feat: misc security improvements

2025-07-01 22:35:49 +02:00 · 2023-12-16 09:20:52 -05:00 · 2023-12-16 09:20:52 -05:00 · 9e0ffef4a1
commit 9e0ffef4a1
parent 9420237c3c
6 changed files with 80 additions and 4 deletions
--- a/4
+++ b/4
@ -17,8 +17,12 @@ RUN CGO_ENABLED=0 go build -o webhook -ldflags '-w -extldflags "-static"' .

 FROM alpine:3.18 as final

+RUN addgroup -g 1000 appgroup && adduser -u 1000 -G appgroup -D webhook
+
 RUN apk add --no-cache ca-certificates

+USER 1000
+
 COPY --from=build /workspace/webhook /usr/local/bin/webhook

 ENTRYPOINT ["webhook"]
--- a/deploy/cert-manager-ibm-cis-webhook/Chart.yaml
+++ b/deploy/cert-manager-ibm-cis-webhook/Chart.yaml
@ -2,4 +2,4 @@ apiVersion: v1
 appVersion: "1.0"
 description: A Helm chart for Kubernetes
 name: cert-manager-ibm-cis-webhook
-version: 1.0.0
+version: 1.1.0
--- a/deploy/cert-manager-ibm-cis-webhook/templates/deployment.yaml
+++ b/deploy/cert-manager-ibm-cis-webhook/templates/deployment.yaml
@ -19,7 +19,12 @@ spec:
      labels:
        app: {{ include "cert-manager-ibm-cis-webhook.name" . }}
        release: {{ .Release.Name }}
+      annotations:
+        checksum/secrets: {{ include (print $.Template.BasePath "/secret.yaml") $ | sha256sum }}
+
    spec:
+      securityContext:
+        runAsNonRoot: true
      serviceAccountName: {{ include "cert-manager-ibm-cis-webhook.fullname" . }}
      imagePullSecrets:
      {{- range .Values.imagePullSecrets }}
@ -30,16 +35,20 @@ spec:
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          args:
+            - --secure-port={{ .Values.containerPort }}
            - --tls-cert-file=/tls/tls.crt
            - --tls-private-key-file=/tls/tls.key
          env:
            - name: GROUP_NAME
              value: {{ .Values.groupName | quote }}
            - name: IBMCLOUD_API_KEY
-              value: {{ .Values.ibmCloudApiKey | quote }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "cert-manager-ibm-cis-webhook.fullname" . }}-ibmcis-credentials
+                  key: api-token
          ports:
            - name: https
-              containerPort: 443
+              containerPort: {{ .Values.containerPort }}
              protocol: TCP
          livenessProbe:
            httpGet:
@ -51,6 +60,12 @@ spec:
              scheme: HTTPS
              path: /healthz
              port: https
+          securityContext:
+            runAsNonRoot: true
+            readOnlyRootFilesystem: true
+            capabilities:
+              drop:
+                - ALL
          volumeMounts:
            - name: certs
              mountPath: /tls
--- a/deploy/cert-manager-ibm-cis-webhook/templates/networkpolicies.yaml
+++ b/deploy/cert-manager-ibm-cis-webhook/templates/networkpolicies.yaml
@ -0,0 +1,52 @@
+{{- if .Values.networkPolicies.enabled }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "cert-manager-ibm-cis-webhook.fullname" . }}-allow-dns
+spec:
+  podSelector:
+    matchLabels:
+      app: {{ include "cert-manager-ibm-cis-webhook.name" . }}
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - namespaceSelector: {}
+      podSelector:
+        matchLabels:
+          k8s-app: kube-dns
+    ports:
+    - protocol: UDP
+      port: 53
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "cert-manager-ibm-cis-webhook.fullname" . }}-allow-ingress
+spec:
+  podSelector:
+    matchLabels:
+      app: {{ include "cert-manager-ibm-cis-webhook.name" . }}
+  policyTypes:
+  - Ingress
+  ingress:
+  - from:
+    - podSelector: {}
+    ports:
+    - protocol: TCP
+      port: {{ .Values.containerPort }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-egress-to-k8s-api
+spec:
+  podSelector:
+    matchLabels:
+      app: {{ include "cert-manager-ibm-cis-webhook.name" . }}
+  policyTypes:
+    - Egress
+  egress:
+    - {}
+{{- end }}
--- a/deploy/cert-manager-ibm-cis-webhook/templates/secret.yaml
+++ b/deploy/cert-manager-ibm-cis-webhook/templates/secret.yaml
@ -1,7 +1,7 @@
 apiVersion: v1
 kind: Secret
 metadata:
-  name: ibmcis-credentials
+  name: {{ include "cert-manager-ibm-cis-webhook.fullname" . }}-ibmcis-credentials
 type: Opaque
 stringData:
  api-token: {{ .Values.ibmCloudApiKey | quote }}
--- a/deploy/cert-manager-ibm-cis-webhook/values.yaml
+++ b/deploy/cert-manager-ibm-cis-webhook/values.yaml
@ -10,6 +10,9 @@ groupName: acme.skills.network

 ibmCloudApiKey: ""

+networkPolicies:
+  enabled: false
+
 certManager:
  namespace: cert-manager
  serviceAccountName: cert-manager
@ -25,6 +28,8 @@ imagePullSecrets: []
 nameOverride: ""
 fullnameOverride: ""

+containerPort: 8443
+
 service:
  type: ClusterIP
  port: 443