NVSHAS-8497: Run controller in non-priv mode

Author: becitsthere

charts/core/templates/controller-deployment.yaml

@@ -1,3 +1,4 @@
+{{- $pre530 := (semverCompare "<5.2.10" .Values.tag) -}}
 {{- if .Values.controller.enabled -}}
 {{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
 apiVersion: apps/v1
@@ -96,8 +97,13 @@ spec:
           {{- end }}
           {{- end }}
           {{- end }}
+          {{- if $pre530 }}
           securityContext:
             privileged: true
+          {{- else }}
+          securityContext:
+            runAsUser: 0
+          {{- end }}
           resources:
           {{- if .Values.controller.resources }}
 {{ toYaml .Values.controller.resources | indent 12 }}
@@ -153,6 +159,7 @@ spec:
               name: nv-share
               readOnly: false
           {{- end }}
+          {{- if $pre530 }}
           {{- if .Values.containerd.enabled }}
             - mountPath: /var/run/containerd/containerd.sock
           {{- else if .Values.k3s.enabled }}
@@ -172,6 +179,7 @@ spec:
             - mountPath: /host/cgroup
               name: cgroup-vol
               readOnly: true
+          {{- end }}
             - mountPath: /etc/config
               name: config-volume
               readOnly: true
@@ -224,6 +232,7 @@ spec:
             readOnly: false
         {{- end }}
         {{- end }}
+        {{- if $pre530 }}
         - name: runtime-sock
           hostPath:
           {{- if .Values.containerd.enabled }}
@@ -243,6 +252,7 @@ spec:
         - name: cgroup-vol
           hostPath:
             path: /sys/fs/cgroup
+        {{- end }}
         - name: config-volume
           projected:
             sources:

charts/core/templates/enforcer-daemonset.yaml

@@ -1,3 +1,4 @@
+{{- $pre530 := (semverCompare "<5.2.10" .Values.tag) -}}
 {{- if .Values.enforcer.enabled -}}
 {{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
 apiVersion: apps/v1
@@ -91,6 +92,7 @@ spec:
 {{- toYaml . | nindent 12 }}
           {{- end }}
           volumeMounts:
+          {{- if $pre530 }}
           {{- if .Values.containerd.enabled }}
             - mountPath: /var/run/containerd/containerd.sock
           {{- else if .Values.k3s.enabled }}
@@ -110,6 +112,7 @@ spec:
             - mountPath: /host/cgroup
               name: cgroup-vol
               readOnly: true
+          {{- end }}
             - mountPath: /lib/modules
               name: modules-vol
               readOnly: true
@@ -133,6 +136,7 @@ spec:
       terminationGracePeriodSeconds: 1200
       restartPolicy: Always
       volumes:
+      {{- if $pre530 }}
         - name: runtime-sock
           hostPath:
           {{- if .Values.containerd.enabled }}
@@ -152,6 +156,7 @@ spec:
         - name: cgroup-vol
           hostPath:
             path: /sys/fs/cgroup
+      {{- end }}
         - name: modules-vol
           hostPath:
             path: /lib/modules

charts/core/templates/psp.yaml

@@ -72,9 +72,6 @@ roleRef:
   name: neuvector-binding-psp
 subjects:
 {{- if .Values.leastPrivilege }}
-- kind: ServiceAccount
-  name: controller
-  namespace: {{ .Release.Namespace }}
 - kind: ServiceAccount
   name: enforcer
   namespace: {{ .Release.Namespace }}
@@ -83,4 +80,81 @@ subjects:
   name: {{ .Values.serviceAccount }}
   namespace: {{ .Release.Namespace }}
 {{- end }}
+
+{{- if .Values.leastPrivilege }}
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: neuvector-binding-psp-controller
+  labels:
+    chart: {{ template "neuvector.chart" . }}
+    heritage: Helm
+    release: {{ .Release.Name }}
+spec:
+  privileged: false
+  readOnlyRootFilesystem: false
+  allowPrivilegeEscalation: false
+  allowedCapabilities: null
+  requiredDropCapabilities:
+  - ALL
+  volumes:
+  - configMap
+  - downwardAPI
+  - emptyDir
+  - persistentVolumeClaim
+  - azureFile
+  - projected
+  - secret
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    rule: 'RunAsAny'
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'RunAsAny'
+  fsGroup:
+    rule: 'RunAsAny'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: neuvector-binding-psp-controller
+  namespace: {{ .Release.Namespace }}
+  labels:
+    chart: {{ template "neuvector.chart" . }}
+    heritage: Helm
+    release: {{ .Release.Name }}
+rules:
+- apiGroups:
+  - policy
+  - extensions
+  resources:
+  - podsecuritypolicies
+  verbs:
+  - use
+  resourceNames:
+  - neuvector-binding-psp-controller
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: neuvector-binding-psp-controller
+  namespace: {{ .Release.Namespace }}
+  labels:
+    chart: {{ template "neuvector.chart" . }}
+    heritage: Helm
+    release: {{ .Release.Name }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: neuvector-binding-psp-controller
+subjects:
+- kind: ServiceAccount
+  name: controller
+  namespace: {{ .Release.Namespace }}
+{{- end }}
+
 {{- end }}

