Skip to content

Commit

Permalink
Flyte-core define pod and container securityContext (#4809)
Browse files Browse the repository at this point in the history
- Define secure defaults for all pod / container specs:

   * runAsNonRoot: true
   * capabilities:
       drop: ['ALL']
   * allowPrivilegeEscalation: false
   * seLinuxOptions:
       type: spc_t

   This is required in many locations where policy enforcement agents
   may be installed (like OPA Gatekeeper) which may otherwise prevent
   deployments from launching.

   The hard work of making sure the containers run as non-0 uids seems
   to have already been done given all containers are already specifying
   a runAsUser value of 1000 or 1001, so this should hopefully just be a
   little more hardening around restricting kernel permissions /
   enforcement within the container runtime.

   These are generally considered standard / secure default settings and
   are not currently made configurable given these services are all
   owned by Flyte

Signed-off-by: ddl-ebrown <[email protected]>
  • Loading branch information
ddl-ebrown authored Feb 13, 2024
1 parent 288888d commit fe1204c
Show file tree
Hide file tree
Showing 13 changed files with 430 additions and 0 deletions.
23 changes: 23 additions & 0 deletions charts/flyte-core/templates/admin/deployment.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -19,9 +19,12 @@ spec:
labels: {{ include "flyteadmin.podLabels" . | nindent 8 }}
spec:
securityContext:
runAsNonRoot: true
fsGroup: 65534
runAsUser: 1001
fsGroupChangePolicy: "Always"
seLinuxOptions:
type: spc_t
{{- if .Values.flyteadmin.priorityClassName }}
priorityClassName: {{ .Values.flyteadmin.priorityClassName }}
{{- end }}
Expand All @@ -35,6 +38,10 @@ spec:
image: "{{ .Values.flyteadmin.image.repository }}:{{ .Values.flyteadmin.image.tag }}"
imagePullPolicy: "{{ .Values.flyteadmin.image.pullPolicy }}"
name: run-migrations
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
volumeMounts: {{- include "databaseSecret.volumeMount" . | nindent 10 }}
- mountPath: /etc/flyte/config
name: base-config-volume
Expand All @@ -57,6 +64,10 @@ spec:
image: "{{ .Values.flyteadmin.image.repository }}:{{ .Values.flyteadmin.image.tag }}"
imagePullPolicy: "{{ .Values.flyteadmin.image.pullPolicy }}"
name: seed-projects
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
volumeMounts: {{- include "databaseSecret.volumeMount" . | nindent 10 }}
- mountPath: /etc/flyte/config
name: base-config-volume
Expand All @@ -77,6 +88,10 @@ spec:
image: "{{ .Values.flyteadmin.image.repository }}:{{ .Values.flyteadmin.image.tag }}"
imagePullPolicy: "{{ .Values.flyteadmin.image.pullPolicy }}"
name: sync-cluster-resources
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
volumeMounts: {{- include "databaseSecret.volumeMount" . | nindent 10 }}
- mountPath: /etc/flyte/clusterresource/templates
name: resource-templates
Expand Down Expand Up @@ -104,6 +119,10 @@ spec:
[
"flyteadmin --config={{ .Values.flyteadmin.configPath }} secrets init --localPath /etc/scratch/secrets && flyteadmin --config=/etc/flyte/config/*.yaml secrets create --name flyte-admin-secrets --fromPath /etc/scratch/secrets",
]
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
volumeMounts:
- mountPath: /etc/flyte/config
name: base-config-volume
Expand Down Expand Up @@ -149,6 +168,10 @@ spec:
initialDelaySeconds: 20
periodSeconds: 5
resources: {{- toYaml .Values.flyteadmin.resources | nindent 10 }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
volumeMounts: {{- include "databaseSecret.volumeMount" . | nindent 8 }}
- mountPath: /srv/flyte
name: shared-data
Expand Down
