From f57daed50bb2da952ac5cc3ee8232ef350a7fe2e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Javier=20J=2E=20Salmer=C3=B3n-Garc=C3=ADa?=
Date: Mon, 18 Mar 2024 10:23:54 +0100
Subject: [PATCH] [bitnami/cert-manager] feat!: :lock: :boom: Improve security defaults (#24271)
* [bitnami/cert-manager] feat!: :lock: :boom: Improve security defaults
Signed-off-by: Javier Salmeron Garcia
* Update README.md with readme-generator-for-helm
Signed-off-by: Bitnami Containers
* chore: :arrow_up: Bump common subchart
Signed-off-by: Javier Salmeron Garcia
* chore: :rewind: Revert changes in values.yaml
Signed-off-by: Javier Salmeron Garcia
* test: :white_check_mark: Add /tmp as emptydir
Signed-off-by: Javier Salmeron Garcia
---------
Signed-off-by: Javier Salmeron Garcia
Signed-off-by: Bitnami Containers
Signed-off-by: Alejandro Moreno
Co-authored-by: Bitnami Containers
Co-authored-by: Alejandro Moreno
---
.vib/cert-manager/runtime-parameters.yaml | 7 ++++
bitnami/cert-manager/Chart.yaml | 2 +-
bitnami/cert-manager/README.md | 47 ++++++++++++++---------
bitnami/cert-manager/values.yaml | 26 ++++++-------
4 files changed, 50 insertions(+), 32 deletions(-)
diff --git a/.vib/cert-manager/runtime-parameters.yaml b/.vib/cert-manager/runtime-parameters.yaml
index 203a2a9a5a..a6fe408156 100644
--- a/.vib/cert-manager/runtime-parameters.yaml
+++ b/.vib/cert-manager/runtime-parameters.yaml
@@ -9,6 +9,13 @@ controller:
 serviceAccount:
 create: true
 automountServiceAccountToken: true
+ extraVolumes:
+ - name: empty-dir
+ emptyDir: {}
+ extraVolumeMounts:
+ - name: empty-dir
+ mountPath: /tmp
+ subPath: tmp-dir
 webhook:
 httpsPort: 443
 rbac:
diff --git a/bitnami/cert-manager/Chart.yaml b/bitnami/cert-manager/Chart.yaml
index 6d2bbd16ce..9b03211630 100644
--- a/bitnami/cert-manager/Chart.yaml
+++ b/bitnami/cert-manager/Chart.yaml
@@ -35,4 +35,4 @@ maintainers:
 name: cert-manager
 sources:
 - https://github.com/bitnami/charts/tree/main/bitnami/cert-manager
-version: 0.24.1
+version: 1.0.0
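Review bot: The writable `/tmp` that `readOnlyRootFilesystem: true` now requires is supplied only here, in the VIB test parameters, and only for the controller; nothing in this diff adds an equivalent emptyDir mount to the chart templates (the read-only root is switched on in the values.yaml hunks at @@ -184, @@ -555 and @@ -911), and the fact that the test suite needed this mount suggests a default install will fail as soon as the container writes under `/tmp`. Either mount an emptyDir at `/tmp` in the deployment templates by default, or add a bullet to the README "To 1.0.0" upgrade note (hunk @@ -614) telling users to provide one, e.g. `- readOnlyRootFilesystem is set to true; if the containers need to write to /tmp, mount an emptyDir there via extraVolumes/extraVolumeMounts`. The webhook and cainjector pods receive no such mount in this test run, so their behaviour under a read-only root filesystem is not exercised by this change.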
diff --git a/bitnami/cert-manager/README.md b/bitnami/cert-manager/README.md
index e58be2b07d..84711b3e25 100644
--- a/bitnami/cert-manager/README.md
+++ b/bitnami/cert-manager/README.md
@@ -264,12 +264,12 @@ As an alternative, you can make use of the preset configurations for pod affinit
 ### Global parameters
-| Name | Description | Value |
-| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- |
-| `global.imageRegistry` | Global Docker image registry | `""` |
-| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` |
-| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` |
-| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `disabled` |
+| Name | Description | Value |
+| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ |
+| `global.imageRegistry` | Global Docker image registry | `""` |
+| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` |
+| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` |
+| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` |
 ### Common parameters
@@ -304,7 +304,7 @@ As an alternative, you can make use of the preset configurations for pod affinit
 | `controller.acmesolver.image.pullPolicy` | Controller image pull policy | `IfNotPresent` |
 | `controller.acmesolver.image.pullSecrets` | Controller image pull secrets | `[]` |
 | `controller.acmesolver.image.debug` | Controller image debug mode | `false` |
-| `controller.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if controller.resources is set (controller.resources is recommended for production). | `none` |
+| `controller.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if controller.resources is set (controller.resources is recommended for production). | `nano` |
 | `controller.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
 | `controller.podSecurityContext.enabled` | Enabled Controller pods' Security Context | `true` |
 | `controller.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
@@ -312,11 +312,11 @@ As an alternative, you can make use of the preset configurations for pod affinit
 | `controller.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
 | `controller.podSecurityContext.fsGroup` | Set Controller pod's Security Context fsGroup | `1001` |
 | `controller.containerSecurityContext.enabled` | Enabled controller containers' Security Context | `true` |
-| `controller.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
+| `controller.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
 | `controller.containerSecurityContext.runAsUser` | Set controller containers' Security Context runAsUser | `1001` |
-| `controller.containerSecurityContext.runAsGroup` | Set controller containers' Security Context runAsGroup | `0` |
+| `controller.containerSecurityContext.runAsGroup` | Set controller containers' Security Context runAsGroup | `1001` |
 | `controller.containerSecurityContext.runAsNonRoot` | Set controller containers' Security Context runAsNonRoot | `true` |
-| `controller.containerSecurityContext.readOnlyRootFilesystem` | Set read only root file system pod's Security Conte | `false` |
+| `controller.containerSecurityContext.readOnlyRootFilesystem` | Set read only root file system pod's Security Conte | `true` |
 | `controller.containerSecurityContext.privileged` | Set controller container's Security Context privileged | `false` |
 | `controller.containerSecurityContext.allowPrivilegeEscalation` | Set controller container's Security Context allowPrivilegeEscalation | `false` |
 | `controller.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
@@ -398,7 +398,7 @@ As an alternative, you can make use of the preset configurations for pod affinit
 | `webhook.image.pullPolicy` | Webhook image pull policy | `IfNotPresent` |
 | `webhook.image.pullSecrets` | Webhook image pull secrets | `[]` |
 | `webhook.image.debug` | Webhook image debug mode | `false` |
-| `webhook.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if controller.resources is set (controller.resources is recommended for production). | `none` |
+| `webhook.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if controller.resources is set (controller.resources is recommended for production). | `nano` |
 | `webhook.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
 | `webhook.podSecurityContext.enabled` | Enabled Webhook pods' Security Context | `true` |
 | `webhook.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
@@ -406,11 +406,11 @@ As an alternative, you can make use of the preset configurations for pod affinit
 | `webhook.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
 | `webhook.podSecurityContext.fsGroup` | Set Webhook pod's Security Context fsGroup | `1001` |
 | `webhook.containerSecurityContext.enabled` | Enabled webhook containers' Security Context | `true` |
-| `webhook.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
+| `webhook.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
 | `webhook.containerSecurityContext.runAsUser` | Set webhook containers' Security Context runAsUser | `1001` |
-| `webhook.containerSecurityContext.runAsGroup` | Set webhook containers' Security Context runAsGroup | `0` |
+| `webhook.containerSecurityContext.runAsGroup` | Set webhook containers' Security Context runAsGroup | `1001` |
 | `webhook.containerSecurityContext.runAsNonRoot` | Set webhook containers' Security Context runAsNonRoot | `true` |
-| `webhook.containerSecurityContext.readOnlyRootFilesystem` | Set read only root file system pod's Security Conte | `false` |
+| `webhook.containerSecurityContext.readOnlyRootFilesystem` | Set read only root file system pod's Security Conte | `true` |
 | `webhook.containerSecurityContext.privileged` | Set webhook container's Security Context privileged | `false` |
 | `webhook.containerSecurityContext.allowPrivilegeEscalation` | Set webhook container's Security Context allowPrivilegeEscalation | `false` |
 | `webhook.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
@@ -488,7 +488,7 @@ As an alternative, you can make use of the preset configurations for pod affinit
 | `cainjector.image.pullPolicy` | CAInjector image pull policy | `IfNotPresent` |
 | `cainjector.image.pullSecrets` | CAInjector image pull secrets | `[]` |
 | `cainjector.image.debug` | CAInjector image debug mode | `false` |
-| `cainjector.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if cloneHtdocsFromGit.resources is set (cloneHtdocsFromGit.resources is recommended for production). | `none` |
+| `cainjector.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if cloneHtdocsFromGit.resources is set (cloneHtdocsFromGit.resources is recommended for production). | `nano` |
 | `cainjector.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
 | `cainjector.podSecurityContext.enabled` | Enabled CAInjector pods' Security Context | `true` |
 | `cainjector.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
@@ -496,11 +496,11 @@ As an alternative, you can make use of the preset configurations for pod affinit
 | `cainjector.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
 | `cainjector.podSecurityContext.fsGroup` | Set CAInjector pod's Security Context fsGroup | `1001` |
 | `cainjector.containerSecurityContext.enabled` | Enabled cainjector containers' Security Context | `true` |
-| `cainjector.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
+| `cainjector.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
 | `cainjector.containerSecurityContext.runAsUser` | Set cainjector containers' Security Context runAsUser | `1001` |
-| `cainjector.containerSecurityContext.runAsGroup` | Set cainjector containers' Security Context runAsGroup | `0` |
+| `cainjector.containerSecurityContext.runAsGroup` | Set cainjector containers' Security Context runAsGroup | `1001` |
 | `cainjector.containerSecurityContext.runAsNonRoot` | Set cainjector containers' Security Context runAsNonRoot | `true` |
-| `cainjector.containerSecurityContext.readOnlyRootFilesystem` | Set read only root file system pod's Security Conte | `false` |
+| `cainjector.containerSecurityContext.readOnlyRootFilesystem` | Set read only root file system pod's Security Conte | `true` |
 | `cainjector.containerSecurityContext.privileged` | Set cainjector container's Security Context privileged | `false` |
 | `cainjector.containerSecurityContext.allowPrivilegeEscalation` | Set cainjector container's Security Context allowPrivilegeEscalation | `false` |
 | `cainjector.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
@@ -614,6 +614,17 @@ Find more information about how to deal with common errors related to Bitnami's
 ## Upgrading
+### To 1.0.0
+
+This major bump changes the following security defaults:
+
+- `runAsGroup` is changed from `0` to `1001`
+- `readOnlyRootFilesystem` is set to `true`
+- `resourcesPreset` is changed from `none` to the minimum size working in our test suites (NOTE: `resourcesPreset` is not meant for production usage, but `resources` adapted to your use case).
+- `global.compatibility.openshift.adaptSecurityContext` is changed from `disabled` to `auto`.
+
+This could potentially break any customization or init scripts used in your deployment. If this is the case, change the default values to the previous ones.
+
 ### To 0.5.0
 Exisiting CRDs have been syncronised with the official [cert-manager repository](https://github.com/cert-manager/cert-manager/tree/master/deploy/crds). Using the templates present in the 1.8.0 tag.
diff --git a/bitnami/cert-manager/values.yaml b/bitnami/cert-manager/values.yaml
index e70e20ef62..c5455939b9 100644
--- a/bitnami/cert-manager/values.yaml
+++ b/bitnami/cert-manager/values.yaml
@@ -21,7 +21,7 @@ global:
 openshift:
 ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
 ##
- adaptSecurityContext: disabled
+ adaptSecurityContext: auto
 ## @section Common parameters
 ## @param kubeVersion Override Kubernetes version
@@ -133,7 +133,7 @@ controller:
 ## @param controller.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if controller.resources is set (controller.resources is recommended for production).
 ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
 ##
- resourcesPreset: "none"
+ resourcesPreset: "nano"
 ## @param controller.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
 ## Example:
 ## resources:
@@ -174,9 +174,9 @@ controller:
 ##
 containerSecurityContext:
 enabled: true
- seLinuxOptions: null
+ seLinuxOptions: {}
 runAsUser: 1001
- runAsGroup: 0
+ runAsGroup: 1001
 runAsNonRoot: true
 privileged: false
 allowPrivilegeEscalation: false
@@ -184,7 +184,7 @@ controller:
 drop: ["ALL"]
 seccompProfile:
 type: "RuntimeDefault"
- readOnlyRootFilesystem: false
+ readOnlyRootFilesystem: true
 ## @param controller.podAffinityPreset Pod affinity preset. Ignored if `controller.affinity` is set. Allowed values: `soft` or `hard`
 ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
 ##
@@ -504,7 +504,7 @@ webhook:
 ## @param webhook.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if controller.resources is set (controller.resources is recommended for production).
 ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
 ##
- resourcesPreset: "none"
+ resourcesPreset: "nano"
 ## @param webhook.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
 ## Example:
 ## resources:
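Review bot: The `@param webhook.resourcesPreset` description kept as context in hunk @@ -504 says the preset is ignored when `controller.resources` is set, but the key that overrides it for this component is `webhook.resources`; since the README table is regenerated from these comments (the row in README hunk @@ -398 carries the same text), correcting the comment fixes both: `## @param webhook.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if webhook.resources is set (webhook.resources is recommended for production).`. The `cainjector.resourcesPreset` comment in hunk @@ -860 has the same slip with `cloneHtdocsFromGit.resources`, which looks copied from another chart and should read `cainjector.resources`. Now that the default moves from `none` to `nano`, these descriptions are what tells users which key to set to take control of the requests and limits, so the wrong key name matters more than it did.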
@@ -545,9 +545,9 @@ webhook:
 ##
 containerSecurityContext:
 enabled: true
- seLinuxOptions: null
+ seLinuxOptions: {}
 runAsUser: 1001
- runAsGroup: 0
+ runAsGroup: 1001
 runAsNonRoot: true
 privileged: false
 allowPrivilegeEscalation: false
@@ -555,7 +555,7 @@ webhook:
 drop: ["ALL"]
 seccompProfile:
 type: "RuntimeDefault"
- readOnlyRootFilesystem: false
+ readOnlyRootFilesystem: true
 ## @param webhook.podAffinityPreset Pod affinity preset. Ignored if `webhook.affinity` is set. Allowed values: `soft` or `hard`
 ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
 ##
@@ -860,7 +860,7 @@ cainjector:
 ## @param cainjector.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if cloneHtdocsFromGit.resources is set (cloneHtdocsFromGit.resources is recommended for production).
 ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
 ##
- resourcesPreset: "none"
+ resourcesPreset: "nano"
 ## @param cainjector.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
 ## Example:
 ## resources:
@@ -901,9 +901,9 @@ cainjector:
 ##
 containerSecurityContext:
 enabled: true
- seLinuxOptions: null
+ seLinuxOptions: {}
 runAsUser: 1001
- runAsGroup: 0
+ runAsGroup: 1001
 runAsNonRoot: true
 privileged: false
 allowPrivilegeEscalation: false
@@ -911,7 +911,7 @@ cainjector:
 drop: ["ALL"]
 seccompProfile:
 type: "RuntimeDefault"
- readOnlyRootFilesystem: false
+ readOnlyRootFilesystem: true
 ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
 ## @param cainjector.podAffinityPreset Pod affinity preset. Ignored if `cainjector.affinity` is set. Allowed values: `soft` or `hard`
 ##