diff --git a/cmd/build/helmify/kustomization.yaml b/cmd/build/helmify/kustomization.yaml
index cf72d0566c1..8125b92a04b 100644
--- a/cmd/build/helmify/kustomization.yaml
+++ b/cmd/build/helmify/kustomization.yaml
@@ -73,8 +73,6 @@ patchesJson6902:
 path: /spec/template/spec/containers/0/resources/limits
 - op: remove
 path: /spec/template/spec/containers/0/resources/requests
- - op: remove
- path: /spec/template/metadata/annotations/container.seccomp.security.alpha.kubernetes.io~1manager
 - op: remove
 path: /spec/template/spec/nodeSelector/kubernetes.io~1os
 - op: remove
@@ -91,6 +89,8 @@ patchesJson6902:
 path: /spec/template/spec/containers/0/securityContext/runAsNonRoot
 - op: remove
 path: /spec/template/spec/containers/0/securityContext/runAsUser
+ - op: remove
+ path: /spec/template/spec/containers/0/securityContext/seccompProfile
 - target:
 kind: Deployment
 name: gatekeeper-controller-manager
@@ -99,8 +99,6 @@ patchesJson6902:
 path: /spec/template/spec/containers/0/resources/limits
 - op: remove
 path: /spec/template/spec/containers/0/resources/requests
- - op: remove
- path: /spec/template/metadata/annotations/container.seccomp.security.alpha.kubernetes.io~1manager
 - op: remove
 path: /spec/template/spec/nodeSelector/kubernetes.io~1os
 - op: remove
@@ -119,6 +117,8 @@ patchesJson6902:
 path: /spec/template/spec/containers/0/securityContext/runAsNonRoot
 - op: remove
 path: /spec/template/spec/containers/0/securityContext/runAsUser
+ - op: remove
+ path: /spec/template/spec/containers/0/securityContext/seccompProfile
 - target:
 kind: Service
 name: webhook-service
diff --git a/cmd/build/helmify/kustomize-for-helm.yaml b/cmd/build/helmify/kustomize-for-helm.yaml
index ee49825cd1a..4d68e2a3145 100644
--- a/cmd/build/helmify/kustomize-for-helm.yaml
+++ b/cmd/build/helmify/kustomize-for-helm.yaml
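Review bot: The two new `- op: remove` patches for `/spec/template/spec/containers/0/securityContext/seccompProfile` (second and fourth hunks) strip the seccomp profile that config/manager/manager.yaml now sets from both Deployments on the Helm build path, and no hunk in this diff re-injects it into the generated Deployment templates the way the hook templates do behind `.Values.enableRuntimeDefaultSeccompProfile`. If that re-injection lives in a part of main.go outside this view, fine; otherwise the chart's audit and controller-manager pods would ship without a seccomp profile while the kustomize deploy has one, and would not satisfy the restricted Pod Security level the commit itself applies to the namespace. Either drop these two removals or add a comment next to each naming where the profile is added back, e.g. `# seccompProfile is re-added as a template by <helmify step> behind .Values.enableRuntimeDefaultSeccompProfile`.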
@@ -258,7 +258,7 @@ webhooks:
 timeoutSeconds: HELMSUBST_VALIDATING_WEBHOOK_TIMEOUT
 failurePolicy: HELMSUBST_VALIDATING_WEBHOOK_CHECK_IGNORE_FAILURE_POLICY
 ---
-apiVersion: policy/v1beta1
+apiVersion: policy/v1
 kind: PodDisruptionBudget
 metadata:
 name: gatekeeper-controller-manager
diff --git a/cmd/build/helmify/main.go b/cmd/build/helmify/main.go
index 0bb8157b825..697e53d3052 100644
--- a/cmd/build/helmify/main.go
+++ b/cmd/build/helmify/main.go
@@ -142,11 +142,7 @@ func (ks *kindSet) Write() error {
 }
 
 if name == "gatekeeper-controller-manager" && kind == "PodDisruptionBudget" {
- obj = strings.Replace(obj, "apiVersion: policy/v1beta1", "{{- $v1 := .Capabilities.APIVersions.Has \"policy/v1/PodDisruptionBudget\" -}}\n{{- $v1beta1 := .Capabilities.APIVersions.Has \"policy/v1beta1/PodDisruptionBudget\" -}}\napiVersion: policy/v1{{- if and (not $v1) $v1beta1 -}}beta1{{- end }}", 1)
- }
-
- if name == "gatekeeper-admin" && kind == "PodSecurityPolicy" {
- obj = "{{- if and .Values.psp.enabled (.Capabilities.APIVersions.Has \"policy/v1beta1/PodSecurityPolicy\") }}\n" + obj + "{{- end }}\n"
+ obj = strings.Replace(obj, "apiVersion: policy/v1", "{{- $v1 := .Capabilities.APIVersions.Has \"policy/v1/PodDisruptionBudget\" -}}\n{{- $v1beta1 := .Capabilities.APIVersions.Has \"policy/v1beta1/PodDisruptionBudget\" -}}\napiVersion: policy/v1{{- if and (not $v1) $v1beta1 -}}beta1{{- end }}", 1)
 }
 
 if name == "gatekeeper-manager-role" && kind == "ClusterRole" {
diff --git a/config/rbac/podsecuritypolicy.yaml b/cmd/build/helmify/static/templates/gatekeeper-admin-podsecuritypolicy.yaml
similarity index 60%
rename from config/rbac/podsecuritypolicy.yaml
rename to cmd/build/helmify/static/templates/gatekeeper-admin-podsecuritypolicy.yaml
index adaca8199b8..398b1460077 100644
--- a/config/rbac/podsecuritypolicy.yaml
+++ b/cmd/build/helmify/static/templates/gatekeeper-admin-podsecuritypolicy.yaml
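Review bot: The rewritten `strings.Replace` now keys on `"apiVersion: policy/v1"`, which is also a prefix of `policy/v1beta1`, and nothing in the hunk says why a chart built from a `policy/v1` source still has to emit `beta1` on some clusters; `Write` begins and ends outside the hunk. Add a comment above the call such as `// config/pdb/pdb.yaml ships policy/v1; the template only falls back to v1beta1 when the cluster lacks policy/v1 PodDisruptionBudget.` so a later reader does not "correct" the needle back to `policy/v1beta1` and silently break the substitution. The removed `gatekeeper-admin` PodSecurityPolicy branch is replaced by the static template that follows, which is fine.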
@@ -1,9 +1,16 @@
+{{- if and .Values.psp.enabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
- name: admin
 annotations:
 seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
+ labels:
+ app: '{{ template "gatekeeper.name" . }}'
+ chart: '{{ template "gatekeeper.name" . }}'
+ gatekeeper.sh/system: "yes"
+ heritage: '{{ .Release.Service }}'
+ release: '{{ .Release.Name }}'
+ name: gatekeeper-admin
 spec:
 allowPrivilegeEscalation: false
 fsGroup:
@@ -28,3 +35,4 @@ spec:
 - secret
 - downwardAPI
 - emptyDir
+{{- end }}
diff --git a/cmd/build/helmify/static/templates/namespace-post-install.yaml b/cmd/build/helmify/static/templates/namespace-post-install.yaml
index d0b0cceb6ab..25f2d2b2ae4 100644
--- a/cmd/build/helmify/static/templates/namespace-post-install.yaml
+++ b/cmd/build/helmify/static/templates/namespace-post-install.yaml
@@ -48,8 +48,15 @@ spec:
 - {{ . }}
 {{- end }}
 - admission.gatekeeper.sh/ignore=no-self-managing
+ {{- range .Values.postInstall.labelNamespace.podSecurity }}
+ - {{ . }}
+ {{- end }}
 - --overwrite
 securityContext:
+ {{- if .Values.enableRuntimeDefaultSeccompProfile }}
+ seccompProfile:
+ type: RuntimeDefault
+ {{- end }}
 {{- toYaml .Values.postInstall.securityContext | nindent 12 }}
 ---
 apiVersion: v1
diff --git a/cmd/build/helmify/static/templates/namespace-post-upgrade.yaml b/cmd/build/helmify/static/templates/namespace-post-upgrade.yaml
index 082e839951b..f76fad5704c 100644
--- a/cmd/build/helmify/static/templates/namespace-post-upgrade.yaml
+++ b/cmd/build/helmify/static/templates/namespace-post-upgrade.yaml
@@ -40,6 +40,9 @@ spec:
 - {{ . }}
 {{- end }}
 - admission.gatekeeper.sh/ignore=no-self-managing
+ {{- range .Values.postInstall.labelNamespace.podSecurity }}
+ - {{ . }}
+ {{- end }}
 - --overwrite
 securityContext:
 {{- toYaml .Values.postUpgrade.securityContext | nindent 12 }}
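Review bot: The carried-over annotation `seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'` in the first hunk still admits any seccomp profile, including unconfined, while the rest of the commit moves the pods to `RuntimeDefault` and the namespace to the restricted Pod Security level. If this PodSecurityPolicy is kept for clusters that still have `psp.enabled`, consider narrowing it to `seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'`, or add a one-line comment recording why `'*'` is intentional. The second hunk only closes the `{{- if }}` guard.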
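Review bot: The added `{{- range .Values.postInstall.labelNamespace.podSecurity }}` items are appended to the same `kubectl label` argument list as the namespaces ranged over just above the hunk, so if that range is `extraNamespaces` (as the surrounding context suggests), every extra namespace also receives `pod-security.kubernetes.io/enforce=restricted` and can start rejecting unrelated workloads on their next rollout. Consider applying the PSA labels to the release namespace only, or at least document in values.yaml that `podSecurity` is applied to every namespace in that list. Separately, the `{{- if .Values.enableRuntimeDefaultSeccompProfile }}` block here, in upgrade-crds-hook.yaml and in webhook-configs-pre-delete.yaml reads a key that no values.yaml hunk in this diff defines; if it is not defaulted elsewhere, the guard is silently false and the hook pods run without a seccomp profile in a namespace that now enforces the restricted level.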
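Review bot: This is the post-upgrade job (it reads `.Values.postUpgrade.securityContext` two lines below), yet the new range iterates `.Values.postInstall.labelNamespace.podSecurity`, so the `podSecurity` list the commit adds under the `postUpgrade` section of values.yaml is never read and a user who customises it gets the post-install list instead. Change the line to `{{- range .Values.postUpgrade.labelNamespace.podSecurity }}`; the generated copy in manifest_staging/charts/gatekeeper/templates/namespace-post-upgrade.yaml has the same line. This hook also does not receive the `enableRuntimeDefaultSeccompProfile` seccompProfile block that namespace-post-install.yaml, upgrade-crds-hook.yaml and webhook-configs-pre-delete.yaml get, which looks like an omission rather than a choice.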
diff --git a/cmd/build/helmify/static/templates/upgrade-crds-hook.yaml b/cmd/build/helmify/static/templates/upgrade-crds-hook.yaml
index 54a6eb0729a..3675483482b 100644
--- a/cmd/build/helmify/static/templates/upgrade-crds-hook.yaml
+++ b/cmd/build/helmify/static/templates/upgrade-crds-hook.yaml
@@ -99,6 +99,10 @@ spec:
 resources:
 {{- toYaml .Values.crds.resources | nindent 10 }}
 securityContext:
+ {{- if .Values.enableRuntimeDefaultSeccompProfile }}
+ seccompProfile:
+ type: RuntimeDefault
+ {{- end }}
 {{- toYaml .Values.crds.securityContext | nindent 10 }}
 affinity:
 {{- toYaml .Values.upgradeCRDs.affinity | nindent 8 }}
diff --git a/cmd/build/helmify/static/templates/webhook-configs-pre-delete.yaml b/cmd/build/helmify/static/templates/webhook-configs-pre-delete.yaml
index 4530cc0f576..9b97415b6a3 100644
--- a/cmd/build/helmify/static/templates/webhook-configs-pre-delete.yaml
+++ b/cmd/build/helmify/static/templates/webhook-configs-pre-delete.yaml
@@ -43,6 +43,10 @@ spec:
 - mutatingwebhookconfiguration/gatekeeper-mutating-webhook-configuration
 {{- end }}
 securityContext:
+ {{- if .Values.enableRuntimeDefaultSeccompProfile }}
+ seccompProfile:
+ type: RuntimeDefault
+ {{- end }}
 {{- toYaml .Values.preUninstall.securityContext | nindent 10 }}
 ---
 apiVersion: v1
diff --git a/cmd/build/helmify/static/values.yaml b/cmd/build/helmify/static/values.yaml
index 9d49151d469..1d4968fb6f0 100644
--- a/cmd/build/helmify/static/values.yaml
+++ b/cmd/build/helmify/static/values.yaml
@@ -38,6 +38,12 @@ postUpgrade:
 pullPolicy: IfNotPresent
 pullSecrets: []
 extraNamespaces: []
+ podSecurity: ["pod-security.kubernetes.io/audit=restricted",
+ "pod-security.kubernetes.io/audit-version=latest",
+ "pod-security.kubernetes.io/warn=restricted",
+ "pod-security.kubernetes.io/warn-version=latest",
+ "pod-security.kubernetes.io/enforce=restricted",
+ "pod-security.kubernetes.io/enforce-version=v1.24"]
 securityContext:
 allowPrivilegeEscalation: false
 capabilities:
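Review bot: The new `podSecurity` list in the values.yaml hunk has no comment, and it is the one place an operator looks before these labels are written with `--overwrite`; it also pins `enforce-version=v1.24` while `audit-version` and `warn-version` follow `latest`, which deserves a stated reason. Suggest a short comment above the key, e.g. `# Pod Security Admission labels the namespace-labelling job applies with --overwrite; enforce-version is pinned, warn/audit follow latest.` The same default is repeated in the `postInstall` section and in manifest_staging/charts/gatekeeper/values.yaml.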
@@ -57,6 +63,12 @@ postInstall:
 pullPolicy: IfNotPresent
 pullSecrets: []
 extraNamespaces: []
+ podSecurity: ["pod-security.kubernetes.io/audit=restricted",
+ "pod-security.kubernetes.io/audit-version=latest",
+ "pod-security.kubernetes.io/warn=restricted",
+ "pod-security.kubernetes.io/warn-version=latest",
+ "pod-security.kubernetes.io/enforce=restricted",
+ "pod-security.kubernetes.io/enforce-version=v1.24"]
 probeWebhook:
 enabled: true
 image:
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
index 5e27d0f03dd..cf56e316921 100644
--- a/config/manager/manager.yaml
+++ b/config/manager/manager.yaml
@@ -4,6 +4,12 @@ metadata:
 labels:
 control-plane: controller-manager
 admission.gatekeeper.sh/ignore: no-self-managing
+ pod-security.kubernetes.io/warn: restricted
+ pod-security.kubernetes.io/warn-version: latest
+ pod-security.kubernetes.io/audit: restricted
+ pod-security.kubernetes.io/audit-version: latest
+ pod-security.kubernetes.io/enforce: restricted
+ pod-security.kubernetes.io/enforce-version: v1.24
 name: system
 ---
 apiVersion: apps/v1
@@ -22,8 +28,6 @@ spec:
 replicas: 3
 template:
 metadata:
- annotations:
- container.seccomp.security.alpha.kubernetes.io/manager: runtime/default
 labels:
 control-plane: controller-manager
 gatekeeper.sh/operation: webhook
@@ -104,9 +108,11 @@ spec:
 runAsGroup: 999
 runAsNonRoot: true
 allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
 capabilities:
 drop:
- - all
+ - ALL
 terminationGracePeriodSeconds: 60
 nodeSelector:
 kubernetes.io/os: linux
@@ -131,8 +137,6 @@ spec:
 labels:
 control-plane: audit-controller
 gatekeeper.sh/operation: audit
- annotations:
- container.seccomp.security.alpha.kubernetes.io/manager: runtime/default
 spec:
 automountServiceAccountToken: true
 containers:
@@ -199,10 +203,12 @@ spec:
 allowPrivilegeEscalation: false
 capabilities:
 drop:
- - all
+ - ALL
 runAsGroup: 999
 runAsNonRoot: true
 runAsUser: 1000
+ seccompProfile:
+ type: RuntimeDefault
 serviceAccountName: gatekeeper-admin
 terminationGracePeriodSeconds: 60
 nodeSelector:
diff --git a/config/pdb/pdb.yaml b/config/pdb/pdb.yaml
index 52c79ff24cc..ff78d145bb3 100644
--- a/config/pdb/pdb.yaml
+++ b/config/pdb/pdb.yaml
@@ -1,4 +1,4 @@
-apiVersion: policy/v1beta1
+apiVersion: policy/v1
 kind: PodDisruptionBudget
 metadata:
 name: controller-manager
diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml
index 4181c28d62a..9447afdb33b 100644
--- a/config/rbac/kustomization.yaml
+++ b/config/rbac/kustomization.yaml
@@ -2,7 +2,6 @@ resources:
 - role.yaml
 - role_binding.yaml
 - service_account.yaml
-- podsecuritypolicy.yaml
 # - leader_election_role.yaml
 # - leader_election_role_binding.yaml
 # Comment the following 3 lines if you want to disable
diff --git a/manifest_staging/charts/gatekeeper/templates/namespace-post-install.yaml b/manifest_staging/charts/gatekeeper/templates/namespace-post-install.yaml
index d0b0cceb6ab..25f2d2b2ae4 100644
--- a/manifest_staging/charts/gatekeeper/templates/namespace-post-install.yaml
+++ b/manifest_staging/charts/gatekeeper/templates/namespace-post-install.yaml
@@ -48,8 +48,15 @@ spec:
 - {{ . }}
 {{- end }}
 - admission.gatekeeper.sh/ignore=no-self-managing
+ {{- range .Values.postInstall.labelNamespace.podSecurity }}
+ - {{ . }}
+ {{- end }}
 - --overwrite
 securityContext:
+ {{- if .Values.enableRuntimeDefaultSeccompProfile }}
+ seccompProfile:
+ type: RuntimeDefault
+ {{- end }}
 {{- toYaml .Values.postInstall.securityContext | nindent 12 }}
 ---
 apiVersion: v1
diff --git a/manifest_staging/charts/gatekeeper/templates/namespace-post-upgrade.yaml b/manifest_staging/charts/gatekeeper/templates/namespace-post-upgrade.yaml
index 082e839951b..f76fad5704c 100644
--- a/manifest_staging/charts/gatekeeper/templates/namespace-post-upgrade.yaml
+++ b/manifest_staging/charts/gatekeeper/templates/namespace-post-upgrade.yaml
@@ -40,6 +40,9 @@ spec:
 - {{ . }}
 {{- end }}
 - admission.gatekeeper.sh/ignore=no-self-managing
+ {{- range .Values.postInstall.labelNamespace.podSecurity }}
+ - {{ . }}
+ {{- end }}
 - --overwrite
 securityContext:
 {{- toYaml .Values.postUpgrade.securityContext | nindent 12 }}
diff --git a/manifest_staging/charts/gatekeeper/templates/upgrade-crds-hook.yaml b/manifest_staging/charts/gatekeeper/templates/upgrade-crds-hook.yaml
index 54a6eb0729a..3675483482b 100644
--- a/manifest_staging/charts/gatekeeper/templates/upgrade-crds-hook.yaml
+++ b/manifest_staging/charts/gatekeeper/templates/upgrade-crds-hook.yaml
@@ -99,6 +99,10 @@ spec:
 resources:
 {{- toYaml .Values.crds.resources | nindent 10 }}
 securityContext:
+ {{- if .Values.enableRuntimeDefaultSeccompProfile }}
+ seccompProfile:
+ type: RuntimeDefault
+ {{- end }}
 {{- toYaml .Values.crds.securityContext | nindent 10 }}
 affinity:
 {{- toYaml .Values.upgradeCRDs.affinity | nindent 8 }}
diff --git a/manifest_staging/charts/gatekeeper/templates/webhook-configs-pre-delete.yaml b/manifest_staging/charts/gatekeeper/templates/webhook-configs-pre-delete.yaml
index 4530cc0f576..9b97415b6a3 100644
--- a/manifest_staging/charts/gatekeeper/templates/webhook-configs-pre-delete.yaml
+++ b/manifest_staging/charts/gatekeeper/templates/webhook-configs-pre-delete.yaml
@@ -43,6 +43,10 @@ spec:
 - mutatingwebhookconfiguration/gatekeeper-mutating-webhook-configuration
 {{- end }}
 securityContext:
+ {{- if .Values.enableRuntimeDefaultSeccompProfile }}
+ seccompProfile:
+ type: RuntimeDefault
+ {{- end }}
 {{- toYaml .Values.preUninstall.securityContext | nindent 10 }}
 ---
 apiVersion: v1
diff --git a/manifest_staging/charts/gatekeeper/values.yaml b/manifest_staging/charts/gatekeeper/values.yaml
index 9d49151d469..1d4968fb6f0 100644
--- a/manifest_staging/charts/gatekeeper/values.yaml
+++ b/manifest_staging/charts/gatekeeper/values.yaml
@@ -38,6 +38,12 @@ postUpgrade:
 pullPolicy: IfNotPresent
 pullSecrets: []
 extraNamespaces: []
+ podSecurity: ["pod-security.kubernetes.io/audit=restricted",
+ "pod-security.kubernetes.io/audit-version=latest",
+ "pod-security.kubernetes.io/warn=restricted",
+ "pod-security.kubernetes.io/warn-version=latest",
+ "pod-security.kubernetes.io/enforce=restricted",
+ "pod-security.kubernetes.io/enforce-version=v1.24"]
 securityContext:
 allowPrivilegeEscalation: false
 capabilities:
@@ -57,6 +63,12 @@ postInstall:
 pullPolicy: IfNotPresent
 pullSecrets: []
 extraNamespaces: []
+ podSecurity: ["pod-security.kubernetes.io/audit=restricted",
+ "pod-security.kubernetes.io/audit-version=latest",
+ "pod-security.kubernetes.io/warn=restricted",
+ "pod-security.kubernetes.io/warn-version=latest",
+ "pod-security.kubernetes.io/enforce=restricted",
+ "pod-security.kubernetes.io/enforce-version=v1.24"]
 probeWebhook:
 enabled: true
 image:
diff --git a/manifest_staging/deploy/gatekeeper.yaml b/manifest_staging/deploy/gatekeeper.yaml
index 436ae279913..55a0311a149 100644
--- a/manifest_staging/deploy/gatekeeper.yaml
+++ b/manifest_staging/deploy/gatekeeper.yaml
@@ -5,6 +5,12 @@ metadata:
 admission.gatekeeper.sh/ignore: no-self-managing
 control-plane: controller-manager
 gatekeeper.sh/system: "yes"
+ pod-security.kubernetes.io/audit: restricted
+ pod-security.kubernetes.io/audit-version: latest
+ pod-security.kubernetes.io/enforce: restricted
+ pod-security.kubernetes.io/enforce-version: v1.24
+ pod-security.kubernetes.io/warn: restricted
+ pod-security.kubernetes.io/warn-version: latest
 name: gatekeeper-system
 ---
 apiVersion: v1
@@ -2123,39 +2129,6 @@ metadata:
 name: gatekeeper-admin
 namespace: gatekeeper-system
 ---
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- annotations:
- seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
- labels:
- gatekeeper.sh/system: "yes"
- name: gatekeeper-admin
-spec:
- allowPrivilegeEscalation: false
- fsGroup:
- ranges:
- - max: 65535
- min: 1
- rule: MustRunAs
- requiredDropCapabilities:
- - ALL
- runAsUser:
- rule: MustRunAsNonRoot
- seLinux:
- rule: RunAsAny
- supplementalGroups:
- ranges:
- - max: 65535
- min: 1
- rule: MustRunAs
- volumes:
- - configMap
- - projected
- - secret
- - downwardAPI
- - emptyDir
----
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@@ -2419,8 +2392,6 @@ spec:
 gatekeeper.sh/system: "yes"
 template:
 metadata:
- annotations:
- container.seccomp.security.alpha.kubernetes.io/manager: runtime/default
 labels:
 control-plane: audit-controller
 gatekeeper.sh/operation: audit
@@ -2483,11 +2454,13 @@ spec:
 allowPrivilegeEscalation: false
 capabilities:
 drop:
- - all
+ - ALL
 readOnlyRootFilesystem: true
 runAsGroup: 999
 runAsNonRoot: true
 runAsUser: 1000
+ seccompProfile:
+ type: RuntimeDefault
 volumeMounts:
 - mountPath: /certs
 name: cert
@@ -2525,8 +2498,6 @@ spec:
 gatekeeper.sh/system: "yes"
 template:
 metadata:
- annotations:
- container.seccomp.security.alpha.kubernetes.io/manager: runtime/default
 labels:
 control-plane: controller-manager
 gatekeeper.sh/operation: webhook
@@ -2604,11 +2575,13 @@ spec:
 allowPrivilegeEscalation: false
 capabilities:
 drop:
- - all
+ - ALL
 readOnlyRootFilesystem: true
 runAsGroup: 999
 runAsNonRoot: true
 runAsUser: 1000
+ seccompProfile:
+ type: RuntimeDefault
 volumeMounts:
 - mountPath: /certs
 name: cert
@@ -2624,7 +2597,7 @@ spec:
 defaultMode: 420
 secretName: gatekeeper-webhook-server-cert
 ---
-apiVersion: policy/v1beta1
+apiVersion: policy/v1
 kind: PodDisruptionBudget
 metadata:
 labels:
diff --git a/test/externaldata/dummy-provider/manifest/deployment.yaml b/test/externaldata/dummy-provider/manifest/deployment.yaml
index ea8e4a69cb8..a98d95dfcfd 100644
--- a/test/externaldata/dummy-provider/manifest/deployment.yaml
+++ b/test/externaldata/dummy-provider/manifest/deployment.yaml
@@ -24,6 +24,17 @@ spec:
 - name: gatekeeper-ca-cert
 mountPath: /tmp/gatekeeper
 readOnly: true
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsGroup: 65532
+ runAsNonRoot: true
+ runAsUser: 65532
+ seccompProfile:
+ type: RuntimeDefault
 restartPolicy: Always
 nodeSelector:
 kubernetes.io/os: linux