7 changes: 7 additions & 0 deletions charts/flyte-core/templates/console/deployment.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -23,8 +23,11 @@ spec:
{{- toYaml . | nindent 8 }}
{{- end }}
securityContext:
runAsNonRoot: true
runAsUser: 1000
fsGroupChangePolicy: "OnRootMismatch"
seLinuxOptions:
type: spc_t
{{- if .Values.flyteconsole.priorityClassName }}
priorityClassName: {{ .Values.flyteconsole.priorityClassName }}
{{- end }}
Expand All @@ -51,6 +54,10 @@ spec:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
resources: {{ toYaml .Values.flyteconsole.resources | nindent 10 }}
volumeMounts:
- mountPath: /srv/flyte
Expand Down
11 changes: 11 additions & 0 deletions charts/flyte-core/templates/datacatalog/deployment.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -19,9 +19,12 @@ spec:
labels: {{ include "datacatalog.podLabels" . | nindent 8 }}
spec:
securityContext:
runAsNonRoot: true
fsGroup: 1001
runAsUser: 1001
fsGroupChangePolicy: "OnRootMismatch"
seLinuxOptions:
type: spc_t
{{- if .Values.datacatalog.priorityClassName }}
priorityClassName: {{ .Values.datacatalog.priorityClassName }}
{{- end }}
Expand All @@ -44,6 +47,10 @@ spec:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
containers:
- command:
- datacatalog
Expand All @@ -66,6 +73,10 @@ spec:
- containerPort: 8088
- containerPort: 8089
- containerPort: {{ index .Values.configmap.datacatalogServer.datacatalog "profiler-port" }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
resources: {{- toYaml .Values.datacatalog.resources | nindent 10 }}
volumeMounts: {{- include "databaseSecret.volumeMount" . | nindent 8 }}
- mountPath: /etc/datacatalog/config
Expand Down
11 changes: 11 additions & 0 deletions charts/flyte-core/templates/flytescheduler/deployment.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -20,9 +20,12 @@ spec:
labels: {{ include "flytescheduler.podLabels" . | nindent 8 }}
spec:
securityContext:
runAsNonRoot: true
fsGroup: 65534
runAsUser: 1001
fsGroupChangePolicy: "Always"
seLinuxOptions:
type: spc_t
{{- if .Values.flytescheduler.priorityClassName }}
priorityClassName: {{ .Values.flytescheduler.priorityClassName }}
{{- end }}
Expand All @@ -42,6 +45,10 @@ spec:
image: "{{ .Values.flytescheduler.image.repository }}:{{ .Values.flytescheduler.image.tag }}"
imagePullPolicy: "{{ .Values.flytescheduler.image.pullPolicy }}"
name: flytescheduler-check
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
volumeMounts: {{- include "databaseSecret.volumeMount" . | nindent 8 }}
- mountPath: /etc/flyte/config
name: config-volume
Expand All @@ -65,6 +72,10 @@ spec:
name: flytescheduler
ports:
- containerPort: {{ .Values.configmap.schedulerConfig.scheduler.profilerPort }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
resources: {{- toYaml .Values.flytescheduler.resources | nindent 10 }}
volumeMounts: {{- include "databaseSecret.volumeMount" . | nindent 8 }}
- mountPath: /etc/flyte/config
Expand Down
11 changes: 11 additions & 0 deletions charts/flyte-core/templates/propeller/webhook.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -37,8 +37,11 @@ spec:
spec:
securityContext:
fsGroup: 65534
runAsNonRoot: true
runAsUser: 1001
fsGroupChangePolicy: "Always"
seLinuxOptions:
type: spc_t
serviceAccountName: {{ template "flyte-pod-webhook.name" . }}
{{- if .Values.webhook.enabled }}
initContainers:
Expand Down Expand Up @@ -66,6 +69,10 @@ spec:
{{- toYaml . | nindent 10 }}
{{- end }}
{{- end }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
volumeMounts:
- name: config-volume
mountPath: /etc/flyte/config
Expand Down Expand Up @@ -96,6 +103,10 @@ spec:
{{- end }}
ports:
- containerPort: 9443
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
