynatrace-operator: runtime/default
labels:
dynatrace: operator
operator: dynakube
Expand Down Expand Up @@ -3638,6 +3640,15 @@ spec:
scheme: HTTP
initialDelaySeconds: 15
periodSeconds: 10
securityContext:
seccompProfile:
type: RuntimeDefault
privileged: false
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsNonRoot: true
capabilities:
drop: ["all"]
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
Expand Down Expand Up @@ -3692,11 +3703,15 @@ spec:
metadata:
annotations:
kubectl.kubernetes.io/default-container: webhook
container.apparmor.security.beta.kubernetes.io/webhook: runtime/default
labels:
dynatrace.com/operator: oneagent
internal.dynatrace.com/component: webhook
internal.dynatrace.com/app: webhook
spec:
volumes:
- emptyDir: {}
name: certs-dir
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
Expand All @@ -3715,6 +3730,8 @@ spec:
- name: webhook
args:
- webhook-server
# OLM mounts the certificates here, so we reuse it for simplicity
- --certs-dir=/tmp/k8s-webhook-server/serving-certs/
image:
quay.io/dynatrace/dynatrace-operator:snapshot
imagePullPolicy: Always
Expand Down Expand Up @@ -3746,6 +3763,18 @@ spec:
limits:
cpu: 300m
memory: 128Mi
volumeMounts:
- name: certs-dir
mountPath: /tmp/k8s-webhook-server/serving-certs/
securityContext:
seccompProfile:
type: RuntimeDefault
privileged: false
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsNonRoot: true
capabilities:
drop: ["all"]
serviceAccountName: dynatrace-webhook
---
# Source: dynatrace-operator/templates/Common/webhook/mutatingwebhookconfiguration.yaml
29 changes: 29 additions & 0 deletions config/deploy/openshift/openshift-all.yaml
Expand Up @@ -3641,6 +3641,8 @@ kind: Deployment
metadata:
name: dynatrace-operator
namespace: dynatrace
annotations:
container.apparmor.security.beta.kubernetes.io/dynatrace-operator: runtime/default
labels:
dynatrace: operator
operator: dynakube
Expand Down Expand Up @@ -3705,6 +3707,15 @@ spec:
scheme: HTTP
initialDelaySeconds: 15
periodSeconds: 10
securityContext:
seccompProfile:
type: RuntimeDefault
privileged: false
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsNonRoot: true
capabilities:
drop: ["all"]
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
Expand Down Expand Up @@ -3759,11 +3770,15 @@ spec:
metadata:
annotations:
kubectl.kubernetes.io/default-container: webhook
container.apparmor.security.beta.kubernetes.io/webhook: runtime/default
labels:
dynatrace.com/operator: oneagent
internal.dynatrace.com/component: webhook
internal.dynatrace.com/app: webhook
spec:
volumes:
- emptyDir: {}
name: certs-dir
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
Expand All @@ -3782,6 +3797,8 @@ spec:
- name: webhook
args:
- webhook-server
# OLM mounts the certificates here, so we reuse it for simplicity
- --certs-dir=/tmp/k8s-webhook-server/serving-certs/
image:
quay.io/dynatrace/dynatrace-operator:snapshot
imagePullPolicy: Always
Expand Down Expand Up @@ -3813,6 +3830,18 @@ spec:
limits:
cpu: 300m
memory: 128Mi
volumeMounts:
- name: certs-dir
mountPath: /tmp/k8s-webhook-server/serving-certs/
securityContext:
seccompProfile:
type: RuntimeDefault
privileged: false
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsNonRoot: true
capabilities:
drop: ["all"]
serviceAccountName: dynatrace-webhook
---
# Source: dynatrace-operator/templates/Common/webhook/mutatingwebhookconfiguration.yaml
Expand Up @@ -18,6 +18,8 @@ kind: Deployment
metadata:
name: {{ .Release.Name }}
namespace: {{ .Release.Namespace }}
annotations:
container.apparmor.security.beta.kubernetes.io/{{ .Release.Name }}: runtime/default
labels:
{{- include "dynatrace-operator.labels" . | nindent 4 }}
spec:
Expand Down Expand Up @@ -83,6 +85,15 @@ spec:
scheme: HTTP
initialDelaySeconds: 15
periodSeconds: 10
securityContext:
seccompProfile:
type: RuntimeDefault
privileged: false
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsNonRoot: true
capabilities:
drop: ["all"]
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
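Review bot: `drop: ["all"]` at the end of the new securityContext uses a lowercase capability name, while the Kubernetes API documents the wildcard as `ALL`; runtimes tend to accept either case, but policy tooling that matches the literal string (the restricted Pod Security Standard, admission policies, compliance scanners) will likely not count this container as dropping all capabilities. Change it to `drop: ["ALL"]` here and in the same stanza of the webhook template, the rendered kubernetes-all.yaml and openshift-all.yaml, and the unit-test expectations that pin it. Separately, the annotation key `container.apparmor.security.beta.kubernetes.io/{{ .Release.Name }}` must equal the container's name exactly; the container name is outside this hunk, so if it is hard-coded rather than derived from `.Release.Name`, a non-default release name silently leaves the operator container without the profile — confirm both use the same expression. The Deployment spec continues outside the hunk.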
Expand Up @@ -33,11 +33,15 @@ spec:
metadata:
annotations:
kubectl.kubernetes.io/default-container: webhook
container.apparmor.security.beta.kubernetes.io/webhook: runtime/default
labels:
dynatrace.com/operator: oneagent
internal.dynatrace.com/component: webhook
internal.dynatrace.com/app: webhook
spec:
volumes:
- emptyDir: {}
name: certs-dir
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
Expand All @@ -56,10 +60,8 @@ spec:
- name: webhook
args:
- webhook-server
{{- if eq (default false .Values.olm) true }}
# OLM mounts the certificates to a different location
# OLM mounts the certificates here, so we reuse it for simplicity
- --certs-dir=/tmp/k8s-webhook-server/serving-certs/
{{- end}}
image: {{- include "dynatrace-operator.image" . | nindent 12 }}
imagePullPolicy: Always
env:
Expand Down Expand Up @@ -94,10 +96,22 @@ spec:
limits:
cpu: {{ default "300m" ((.Values.webhook).limits).cpu }}
memory: {{ default "128Mi" ((.Values.webhook).limits).memory }}
volumeMounts:
- name: certs-dir
mountPath: /tmp/k8s-webhook-server/serving-certs/
securityContext:
seccompProfile:
type: RuntimeDefault
privileged: false
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsNonRoot: true
capabilities:
drop: ["all"]
serviceAccountName: dynatrace-webhook
{{- if (.Values.webhook).hostNetwork }}
hostNetwork: true
{{- end }}
serviceAccountName: dynatrace-webhook
{{- if .Values.operator.customPullSecret }}
imagePullSecrets:
- name: {{ .Values.operator.customPullSecret }}
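Review bot: The added annotation `container.apparmor.security.beta.kubernetes.io/webhook: runtime/default` is unconditional, yet this template also renders into openshift-all.yaml, whose RHCOS nodes ship SELinux rather than AppArmor; kubelets have historically rejected at admission, rather than ignored, a pod that requests any AppArmor profile on a host without AppArmor support, so this may leave the webhook Pending on OpenShift — verify on a real OpenShift cluster before shipping. If that is confirmed, guard the annotation with a chart value (named per the chart's existing platform switches, which are not visible here) so it is omitted from the OpenShift rendering; the operator Deployment template carries the same annotation. The Pod template's spec starts before this hunk and continues after it.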
Expand Up @@ -82,6 +82,15 @@ tests:
scheme: HTTP
initialDelaySeconds: 15
periodSeconds: 10
securityContext:
seccompProfile:
type: RuntimeDefault
privileged: false
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsNonRoot: true
capabilities:
drop: ["all"]
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
Expand Down Expand Up @@ -222,6 +231,15 @@ tests:
scheme: HTTP
initialDelaySeconds: 15
periodSeconds: 10
securityContext:
seccompProfile:
type: RuntimeDefault
privileged: false
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsNonRoot: true
capabilities:
drop: ["all"]
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
Expand Up @@ -44,11 +44,15 @@ tests:
metadata:
annotations:
kubectl.kubernetes.io/default-container: webhook
container.apparmor.security.beta.kubernetes.io/webhook: runtime/default
labels:
dynatrace.com/operator: oneagent
internal.dynatrace.com/component: webhook
internal.dynatrace.com/app: webhook
spec:
volumes:
- emptyDir: {}
name: certs-dir
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
Expand All @@ -67,6 +71,7 @@ tests:
- name: webhook
args:
- webhook-server
- --certs-dir=/tmp/k8s-webhook-server/serving-certs/
image: image-name
imagePullPolicy: Always
env:
Expand Down Expand Up @@ -97,6 +102,18 @@ tests:
limits:
cpu: 300m
memory: 128Mi
volumeMounts:
- name: certs-dir
mountPath: /tmp/k8s-webhook-server/serving-certs/
securityContext:
seccompProfile:
type: RuntimeDefault
privileged: false
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsNonRoot: true
capabilities:
drop: ["all"]
serviceAccountName: dynatrace-webhook

- it: should have imagePullSecrets defined in spec
Expand All @@ -112,3 +129,108 @@ tests:
asserts:
- isNull:
path: spec.template.spec.imagePullSecrets


- it: should exist on olm (but different)
set:
olm: true
operator.image: image-name
asserts:
- isKind:
of: Deployment
- equal:
path: metadata.name
value: dynatrace-webhook
- equal:
path: metadata.namespace
value: NAMESPACE
- isNotEmpty:
path: metadata.labels
- equal:
path: spec
value:
replicas: 1
revisionHistoryLimit: 1
selector:
matchLabels:
internal.dynatrace.com/component: webhook
internal.dynatrace.com/app: webhook
strategy:
type: RollingUpdate
template:
metadata:
annotations:
kubectl.kubernetes.io/default-container: webhook
container.apparmor.security.beta.kubernetes.io/webhook: runtime/default
labels:
dynatrace.com/operator: oneagent
internal.dynatrace.com/component: webhook
internal.dynatrace.com/app: webhook
spec:
volumes:
- emptyDir: {}
name: certs-dir
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/arch
operator: In
values:
- amd64
- arm64
- key: kubernetes.io/os
operator: In
values:
- linux
containers:
- name: webhook
args:
- webhook-server
- --certs-dir=/tmp/k8s-webhook-server/serving-certs/
image: image-name
imagePullPolicy: Always
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: DEPLOYED_VIA_OLM
value: "true"
readinessProbe:
httpGet:
path: /healthz
port: server-port
scheme: HTTPS
ports:
- name: metrics
containerPort: 8383
- name: validation
containerPort: 8384
- name: server-port
containerPort: 8443
resources:
requests:
cpu: 300m
memory: 128Mi
limits:
cpu: 300m
memory: 128Mi
volumeMounts:
- name: certs-dir
mountPath: /tmp/k8s-webhook-server/serving-certs/
securityContext:
seccompProfile:
type: RuntimeDefault
privileged: false
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsNonRoot: true
capabilities:
drop: ["all"]
serviceAccountName: dynatrace-webhook
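Review bot: The `volumes:` and `volumeMounts:` entries in the new `should exist on olm (but different)` case show that with `olm: true` the chart now renders its own emptyDir `certs-dir` at `/tmp/k8s-webhook-server/serving-certs/`, which the template comment says is the same path OLM mounts its serving-cert secret to. If the OLM bundle's CSV is generated from this template, OLM's injected volumeMount would share a mountPath with `certs-dir`, and the API server rejects duplicate mountPaths within a container — or, if OLM's mount takes precedence, the emptyDir is simply never used; how the CSV is produced is not visible in the diff, so this is an inference to confirm. If the collision is real, render the emptyDir volume and its mount only when `olm` is false and adjust this expectation to match.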
