Skip to content

Add securityContext for the KBS deployment pod #24

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
May 23, 2024
Merged

Add securityContext for the KBS deployment pod #24

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion config/samples/all-in-one/kbs-config.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,6 @@ data:
}
},
"policy_engine_config": {
"policy_path": "/opa/confidential-containers/kbs/policy.rego"
"policy_path": "/opt/confidential-containers/opa/policy.rego"
}
}
3 changes: 3 additions & 0 deletions config/samples/microservices/kbs-config.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,5 +20,8 @@ data:
"repository_config": {
"type": "LocalFs",
"dir_path": "/opt/confidential-containers/kbs/repository"
},
"policy_engine_config": {
"policy_path": "/opt/confidential-containers/opa/policy.rego"
}
}
78 changes: 52 additions & 26 deletions internal/controller/kbsconfig_controller.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -330,20 +330,37 @@ func (r *KbsConfigReconciler) newKbsDeployment(ctx context.Context) *appsv1.Depl
kbsDeploymentType = confidentialcontainersorgv1alpha1.DeploymentTypeMicroservices
}

// RunAsUser (root) 0
runAsUser := int64(0)

var volumes []corev1.Volume
var kbsVM []corev1.VolumeMount
var asVM []corev1.VolumeMount
var rvpsVM []corev1.VolumeMount

// The paths /opt/confidential-container and /opt/confidential-container/kbs/repository/default
// are mounted as a RW volume in memory to allow trustee components
// to have full access to the filesystem
// confidential-containers
volume, err := r.createConfidentialContainersVolume(confidentialContainers)
if err != nil {
return nil
}
volumes = append(volumes, *volume)
volumeMount := createVolumeMount(volume.Name, filepath.Join(rootPath, volume.Name))
kbsVM = append(kbsVM, volumeMount)
// default repo
volume, err = r.createDefaultRepositoryVolume(defaultRepository)
if err != nil {
return nil
}
volumes = append(volumes, *volume)
volumeMount = createVolumeMount(volume.Name, filepath.Join(repositoryPath, volume.Name))
kbsVM = append(kbsVM, volumeMount)

// kbs-config
volume, err := r.createKbsConfigMapVolume(ctx, "kbs-config")
volume, err = r.createKbsConfigMapVolume(ctx, "kbs-config")
if err != nil {
return nil
}
volumeMount := createVolumeMount(volume.Name, filepath.Join(kbsDefaultConfigPath, volume.Name))
volumeMount = createVolumeMount(volume.Name, filepath.Join(kbsDefaultConfigPath, volume.Name))
volumes = append(volumes, *volume)
kbsVM = append(kbsVM, volumeMount)

Expand Down Expand Up @@ -424,13 +441,14 @@ func (r *KbsConfigReconciler) newKbsDeployment(ctx context.Context) *appsv1.Depl
rvpsVM = append(rvpsVM, volumeMount)
}

containers := []corev1.Container{r.buildKbsContainer(kbsVM, runAsUser)}
securityContext := createSecurityContext()
containers := []corev1.Container{r.buildKbsContainer(kbsVM, securityContext)}

if kbsDeploymentType == confidentialcontainersorgv1alpha1.DeploymentTypeMicroservices {
// build AS container
containers = append(containers, r.buildAsContainer(asVM, runAsUser))
containers = append(containers, r.buildAsContainer(asVM, securityContext))
// build RVPS container
containers = append(containers, r.buildRvpsContainer(rvpsVM, runAsUser))
containers = append(containers, r.buildRvpsContainer(rvpsVM, securityContext))
}

