Need the possibility to set a securityContext for both pod and container for all deployments (pega, srs, clustering-service, etc.) #761

Open
rbogendoerfer opened this issue May 27, 2024 · 2 comments
Labels
enhancement New feature or request

Comments

rbogendoerfer commented May 27, 2024

Is your feature request related to a problem? Please describe.
Many clients require that the security settings for Kubernetes deployments are very strict. One example is setting the Pod Security Admission to restricted:

apiVersion: v1
kind: Namespace
metadata:
  name: pega
  labels:
    kubernetes.io/metadata.name: pega
    pod-security.kubernetes.io/enforce: restricted

Running the default deployment with those settings will result in an error message and prevent the deployment from starting:

W0527 15:11:19.454889  105539 warnings.go:70] would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "srs-service" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "srs-service" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "srs-service" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "srs-service" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

Describe the solution you'd like
For all deployments (pega tiers, srs, pega-hazelcast/clustering-service, Constellation appstatic and messaging, etc.) it should be possible to specify a securityContext for the pod (this is already in place for many deployments) and for the container!

Example:

    - name: "web"
      ...
      securityContext:
        runAsUser: 9001
        fsGroup: 0

      containerSecurityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - ALL
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault

Describe alternatives you've considered
The only alternative that I can think of is downloading the helm charts and modifying the deployment templates.

@rbogendoerfer rbogendoerfer added the enhancement New feature or request label May 27, 2024
@kishorv10
Contributor

kishorv10 commented May 28, 2024

Hi, @rbogendoerfer #750 delivers most of the required functionality. Kindly check the latest helm charts & let us know if you have further questions.

@rbogendoerfer
Author

Hi @kishorv10 , #750 only provides the possibility to set the securityContext at the pod level, but not at the container level. Certain security restrictions (e.g. capabilities.drop "ALL") must be set at the container level. Hence the option to set the securityContext for containers is required.
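The pod-versus-container distinction raised in the issue and in the reply above can be checked offline before a deployment hits an admission controller. The following Python script is an added example and is not part of this issue, the Pega helm charts, or Kubernetes itself: it re-implements only the four "restricted" checks quoted in the warning message (allowPrivilegeEscalation, capabilities.drop, runAsNonRoot, seccompProfile), applies Kubernetes' inheritance rule (runAsNonRoot and seccompProfile may come from the pod-level securityContext, the other two exist only on containers), and runs it against two constructed pod specs: one that sets everything at pod level only, as #750 allows, and one that also sets the container-level fields. The container name "srs-service" and the image tag are placeholders.

```python
"""
Minimal re-implementation of the four Pod Security "restricted" checks quoted
in the issue's warning. This is example code, not Kubernetes' PSA policy and
not the Pega helm charts; it assumes a pod spec as a plain dict shaped like a
Kubernetes PodSpec (pod-level `securityContext`, per-container `securityContext`).
"""

from typing import Any

# Constructed sample: only the pod-level securityContext is set, which is what
# a chart with a pod-level option (but no container-level option) produces.
POD_ONLY_SPEC: dict[str, Any] = {
    "securityContext": {
        "runAsUser": 9001,
        "runAsNonRoot": True,
        "seccompProfile": {"type": "RuntimeDefault"},
    },
    "containers": [
        {"name": "srs-service", "image": "example/srs:1", "securityContext": {}},
    ],
}

# Constructed sample: pod-level settings plus the container-only fields.
HARDENED_SPEC: dict[str, Any] = {
    "securityContext": {
        "runAsUser": 9001,
        "runAsNonRoot": True,
        "seccompProfile": {"type": "RuntimeDefault"},
    },
    "containers": [
        {
            "name": "srs-service",
            "image": "example/srs:1",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},
            },
        },
    ],
}


def restricted_violations(pod_spec: dict[str, Any]) -> list[str]:
    """Return the restricted-profile violations (subset of four checks) for pod_spec.

    runAsNonRoot and seccompProfile are satisfied by the pod-level securityContext
    when a container does not override them. allowPrivilegeEscalation=false and
    capabilities.drop=["ALL"] are container-only fields: a pod-level setting
    cannot supply them, so every container and initContainer must set them.
    """
    pod_sc = pod_spec.get("securityContext") or {}
    violations: list[str] = []
    containers = list(pod_spec.get("containers", [])) + list(
        pod_spec.get("initContainers", [])
    )
    for c in containers:
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}

        # Container-only fields: nothing at pod level can satisfy these.
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(
                f'container "{name}" must set securityContext.allowPrivilegeEscalation=false'
            )
        drops = (sc.get("capabilities") or {}).get("drop") or []
        if "ALL" not in drops:
            violations.append(
                f'container "{name}" must set securityContext.capabilities.drop=["ALL"]'
            )

        # Inheritable fields: the container value wins if present, else the pod value.
        run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if run_as_non_root is not True:
            violations.append(
                f'pod or container "{name}" must set securityContext.runAsNonRoot=true'
            )
        seccomp = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            violations.append(
                f'pod or container "{name}" must set securityContext.seccompProfile.type '
                'to "RuntimeDefault" or "Localhost"'
            )
    return violations


if __name__ == "__main__":
    for label, spec in (("pod-level only", POD_ONLY_SPEC), ("pod + container", HARDENED_SPEC)):
        print(f"{label}: {restricted_violations(spec) or 'OK'}")
```

Running it shows the pod-level-only spec still fails on the two container-only fields, which is exactly why a chart needs a separate container-level securityContext option; the hardened spec reports no violations. The script checks only the four fields named in the warning, so a clean result here does not mean the full restricted profile is satisfied (it does not cover, for example, added capabilities, host namespaces or volume types).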
