From 9e0ffef4a1d8d22f27d54ed5b4fa803504af4365 Mon Sep 17 00:00:00 2001
From: James Reeve
Date: Sat, 16 Dec 2023 09:20:52 -0500
Subject: [PATCH] feat: misc security improvements

---
 Dockerfile | 4 ++
 .../cert-manager-ibm-cis-webhook/Chart.yaml | 2 +-
 .../templates/deployment.yaml | 19 ++++++-
 .../templates/networkpolicies.yaml | 52 +++++++++++++++++++
 .../templates/secret.yaml | 2 +-
 .../cert-manager-ibm-cis-webhook/values.yaml | 5 ++
 6 files changed, 80 insertions(+), 4 deletions(-)
 create mode 100644 deploy/cert-manager-ibm-cis-webhook/templates/networkpolicies.yaml

diff --git a/Dockerfile b/Dockerfile
index b6f0a8b..ae5d658 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -17,8 +17,12 @@ RUN CGO_ENABLED=0 go build -o webhook -ldflags '-w -extldflags "-static"' .
 
 FROM alpine:3.18 as final
 
+RUN addgroup -g 1000 appgroup && adduser -u 1000 -G appgroup -D webhook
+
 RUN apk add --no-cache ca-certificates
 
+USER 1000
+
 COPY --from=build /workspace/webhook /usr/local/bin/webhook
 
 ENTRYPOINT ["webhook"]
diff --git a/deploy/cert-manager-ibm-cis-webhook/Chart.yaml b/deploy/cert-manager-ibm-cis-webhook/Chart.yaml
index c6387d1..8fd6d3a 100644
--- a/deploy/cert-manager-ibm-cis-webhook/Chart.yaml
+++ b/deploy/cert-manager-ibm-cis-webhook/Chart.yaml
@@ -2,4 +2,4 @@ apiVersion: v1
 appVersion: "1.0"
 description: A Helm chart for Kubernetes
 name: cert-manager-ibm-cis-webhook
-version: 1.0.0
+version: 1.1.0
diff --git a/deploy/cert-manager-ibm-cis-webhook/templates/deployment.yaml b/deploy/cert-manager-ibm-cis-webhook/templates/deployment.yaml
index e4fde22..8a262e7 100644
--- a/deploy/cert-manager-ibm-cis-webhook/templates/deployment.yaml
+++ b/deploy/cert-manager-ibm-cis-webhook/templates/deployment.yaml
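Review bot: `USER 1000` carries no explanation of why the numeric UID is used instead of the `webhook` account created on the `adduser` line just above, and a later cleanup to `USER webhook` would silently break the `runAsNonRoot: true` the deployment now sets, because the kubelet can only verify a non-root user when the image (or `runAsUser`) gives a numeric UID. Suggested comment above `USER 1000`: `# numeric UID on purpose: Kubernetes runAsNonRoot is only verifiable against a numeric user`. Since the binary is copied after `USER` is set, it stays root-owned and is read-and-execute only for UID 1000, which is the intended state and is also worth a one-line comment on the `COPY`.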
@@ -19,7 +19,12 @@ spec:
       labels:
         app: {{ include "cert-manager-ibm-cis-webhook.name" . }}
         release: {{ .Release.Name }}
+      annotations:
+        checksum/secrets: {{ include (print $.Template.BasePath "/secret.yaml") $ | sha256sum }}
+
     spec:
+      securityContext:
+        runAsNonRoot: true
       serviceAccountName: {{ include "cert-manager-ibm-cis-webhook.fullname" . }}
       imagePullSecrets:
     {{- range .Values.imagePullSecrets }}
@@ -30,16 +35,20 @@ spec:
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           args:
+            - --secure-port={{ .Values.containerPort }}
             - --tls-cert-file=/tls/tls.crt
             - --tls-private-key-file=/tls/tls.key
           env:
             - name: GROUP_NAME
               value: {{ .Values.groupName | quote }}
             - name: IBMCLOUD_API_KEY
-              value: {{ .Values.ibmCloudApiKey | quote }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "cert-manager-ibm-cis-webhook.fullname" . }}-ibmcis-credentials
+                  key: api-token
           ports:
             - name: https
-              containerPort: 443
+              containerPort: {{ .Values.containerPort }}
               protocol: TCP
           livenessProbe:
             httpGet:
@@ -51,6 +60,12 @@ spec:
               scheme: HTTPS
               path: /healthz
               port: https
+          securityContext:
+            runAsNonRoot: true
+            readOnlyRootFilesystem: true
+            capabilities:
+              drop:
+                - ALL
           volumeMounts:
             - name: certs
               mountPath: /tls
diff --git a/deploy/cert-manager-ibm-cis-webhook/templates/networkpolicies.yaml b/deploy/cert-manager-ibm-cis-webhook/templates/networkpolicies.yaml
new file mode 100644
index 0000000..2cb4c24
--- /dev/null
+++ b/deploy/cert-manager-ibm-cis-webhook/templates/networkpolicies.yaml
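Review bot: The pod-level `securityContext` added in the first hunk sets only `runAsNonRoot`, and the container-level block added in the third hunk of this file adds `readOnlyRootFilesystem` and `capabilities.drop: [ALL]` but leaves out `allowPrivilegeEscalation: false` and a `seccompProfile`, so the pod still does not satisfy the restricted Pod Security Standard despite the hardening intent. Adding `seccompProfile:` / `type: RuntimeDefault` under the pod-level block and `allowPrivilegeEscalation: false` under the container-level block closes that gap. `runAsNonRoot: true` now appears at both levels; the container-level copy is redundant and can be dropped so there is one source of truth. The Deployment spec continues outside these hunks.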
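Review bot: `containerPort` moves from the literal 443 to `{{ .Values.containerPort }}` (8443 by default) in the second hunk, but the Service template is not part of this patch; if `service.yaml` sets `targetPort` to the number 443 rather than the port name `https`, Service traffic will stop reaching the container after this change. The probes already address the port by name, so `targetPort: https` is the consistent choice — verify service.yaml before merging. The `secretKeyRef` name matches the renamed Secret in secret.yaml, and `--secure-port` reads the same value as `containerPort`, which keeps the two from drifting.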
@@ -0,0 +1,52 @@
+{{- if .Values.networkPolicies.enabled }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "cert-manager-ibm-cis-webhook.fullname" . }}-allow-dns
+spec:
+  podSelector:
+    matchLabels:
+      app: {{ include "cert-manager-ibm-cis-webhook.name" . }}
+  policyTypes:
+    - Egress
+  egress:
+    - to:
+        - namespaceSelector: {}
+          podSelector:
+            matchLabels:
+              k8s-app: kube-dns
+      ports:
+        - protocol: UDP
+          port: 53
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "cert-manager-ibm-cis-webhook.fullname" . }}-allow-ingress
+spec:
+  podSelector:
+    matchLabels:
+      app: {{ include "cert-manager-ibm-cis-webhook.name" . }}
+  policyTypes:
+    - Ingress
+  ingress:
+    - from:
+        - podSelector: {}
+      ports:
+        - protocol: TCP
+          port: {{ .Values.containerPort }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-egress-to-k8s-api
+spec:
+  podSelector:
+    matchLabels:
+      app: {{ include "cert-manager-ibm-cis-webhook.name" . }}
+  policyTypes:
+    - Egress
+  egress:
+    - {}
+{{- end }}
diff --git a/deploy/cert-manager-ibm-cis-webhook/templates/secret.yaml b/deploy/cert-manager-ibm-cis-webhook/templates/secret.yaml
index b83b7cf..ff74605 100644
--- a/deploy/cert-manager-ibm-cis-webhook/templates/secret.yaml
+++ b/deploy/cert-manager-ibm-cis-webhook/templates/secret.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: Secret
 metadata:
-  name: ibmcis-credentials
+  name: {{ include "cert-manager-ibm-cis-webhook.fullname" . }}-ibmcis-credentials
 type: Opaque
 stringData:
   api-token: {{ .Values.ibmCloudApiKey | quote }}
diff --git a/deploy/cert-manager-ibm-cis-webhook/values.yaml b/deploy/cert-manager-ibm-cis-webhook/values.yaml
index 503969b..0354306 100644
--- a/deploy/cert-manager-ibm-cis-webhook/values.yaml
+++ b/deploy/cert-manager-ibm-cis-webhook/values.yaml
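Review bot: The third policy, `allow-egress-to-k8s-api`, has an egress rule of `- {}`, which permits all egress to every destination and port, so it neither limits traffic to the API server as its name claims nor leaves anything for the `-allow-dns` policy to add; the name should say what it actually allows and a comment should record why, e.g. `# allow-all egress: the webhook must reach the kube-apiserver and the IBM Cloud CIS API, neither of which is selectable by pod label`. It is also the only policy whose `metadata.name` is not prefixed with `include "cert-manager-ibm-cis-webhook.fullname"`, so two releases in one namespace would collide on it. The `-allow-dns` rule covers UDP 53 only; resolvers retry over TCP when a response is truncated, so a second `ports` entry `- protocol: TCP` / `port: 53` is needed for that rule to be sufficient on its own. The `-allow-ingress` rule admits only pods in the release namespace (`podSelector: {}` with no `namespaceSelector`), but a cert-manager webhook solver is called by the kube-apiserver, which on many CNIs does not present as a pod in that namespace, so enabling `networkPolicies.enabled` may make the webhook unreachable — this needs a test on the target CNI and a comment stating the assumption.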
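Review bot: `api-token: {{ .Values.ibmCloudApiKey | quote }}` still renders an empty string when `ibmCloudApiKey` is left at its values.yaml default of `""`, and because the key then exists in the Secret the deployment's new `secretKeyRef` resolves without error, so the pod starts with an empty credential and the mistake presumably surfaces only when the webhook first calls IBM Cloud. Failing at render time is cheaper: `api-token: {{ required "ibmCloudApiKey must be set" .Values.ibmCloudApiKey | quote }}`. The rename to a fullname-prefixed Secret is correct and matches the deployment hunk. Longer term, a values option to reference a pre-existing Secret would keep the token out of the Helm release history and `helm get values` output.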
@@ -10,6 +10,9 @@ groupName: acme.skills.network
 
 ibmCloudApiKey: ""
 
+networkPolicies:
+  enabled: false
+
 certManager:
   namespace: cert-manager
   serviceAccountName: cert-manager
@@ -25,6 +28,8 @@ imagePullSecrets: []
 nameOverride: ""
 fullnameOverride: ""
 
+containerPort: 8443
+
 service:
   type: ClusterIP
   port: 443
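Review bot: Both new keys are added without a comment, although a values file is the chart's user-facing documentation; `networkPolicies.enabled` in this hunk and `containerPort` in the next hunk should each say what they control. Suggested, above `networkPolicies:`: `# Render NetworkPolicy objects (templates/networkpolicies.yaml) scoping the webhook pod's DNS, ingress and egress traffic; off by default`; above `containerPort: 8443`: `# Port the webhook listens on inside the pod (--secure-port and the https containerPort); service.port stays 443`. The second comment assumes the Service maps onto the named port rather than a numeric 443, which this patch does not show — confirm against service.yaml.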