charts/core/templates/rolebinding-least.yaml

@@ -62,15 +62,6 @@ subjects:
 - kind: ServiceAccount
   name: controller
   namespace: {{ .Release.Namespace }}
-- kind: ServiceAccount
-  name: enforcer
-  namespace: {{ .Release.Namespace }}
-- kind: ServiceAccount
-  name: scanner
-  namespace: {{ .Release.Namespace }}
-- kind: ServiceAccount
-  name: registry-adapter
-  namespace: {{ .Release.Namespace }}
 {{- if $oc3 }}
 userNames:
 - system:serviceaccount:{{ .Release.Namespace }}:controller
@@ -94,10 +85,85 @@ roleRef:
   name: system:openshift:scc:privileged
 subjects:
 - kind: ServiceAccount
-  name: controller
+  name: enforcer
   namespace: {{ .Release.Namespace }}
+
+---
+
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegeEscalation: false
+allowPrivilegedContainer: false
+allowedCapabilities: null
+apiVersion: security.openshift.io/v1
+defaultAddCapabilities: null
+fsGroup:
+  type: RunAsAny
+groups: []
+kind: SecurityContextConstraints
+metadata:
+  name: neuvector-scc-controller
+priority: null
+readOnlyRootFilesystem: false
+requiredDropCapabilities:
+- ALL
+runAsUser:
+  type: RunAsAny
+seLinuxContext:
+  type: RunAsAny
+supplementalGroups:
+  type: RunAsAny
+users: []
+volumes:
+- configMap
+- downwardAPI
+- emptyDir
+- persistentVolumeClaim
+- azureFile
+- projected
+- secret
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: system:openshift:scc:neuvector-scc-controller
+  labels:
+    chart: {{ template "neuvector.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: Helm
+rules:
+- apiGroups:
+  - security.openshift.io
+  resourceNames:
+  - neuvector-scc-controller
+  resources:
+  - securitycontextconstraints
+  verbs:
+  - use
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: system:openshift:scc:neuvector-scc-controller
+  namespace: {{ .Release.Namespace }}
+  labels:
+    chart: {{ template "neuvector.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: Helm
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:openshift:scc:neuvector-scc-controller
+subjects:
 - kind: ServiceAccount
-  name: enforcer
+  name: controller
   namespace: {{ .Release.Namespace }}
 {{- end }}
 {{- end }}

test/deployment_test.go

@@ -30,6 +30,63 @@ func TestControllerDeployment(t *testing.T) {
 	}
 }
 
+func TestControllerDeploymentPre53(t *testing.T) {
+	helmChartPath := "../charts/core"
+
+	options := &helm.Options{
+		SetValues: map[string]string{
+			"tag": "5.2.4",
+		},
+	}
+
+	// Test ingress
+	out := helm.RenderTemplate(t, options, helmChartPath, nvRel, []string{"templates/controller-deployment.yaml"})
+	outs := splitYaml(out)
+
+	if len(outs) != 1 {
+		t.Errorf("Resource count is wrong. count=%v\n", len(outs))
+	}
+
+	var dep appsv1.Deployment
+	helm.UnmarshalK8SYaml(t, outs[0], &dep)
+	if dep.Spec.Template.Spec.Containers[0].VolumeMounts[0].Name != "runtime-sock" {
+		t.Errorf("VolumeMounts[0] is wrong, %v\n", dep.Spec.Template.Spec.Containers[0].VolumeMounts[0])
+	}
+	if *dep.Spec.Template.Spec.Containers[0].SecurityContext.Privileged != true {
+		t.Errorf("Privileged is wrong, %v\n", *dep.Spec.Template.Spec.Containers[0].SecurityContext.Privileged)
+	}
+}
+
+func TestControllerDeploymentPost53(t *testing.T) {
+	helmChartPath := "../charts/core"
+
+	options := &helm.Options{
+		SetValues: map[string]string{
+			"tag": "5.3.0",
+		},
+	}
+
+	// Test ingress
+	out := helm.RenderTemplate(t, options, helmChartPath, nvRel, []string{"templates/controller-deployment.yaml"})
+	outs := splitYaml(out)
+
+	if len(outs) != 1 {
+		t.Errorf("Resource count is wrong. count=%v\n", len(outs))
+	}
+
+	var dep appsv1.Deployment
+	helm.UnmarshalK8SYaml(t, outs[0], &dep)
+	if dep.Spec.Template.Spec.Containers[0].VolumeMounts[0].Name != "config-volume" {
+		t.Errorf("VolumeMounts[0] is wrong, %v\n", dep.Spec.Template.Spec.Containers[0].VolumeMounts[0])
+	}
+	if dep.Spec.Template.Spec.Containers[0].SecurityContext.Privileged != nil {
+		t.Errorf("SecurityContext.Privileged should be nil\n")
+	}
+	if *dep.Spec.Template.Spec.Containers[0].SecurityContext.RunAsUser != 0 {
+		t.Errorf("SecurityContext.RunAsUser should be 0\n")
+	}
+}
+
 func TestControllerDeploymentRegistry(t *testing.T) {
 	helmChartPath := "../charts/core"