Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Improve the securityContext recommendation to run each Pod using a unique UID. #230

Open
marcofranssen opened this issue Feb 1, 2024 · 1 comment
Open

Improve the securityContext recommendation to run each Pod using a unique UID. #230

marcofranssen opened this issue Feb 1, 2024 · 1 comment
Labels
enhancement New feature or request

Comments

@marcofranssen
Copy link
Collaborator

marcofranssen commented Feb 1, 2024
edited
Loading

To improve the security of the SPIFFE pods it would be great if we can adjust the securityContext recommendation to run with a unique UID.

Checking many out of the box installations of other charts they are using runAsUser: 1000, therefore we should pick some UIDs that are not that commonly used to reduce the chance there is potential overlap with other pods in the cluster.

See below my setup to configure the podSecurityContext for each component.

global:
  spire:
    recommendations:
      enabled: true
      namespaceLayout: true
      namespacePSS: true
      priorityClassName: true
      strictMode: true
      securityContexts: true

spire-server:
  podSecurityContext:
    runAsUser: 20000
    runAsGroup: 20000
    fsGroup: 20000

spiffe-csi-driver:
  podSecurityContext:
    runAsUser: 20001
    runAsGroup: 20001
    fsGroup: 20001

spire-agent:
  podSecurityContext:
    runAsUser: 20002
    runAsGroup: 20002
    fsGroup: 20002

spiffe-oidc-discovery-provider:
  podSecurityContext:
    runAsUser: 20003
    runAsGroup: 20003
    fsGroup: 20003

Note

We should decide on a range of UIDs to use for spire pods, so don't take above example as leading.

I also noticed the spiffe-csi-driver doesn't have a podSecurityContext.

Tried adding that.

      securityContext:
        {{- toYaml $podSecurityContext | nindent 8 }}

this unfortunately breaks the csi driver.

See

2024-02-01T10:57:23.171Z	INFO	spiffe-csi-driver/main.go:45	Starting.	{"version": "0.2.3", "nodeID": "ip-10-2-13-145.eu-west-1.compute.internal", "workloadAPISocketDir": "/spire-agent-socket", "csiSocketPath": "/spiffe-csi/csi.sock"}
2024-02-01T10:57:23.171Z	ERROR	server/server.go:33	Unable to remove CSI socket	{"error": "remove /spiffe-csi/csi.sock: permission denied"}
github.com/spiffe/spiffe-csi/pkg/server.Run
	/code/pkg/server/server.go:33
main.main
	/code/cmd/spiffe-csi-driver/main.go:69
runtime.main
	/usr/local/go/src/runtime/proc.go:250
2024-02-01T10:57:23.172Z	ERROR	spiffe-csi-driver/main.go:70	Failed to serve	{"error": "unable to create CSI socket listener: listen unix /spiffe-csi/csi.sock: bind: address already in use"}
main.main
	/code/cmd/spiffe-csi-driver/main.go:70
runtime.main
	/usr/local/go/src/runtime/proc.go:250

Would it be possible to make this work with a podSecurityContext?
@marcofranssen marcofranssen added the enhancement New feature or request label Feb 1, 2024
@kfox1111
Copy link
Collaborator

kfox1111 commented Feb 2, 2024

Some more notes on this...

OpenShift allocates unique uids to each namespace out of the box. So we're kind of supporting this model already in some environments. So it should be possible to make it work more widely.

The csi-driver is very special. It needs to interact with kubelet so uid switching is tricky. If wrong it cant write to the host filesystem or kubelet sockets properly.

The spire-agent to some extent is in the same boat.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@marcofranssen @kfox1111