volumeMounts:
- name: config-volume
mountPath: /etc/flyte/config
Expand Down
52 changes: 52 additions & 0 deletions deployment/eks/flyte_aws_scheduler_helm_generated.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -857,9 +857,12 @@ spec:
app.kubernetes.io/managed-by: Helm
spec:
securityContext:
runAsNonRoot: true
fsGroup: 65534
runAsUser: 1001
fsGroupChangePolicy: "Always"
seLinuxOptions:
type: spc_t
initContainers:
- command:
- flyteadmin
Expand All @@ -870,6 +873,10 @@ spec:
image: "cr.flyte.org/flyteorg/flyteadmin:v1.10.7-b4"
imagePullPolicy: "IfNotPresent"
name: run-migrations
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
volumeMounts:
- mountPath: /etc/db
name: db-pass
Expand All @@ -887,6 +894,10 @@ spec:
image: "cr.flyte.org/flyteorg/flyteadmin:v1.10.7-b4"
imagePullPolicy: "IfNotPresent"
name: seed-projects
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
volumeMounts:
- mountPath: /etc/db
name: db-pass
Expand All @@ -901,6 +912,10 @@ spec:
image: "cr.flyte.org/flyteorg/flyteadmin:v1.10.7-b4"
imagePullPolicy: "IfNotPresent"
name: sync-cluster-resources
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
volumeMounts:
- mountPath: /etc/db
name: db-pass
Expand All @@ -918,6 +933,10 @@ spec:
[
"flyteadmin --config=/etc/flyte/config/*.yaml secrets init --localPath /etc/scratch/secrets && flyteadmin --config=/etc/flyte/config/*.yaml secrets create --name flyte-admin-secrets --fromPath /etc/scratch/secrets",
]
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
volumeMounts:
- mountPath: /etc/flyte/config
name: base-config-volume
Expand Down Expand Up @@ -959,6 +978,10 @@ spec:
cpu: 50m
ephemeral-storage: 200Mi
memory: 200Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
volumeMounts:
- mountPath: /etc/db
name: db-pass
Expand Down Expand Up @@ -1085,8 +1108,11 @@ spec:
app.kubernetes.io/managed-by: Helm
spec:
securityContext:
runAsNonRoot: true
runAsUser: 1000
fsGroupChangePolicy: "OnRootMismatch"
seLinuxOptions:
type: spc_t
containers:
- image: "cr.flyte.org/flyteorg/flyteconsole:v1.10.2"
imagePullPolicy: "IfNotPresent"
Expand All @@ -1096,6 +1122,10 @@ spec:
name: flyte-console-config
ports:
- containerPort: 8080
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
resources:
limits:
cpu: 250m
Expand Down Expand Up @@ -1145,9 +1175,12 @@ spec:
app.kubernetes.io/managed-by: Helm
spec:
securityContext:
runAsNonRoot: true
fsGroup: 1001
runAsUser: 1001
fsGroupChangePolicy: "OnRootMismatch"
seLinuxOptions:
type: spc_t
initContainers:
- command:
- datacatalog
Expand All @@ -1163,6 +1196,10 @@ spec:
name: db-pass
- mountPath: /etc/datacatalog/config
name: config-volume
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
containers:
- command:
- datacatalog
Expand All @@ -1176,6 +1213,10 @@ spec:
- containerPort: 8088
- containerPort: 8089
- containerPort: 10254
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
resources:
limits:
cpu: 1
Expand Down Expand Up @@ -1314,8 +1355,11 @@ spec:
spec:
securityContext:
fsGroup: 65534
runAsNonRoot: true
runAsUser: 1001
fsGroupChangePolicy: "Always"
seLinuxOptions:
type: spc_t
serviceAccountName: flyte-pod-webhook
initContainers:
- name: generate-secrets
Expand All @@ -1337,6 +1381,10 @@ spec:
valueFrom:
fieldRef:
fieldPath: metadata.namespace
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
volumeMounts:
- name: config-volume
mountPath: /etc/flyte/config
Expand All @@ -1361,6 +1409,10 @@ spec:
fieldPath: metadata.namespace
ports:
- containerPort: 9443
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
volumeMounts:
- name: config-volume
mountPath: /etc/flyte/config
Expand Down
Loading

0 comments on commit fe1204c

Please sign in to comment.