// Create the deployment
Expand Down Expand Up @@ -464,7 +482,24 @@ func (r *KbsConfigReconciler) newKbsDeployment(ctx context.Context) *appsv1.Depl
return deployment
}

func (r *KbsConfigReconciler) buildAsContainer(volumeMounts []corev1.VolumeMount, runAsUser int64) corev1.Container {
func pointer[T any](d T) *T {
return &d
}

func createSecurityContext() *corev1.SecurityContext {
return &corev1.SecurityContext{
AllowPrivilegeEscalation: pointer(false),
Capabilities: &corev1.Capabilities{
Drop: []corev1.Capability{
"ALL"},
},
SeccompProfile: &corev1.SeccompProfile{
Type: corev1.SeccompProfileTypeRuntimeDefault,
},
}
}

func (r *KbsConfigReconciler) buildAsContainer(volumeMounts []corev1.VolumeMount, securityContext *corev1.SecurityContext) corev1.Container {
asImageName := os.Getenv("AS_IMAGE_NAME")
if asImageName == "" {
asImageName = DefaultAsImageName
Expand All @@ -489,17 +524,14 @@ func (r *KbsConfigReconciler) buildAsContainer(volumeMounts []corev1.VolumeMount
},
},
// Add command to start AS
Command: asCommand,
// Add SecurityContext
SecurityContext: &corev1.SecurityContext{
RunAsUser: &runAsUser,
},
Command: asCommand,
SecurityContext: securityContext,
// Add volume mount for config
VolumeMounts: volumeMounts,
}
}

func (r *KbsConfigReconciler) buildRvpsContainer(volumeMounts []corev1.VolumeMount, runAsUser int64) corev1.Container {
func (r *KbsConfigReconciler) buildRvpsContainer(volumeMounts []corev1.VolumeMount, securityContext *corev1.SecurityContext) corev1.Container {
rvpsImageName := os.Getenv("RVPS_IMAGE_NAME")
if rvpsImageName == "" {
rvpsImageName = DefaultRvpsImageName
Expand All @@ -522,17 +554,14 @@ func (r *KbsConfigReconciler) buildRvpsContainer(volumeMounts []corev1.VolumeMou
},
},
// Add command to start RVPS
Command: rvpsCommand,
// Add SecurityContext
SecurityContext: &corev1.SecurityContext{
RunAsUser: &runAsUser,
},
Command: rvpsCommand,
SecurityContext: securityContext,
// Add volume mount for config
VolumeMounts: volumeMounts,
}
}

func (r *KbsConfigReconciler) buildKbsContainer(volumeMounts []corev1.VolumeMount, runAsUser int64) corev1.Container {
func (r *KbsConfigReconciler) buildKbsContainer(volumeMounts []corev1.VolumeMount, securityContext *corev1.SecurityContext) corev1.Container {
// Get Image Name from env variable if set
imageName := os.Getenv("KBS_IMAGE_NAME")
if imageName == "" {
Expand All @@ -556,11 +585,8 @@ func (r *KbsConfigReconciler) buildKbsContainer(volumeMounts []corev1.VolumeMoun
},
},
// Add command to start KBS
Command: command,
// Add SecurityContext
SecurityContext: &corev1.SecurityContext{
RunAsUser: &runAsUser,
},
Command: command,
SecurityContext: securityContext,
// Add volume mount for KBS config
VolumeMounts: volumeMounts,
/* TODO commented out because not configurable yet
Expand Down
24 changes: 24 additions & 0 deletions internal/controller/volumes.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,30 @@ import (
"sigs.k8s.io/controller-runtime/pkg/client"
)

func (r *KbsConfigReconciler) createConfidentialContainersVolume(volumeName string) (*corev1.Volume, error) {
volume := corev1.Volume{
Name: volumeName,
VolumeSource: corev1.VolumeSource{
EmptyDir: &corev1.EmptyDirVolumeSource{
Medium: corev1.StorageMediumMemory,
},
},
}
return &volume, nil
}

func (r *KbsConfigReconciler) createDefaultRepositoryVolume(volumeName string) (*corev1.Volume, error) {
volume := corev1.Volume{
Name: volumeName,
VolumeSource: corev1.VolumeSource{
EmptyDir: &corev1.EmptyDirVolumeSource{
Medium: corev1.StorageMediumMemory,
},
},
}
return &volume, nil
}

func (r *KbsConfigReconciler) createKbsConfigMapVolume(ctx context.Context, volumeName string) (*corev1.Volume, error) {
if r.kbsConfig.Spec.KbsConfigMapName != "" {
foundConfigMap := &corev1.ConfigMap{}
Expand Down