Default security context settings for SpiceDB Operator #237

Closed
jawnsy opened this issue Aug 16, 2023 · 0 comments · Fixed by #238
Labels: area/security (Affects security), area/tooling (Affects the dev or user toolchain), priority/3 low (This would be nice to have)

Comments

jawnsy commented Aug 16, 2023

Summary

Add security hardening for SpiceDB Operator deployment. Similar to #236, but for the operator instead of the deployments that the operator creates.

Background

The operator itself does not have any securityContext settings:

    spec:
      containers:
      - args:
        - run
        - -v=4
        - --crd=false
        - --config
        - /opt/operator/config.yaml
        image: ghcr.io/authzed/spicedb-operator:latest
        livenessProbe:
          httpGet:
            path: /healthz
            port: 8080
            scheme: HTTP
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 15
        name: spicedb-operator
        ports:
        - containerPort: 8080
          name: prometheus
          protocol: TCP
        readinessProbe:
          httpGet:
            path: /healthz
            port: 8080
            scheme: HTTP
          periodSeconds: 1
          successThreshold: 1
          timeoutSeconds: 15
        terminationMessagePolicy: FallbackToLogsOnError
      serviceAccountName: spicedb-operator

And it's running as root for some reason: https://explore.ggcr.dev/?blob=ghcr.io/authzed/spicedb-operator@sha256:48525acebb788bf6bdb4b64a8719185555210e8fc7904366ae7a281765c9ad7b&mt=application%2Fvnd.docker.container.image.v1%2Bjson&size=2519&manifest=ghcr.io/authzed/spicedb-operator@sha256:4e58cdf61d343a3ace7d0f5f94f1e97e858e6b6c7a02afcd58a6f0e8ce6e682f

I think building from distroless/base:nonroot should resolve this issue:

FROM gcr.io/distroless/base

For the operator, I've applied the following patches via the Kustomization:

  patches:
    - target:
        kind: Deployment
        name: spicedb-operator
        namespace: spicedb-operator
      patch: |
        - op: replace
          path: /spec/template/spec/securityContext
          value:
            runAsUser: 65532
            runAsGroup: 65532
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault
        - op: add
          path: /spec/template/spec/containers/0/securityContext
          value:
            runAsUser: 65532
            runAsGroup: 65532
            runAsNonRoot: true
            readOnlyRootFilesystem: true
            seccompProfile:
              type: RuntimeDefault
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
        - op: add
          path: /spec/template/spec/volumes
          value:
            - name: scratch
              emptyDir:
                sizeLimit: 512Mi
        - op: add
          path: /spec/template/spec/containers/0/volumeMounts
          value:
            - mountPath: /tmp
              name: scratch
              subPath: tmp

The resulting deployment looks like it runs okay:

    spec:
      containers:
        - image: ghcr.io/authzed/spicedb-operator:v1.8.0
          name: spicedb-operator
          resources: {} # this should probably also be fixed
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsGroup: 65532
            runAsNonRoot: true
            runAsUser: 65532
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            - mountPath: /tmp
              name: scratch
              subPath: tmp
      securityContext:
        runAsGroup: 65532
        runAsNonRoot: true
        runAsUser: 65532
        seccompProfile:
          type: RuntimeDefault
      serviceAccount: spicedb-operator
      serviceAccountName: spicedb-operator
      terminationGracePeriodSeconds: 30
      volumes:
        - emptyDir:
            sizeLimit: 512Mi
          name: scratch
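The patch above hardens one Deployment by hand. The following is an added example (not code from the spicedb-operator project or from the issue author) that turns the same checklist into an audit over a Deployment in the shape `kubectl get deployment -o json` returns, merging pod-level and container-level securityContext the way the kubelet does, and then emits the equivalent RFC 6902 operations. The two manifests it runs on are constructed samples trimmed to the relevant fields; `apply_patch` is a minimal stand-in for kustomize's JSON-patch handling, and uid 65532 is the distroless nonroot user the issue refers to.

```python
"""Audit a Kubernetes Deployment for the securityContext hardening the issue
asks for, and emit the RFC 6902 patch operations that close the gaps.

Added example for this page; not code from the spicedb-operator project.
Input is the shape `kubectl get deployment -o json` returns. The manifests
below are constructed samples trimmed to the fields that matter.
"""
import json
from copy import deepcopy

# Settings the kubelet takes from either level; the container value wins.
SHARED_KEYS = ("runAsNonRoot", "runAsUser", "runAsGroup", "seccompProfile")
# Settings that only exist on the container securityContext.
CONTAINER_KEYS = ("readOnlyRootFilesystem", "allowPrivilegeEscalation", "capabilities")


def effective_context(pod_sc, ctr_sc):
    """Merge pod- and container-level securityContext the way the kubelet does."""
    eff = {k: pod_sc[k] for k in SHARED_KEYS if k in pod_sc}
    eff.update({k: ctr_sc[k] for k in SHARED_KEYS + CONTAINER_KEYS if k in ctr_sc})
    return eff


def audit(deployment):
    """Return {container name: [finding, ...]}; an empty list means hardened.

    A manifest audit cannot see the image's USER directive, which is why
    runAsNonRoot: true matters: with it set, the kubelet refuses to start a
    container whose image would run as uid 0.
    """
    pod_spec = deployment["spec"]["template"]["spec"]
    pod_sc = pod_spec.get("securityContext", {})
    findings = {}
    for ctr in pod_spec["containers"]:
        eff = effective_context(pod_sc, ctr.get("securityContext", {}))
        probs = []
        if eff.get("runAsNonRoot") is not True:
            probs.append("runAsNonRoot not enforced")
        if eff.get("runAsUser") == 0:
            probs.append("runAsUser is 0 (root)")
        if eff.get("seccompProfile", {}).get("type") not in ("RuntimeDefault", "Localhost"):
            probs.append("no seccomp profile (defaults to Unconfined)")
        if eff.get("readOnlyRootFilesystem") is not True:
            probs.append("root filesystem is writable")
        if eff.get("allowPrivilegeEscalation") is not False:
            probs.append("allowPrivilegeEscalation not disabled")
        drops = [c.upper() for c in eff.get("capabilities", {}).get("drop", [])]
        if "ALL" not in drops:
            probs.append("capabilities not dropped (drop: [ALL] missing)")
        findings[ctr["name"]] = probs
    return findings


def hardening_patch(deployment, uid=65532):
    """Build JSON 6902 ops mirroring the issue's kustomize patch.

    'add' is used for every op: RFC 6902 'add' creates a missing object member
    and replaces an existing one, whereas 'replace' fails when the path is
    absent, which is the usual state of a pod-level securityContext.
    """
    pod_sc = {"runAsUser": uid, "runAsGroup": uid, "runAsNonRoot": True,
              "seccompProfile": {"type": "RuntimeDefault"}}
    ctr_sc = dict(pod_sc, readOnlyRootFilesystem=True,
                  allowPrivilegeEscalation=False, capabilities={"drop": ["ALL"]})
    ops = [{"op": "add", "path": "/spec/template/spec/securityContext", "value": pod_sc}]
    findings = audit(deployment)
    for i, ctr in enumerate(deployment["spec"]["template"]["spec"]["containers"]):
        if findings[ctr["name"]]:
            ops.append({"op": "add", "value": ctr_sc,
                        "path": f"/spec/template/spec/containers/{i}/securityContext"})
    return ops


def apply_patch(deployment, ops):
    """Minimal RFC 6902 'add' for object members (enough for the paths above)."""
    doc = deepcopy(deployment)
    for op in ops:
        parts = op["path"].strip("/").split("/")
        node = doc
        for part in parts[:-1]:
            node = node[int(part)] if isinstance(node, list) else node[part]
        node[parts[-1]] = op["value"]  # creates or overwrites the member
    return doc


# Constructed sample: the operator Deployment as shipped, no securityContext at all.
UNHARDENED = json.loads("""
{"apiVersion": "apps/v1", "kind": "Deployment",
 "metadata": {"name": "spicedb-operator", "namespace": "spicedb-operator"},
 "spec": {"template": {"spec": {
   "serviceAccountName": "spicedb-operator",
   "containers": [{"name": "spicedb-operator",
                   "image": "ghcr.io/authzed/spicedb-operator:latest",
                   "args": ["run", "-v=4", "--crd=false"]}]}}}}
""")

# Constructed sample: pod level looks fine, but the container overrides it back to root.
OVERRIDDEN = apply_patch(UNHARDENED, [
    {"op": "add", "path": "/spec/template/spec/securityContext",
     "value": {"runAsNonRoot": True, "runAsUser": 65532,
               "seccompProfile": {"type": "RuntimeDefault"}}},
    {"op": "add", "path": "/spec/template/spec/containers/0/securityContext",
     "value": {"runAsUser": 0, "runAsNonRoot": False}},
])

if __name__ == "__main__":
    print(json.dumps(audit(UNHARDENED), indent=2))
    print(json.dumps(hardening_patch(UNHARDENED), indent=2))
    print(audit(apply_patch(UNHARDENED, hardening_patch(UNHARDENED))))
```

Two points the example makes that the manifest alone does not: a container-level securityContext silently overrides the pod-level one, so auditing only `spec.template.spec.securityContext` can report a root container as hardened; and the generated ops use `add` rather than `replace` because `add` works whether or not the pod-level securityContext already exists. The image side of the issue (the base image's own user) is outside what any manifest audit can see; `docker inspect --format '{{.Config.User}}' <image>` prints the configured user, and an empty value means root.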
jzelinskie added the area/security, area/tooling and priority/3 low labels Aug 16, 2023
jawnsy added a commit to jawnsy/spicedb-operator that referenced this issue Aug 16, 2023
Switch from the default distroless image (which runs as root) to
the distroless image (which runs as uid 65532)

Related to authzed#237

Signed-off-by: Jonathan Yu <[email protected]>
jawnsy added a commit to jawnsy/spicedb-operator that referenced this issue Aug 18, 2023