Test running viking-service Pods as non-root using helm.

Addresses #38

Test running viking-service Pods as non-root using helm.
Addresses #38
c33e68a6 · Geoff Simmons · 276d6f1a · c33e68a6 · c33e68a6 · c33e68a6
Commit c33e68a6 authored Oct 02, 2020 by Geoff Simmons
Showing with 66 additions and 12 deletions

values.yaml charts/viking-service/values.yaml +10 -0

Makefile examples/varnish_pod_template/Makefile +30 -12

values-nonroot-varnish.yaml examples/varnish_pod_template/values-nonroot-varnish.yaml +26 -0

No files found.
--- a/charts/viking-service/values.yaml
+++ b/charts/viking-service/values.yaml
@@ -68,6 +68,16 @@ vikingService:
    # The varnish and haproxy users belong to this group.
    fsGroup: 998

+    # Set runAsUser:102 to start containers in the varnish/haproxy Pod
+    # as nonroot.  This capability is provided for deployments where
+    # policy dictates it, but it is *not* advisable. Both of varnish
+    # and haproxy in master/worker mode run with adequate privilege
+    # separation. haproxy as nonroot is *less* secure, because chroot
+    # is impossible. varnish as nonroot is unable to do some things
+    # that should be preferred, such as mlock shared memory.
+
+    # runAsUser: 102
+
  ## Annotations to be added to the controller deployment
  ##
  annotations: {}

--- a/examples/varnish_pod_template/Makefile
+++ b/examples/varnish_pod_template/Makefile
@@ -82,6 +82,10 @@ endif

 all: deploy

+deploy-cafe-helm:
+	@helm install viking-ingress-cafe $(CHARTDIR)/viking-test-app \
+		--values values.yaml
+
 deploy-cli-args-helm:
 	@helm install viking-service-cli-args $(CHARTDIR)/viking-service \
 		--values values-cli-args-varnish.yaml \
@@ -91,8 +95,7 @@ deploy-cli-args-helm:
 		--set vikingService.varnish.image.tag=$(VARNISH_TAG) \
 		--set vikingService.haproxy.image.repository=$(HAPROXY_IMAGE) \
 		--set vikingService.haproxy.image.tag=$(HAPROXY_TAG)
-	@helm install viking-ingress-cli-args $(CHARTDIR)/viking-test-app \
-		--values values.yaml
+	$(MAKE) deploy-cafe-helm

 deploy-proxy-helm:
 	@helm install viking-service-proxy $(CHARTDIR)/viking-service \
@@ -103,8 +106,7 @@ deploy-proxy-helm:
 		--set vikingService.varnish.image.tag=$(VARNISH_TAG) \
 		--set vikingService.haproxy.image.repository=$(HAPROXY_IMAGE) \
 		--set vikingService.haproxy.image.tag=$(HAPROXY_TAG)
-	@helm install viking-ingress-proxy $(CHARTDIR)/viking-test-app \
-		--values values.yaml
+	$(MAKE) deploy-cafe-helm

 deploy-env-helm:
 	@helm install viking-service-env $(CHARTDIR)/viking-service \
@@ -115,8 +117,18 @@ deploy-env-helm:
 		--set vikingService.varnish.image.tag=$(VARNISH_TAG) \
 		--set vikingService.haproxy.image.repository=$(HAPROXY_IMAGE) \
 		--set vikingService.haproxy.image.tag=$(HAPROXY_TAG)
-	@helm install viking-ingress-env $(CHARTDIR)/viking-test-app \
-		--values values.yaml
+	$(MAKE) deploy-cafe-helm
+
+deploy-nonroot-helm:
+	@helm install viking-service-nonroot $(CHARTDIR)/viking-service \
+		--values values-nonroot-varnish.yaml \
+		--set vikingService.secrets.admin=$(shell $(GEN_SECRET)) \
+		--set vikingService.secrets.dataplaneapi=$(shell $(GEN_SECRET)) \
+		--set vikingService.varnish.image.repository=$(VARNISH_IMAGE) \
+		--set vikingService.varnish.image.tag=$(VARNISH_TAG) \
+		--set vikingService.haproxy.image.repository=$(HAPROXY_IMAGE) \
+		--set vikingService.haproxy.image.tag=$(HAPROXY_TAG)
+	$(MAKE) deploy-cafe-helm

 deploy-cafe-kubectl:
 	@kubectl apply -f ../hello/cafe.yaml
@@ -171,21 +183,25 @@ undeploy-nonroot-kubectl:
 	$(MAKE) undeploy-cafe-kubectl
 	$(TESTDIR)/wait_delete.sh app=varnish-ingress,example=nonroot

-undeploy-cli-args-helm:
-	@helm uninstall viking-ingress-cli-args
+undeploy-cafe-helm:
+	@helm uninstall viking-ingress-cafe
+
+undeploy-cli-args-helm: undeploy-cafe-helm
 	@helm uninstall viking-service-cli-args
 	$(TESTDIR)/wait_delete.sh app=varnish-ingress,example=cli-args

-undeploy-proxy-helm:
-	@helm uninstall viking-ingress-proxy
+undeploy-proxy-helm: undeploy-cafe-helm
 	@helm uninstall viking-service-proxy
 	$(TESTDIR)/wait_delete.sh app=varnish-ingress,example=proxy

-undeploy-env-helm:
-	@helm uninstall viking-ingress-env
+undeploy-env-helm: undeploy-cafe-helm
 	@helm uninstall viking-service-env
 	$(TESTDIR)/wait_delete.sh app=varnish-ingress,example=env

+undeploy-nonroot-helm: undeploy-cafe-helm
+	@helm uninstall viking-service-nonroot
+	$(TESTDIR)/wait_delete.sh app=varnish-ingress,example=nonroot
+
 ifeq ($(DEPLOY),kubectl)
 deploy-cli-args: deploy-cli-args-kubectl
 deploy-proxy: deploy-proxy-kubectl
@@ -199,9 +215,11 @@ else
 deploy-cli-args: deploy-cli-args-helm
 deploy-proxy: deploy-proxy-helm
 deploy-env: deploy-env-helm
+deploy-nonroot: deploy-nonroot-helm
 undeploy-cli-args: undeploy-cli-args-helm
 undeploy-proxy: undeploy-proxy-helm
 undeploy-env: undeploy-env-helm
+undeploy-nonroot: undeploy-nonroot-helm
 endif

 deploy verify undeploy:

--- a/examples/varnish_pod_template/values-nonroot-varnish.yaml
+++ b/examples/varnish_pod_template/values-nonroot-varnish.yaml
+nameOverride: pod-template-examples
+fullnameOverride: pod-template-examples
+vikingService:
+  varnish:
+    extraEnvs:
+    - name: HTTP_PORT
+      value: "8888"
+  podSecurityContext:
+    fsGroup: 998
+    runAsUser: 102
+
+  service:
+    ports:
+      http: 80
+      httpTarget: 8888
+
+  ## Name of the ingress class to route through this controller
+  ##
+  ingressClass: varnish
+
+  replicaCount: 1
+
+  # labels to add to the pod container metadata
+  podLabels:
+    app: varnish-ingress
+    example: nonroot