From 96cca2ee995424580fdc0d25d695a030b3b3330c Mon Sep 17 00:00:00 2001 From: Adrian Wyssmann Date: Fri, 24 Jan 2025 12:41:34 +0100 Subject: [PATCH 1/2] feat: Make securityContext configurable Also extend with seccompProfile and capabilities as defaults --- .../templates/_helpers.tpl | 4 +- .../templates/executor-deployment.yaml | 26 ++++---- .../templates/job-controller-deployment.yaml | 26 ++++---- .../values.yaml | 64 +++++++++++++++++++ 4 files changed, 96 insertions(+), 24 deletions(-) diff --git a/helm-charts/falcon-self-hosted-registry-assessment/templates/_helpers.tpl b/helm-charts/falcon-self-hosted-registry-assessment/templates/_helpers.tpl index 4139c6e8..49ae2dc7 100644 --- a/helm-charts/falcon-self-hosted-registry-assessment/templates/_helpers.tpl +++ b/helm-charts/falcon-self-hosted-registry-assessment/templates/_helpers.tpl @@ -13,11 +13,11 @@ If release name contains chart name it will be used as a full name. {{- define "ra-self-hosted.fullname" -}} {{- if .Values.fullnameOverride }} {{- .Values.fullnameOverride | trunc 40 | trimSuffix "-" }} -{{- else }} +{{- else -}} {{- $name := default "shra" .Values.nameOverride }} {{- if contains $name .Release.Name }} {{- .Release.Name | trunc 40 | trimSuffix "-" }} -{{- else }} +{{- else -}} {{- printf "%s-%s" .Release.Name $name | trunc 50 | trimSuffix "-" }} {{- end }} {{- end }} diff --git a/helm-charts/falcon-self-hosted-registry-assessment/templates/executor-deployment.yaml b/helm-charts/falcon-self-hosted-registry-assessment/templates/executor-deployment.yaml index da06da21..fbf60903 100644 --- a/helm-charts/falcon-self-hosted-registry-assessment/templates/executor-deployment.yaml +++ b/helm-charts/falcon-self-hosted-registry-assessment/templates/executor-deployment.yaml 
@@ -23,7 +23,11 @@ spec: spec: serviceAccountName: {{ include "ra-self-hosted-executor.fullname" . }} securityContext: - fsGroup: 2001 +{{ if .Values.executor.podSecurityContext -}} +{{ .Values.executor.podSecurityContext | toYaml | indent 8 }} +{{- else -}} +{{ .Values.podSecurityContext | toYaml | indent 8 }} +{{- end }} {{- if or (.Values.executor.image.pullSecret) (.Values.executor.image.registryConfigJSON) }} imagePullSecrets: {{ if .Values.executor.image.registryConfigJSON }} @@ -89,11 +93,11 @@ spec: {{ .Values.executor.resources | toYaml | indent 12 }} {{- end }} securityContext: - runAsUser: 1001 - runAsGroup: 2001 - runAsNonRoot: true - readOnlyRootFilesystem: true - allowPrivilegeEscalation: false +{{ if .Values.executor.securityContext }} +{{ .Values.executor.securityContext | toYaml | indent 12 }} +{{- else -}} +{{ .Values.securityContext | toYaml | indent 12 }} +{{- end }} containers: - name: executor image: {{ include "ra-self-hosted-executor.image" . }} @@ -152,11 +156,11 @@ spec: {{ .Values.executor.resources | toYaml | indent 12 }} {{- end }} securityContext: - runAsUser: 1001 - runAsGroup: 2001 - runAsNonRoot: true - readOnlyRootFilesystem: true - allowPrivilegeEscalation: false +{{ if .Values.executor.securityContext }} +{{ .Values.executor.securityContext | toYaml | indent 19 }} +{{- else -}} +{{ .Values.securityContext | toYaml | indent 12 }} +{{- end }} {{- if .Values.executor.nodeSelector }} nodeSelector: {{- .Values.executor.nodeSelector | toYaml | nindent 8 }} diff --git a/helm-charts/falcon-self-hosted-registry-assessment/templates/job-controller-deployment.yaml b/helm-charts/falcon-self-hosted-registry-assessment/templates/job-controller-deployment.yaml index 7bd55458..65309724 100644 --- a/helm-charts/falcon-self-hosted-registry-assessment/templates/job-controller-deployment.yaml +++ b/helm-charts/falcon-self-hosted-registry-assessment/templates/job-controller-deployment.yaml 
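Review bot: A component-level `executor.podSecurityContext` replaces the global map wholesale instead of merging with it, so a user who sets only `fsGroup` silently loses `runAsNonRoot` and the `seccompProfile`; the same holds for `executor.securityContext` in the two container-level hunks below and for the three `jobController` hunks in job-controller-deployment.yaml. Rendering the override on top of a copy of the default keeps the hardening fields unless a key is explicitly overridden, e.g. `{{ mergeOverwrite (deepCopy .Values.podSecurityContext) (.Values.executor.podSecurityContext | default dict) | toYaml | indent 8 }}` in place of the if/else. If full replacement is the intended contract, the values.yaml comments should say so explicitly. The enclosing pod `spec:` mapping starts outside the hunk.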
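Review bot: The override branch of the third hunk (`@@ -152,11 +156,11`) uses `indent 19` while its own else branch, the matching hunk at `@@ -89`, and both job-controller hunks use `indent 12`, so setting `executor.securityContext` renders that map seven columns deeper than its sibling keys; YAML's lenient nesting will likely still accept it, but it reads as a typo and should be `{{ .Values.executor.securityContext | toYaml | indent 12 }}`. The `{{ if .Values.executor.securityContext }}` opener in both container-level hunks also lacks the `-}}` trim that the pod-level hunk uses, leaving a blank line under `securityContext:` whenever the override is set; `{{ if .Values.executor.securityContext -}}` keeps the output consistent.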
@@ -19,7 +19,11 @@ spec: checksum/config: {{ include (print $.Template.BasePath "/job-controller-configmap.yaml") . | sha256sum }} spec: securityContext: - fsGroup: 2001 +{{ if .Values.jobController.podSecurityContext -}} +{{ .Values.jobController.podSecurityContext | toYaml | indent 8 }} +{{- else -}} +{{ .Values.podSecurityContext | toYaml | indent 8 }} +{{- end }} {{- if or (.Values.jobController.image.pullSecret) (.Values.jobController.image.registryConfigJSON) }} imagePullSecrets: {{ if .Values.jobController.image.registryConfigJSON }} @@ -73,11 +77,11 @@ spec: name: tls {{- end }} securityContext: - runAsUser: 1001 - runAsGroup: 2001 - runAsNonRoot: true - readOnlyRootFilesystem: true - allowPrivilegeEscalation: false +{{ if .Values.jobController.securityContext }} +{{ .Values.jobController.securityContext | toYaml | indent 12 }} +{{- else -}} +{{ .Values.securityContext | toYaml | indent 12 }} +{{- end }} containers: - name: job-controller image: {{ include "ra-self-hosted-job-controller.image" . }} @@ -131,11 +135,11 @@ spec: name: tls {{- end }} securityContext: - runAsUser: 1001 - runAsGroup: 2001 - runAsNonRoot: true - readOnlyRootFilesystem: true - allowPrivilegeEscalation: false +{{ if .Values.jobController.securityContext }} +{{ .Values.jobController.securityContext | toYaml | indent 12 }} +{{- else -}} +{{ .Values.securityContext | toYaml | indent 12 }} +{{- end }} {{- if .Values.jobController.nodeSelector }} nodeSelector: {{- .Values.jobController.nodeSelector | toYaml | nindent 8 }} diff --git a/helm-charts/falcon-self-hosted-registry-assessment/values.yaml b/helm-charts/falcon-self-hosted-registry-assessment/values.yaml index 44c2f744..421b3d73 100644 --- a/helm-charts/falcon-self-hosted-registry-assessment/values.yaml +++ b/helm-charts/falcon-self-hosted-registry-assessment/values.yaml 
@@ -4,6 +4,26 @@ nameOverride: "" fullnameOverride: "" +podSecurityContext: + runAsUser: 1001 + runAsGroup: 2001 + fsGroup: 2001 + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + +securityContext: + runAsUser: 1001 + runAsGroup: 2001 + runAsNonRoot: true + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL + executor: replicaCount: 1 image: @@ -47,6 +67,28 @@ executor: accessModes: - ReadWriteOnce + # Use to override the global podSecurityContext + # podSecurityContext: + # runAsUser: 1001 + # runAsGroup: 2001 + # fsGroup: 2001 + # runAsNonRoot: true + # seccompProfile: + # type: RuntimeDefault + + # Use to override the global securityContext + # securityContext: + # runAsUser: 1001 + # runAsGroup: 2001 + # runAsNonRoot: true + # readOnlyRootFilesystem: true + # allowPrivilegeEscalation: false + # seccompProfile: + # type: RuntimeDefault + # capabilities: + # drop: + # - ALL + logLevel: 3 # log level to be set for the service (1:error, 2:warning, 3:info, 4:debug) catalogPerPageRate: 100 # page size per catalog request @@ -169,6 +211,28 @@ jobController: additionalSecretEnvFrom: [] + # Use to override the global podSecurityContext + # podSecurityContext: + # runAsUser: 1001 + # runAsGroup: 2001 + # fsGroup: 2001 + # runAsNonRoot: true + # seccompProfile: + # type: RuntimeDefault + + # Use to override the global securityContext + # securityContext: + # runAsUser: 1001 + # runAsGroup: 2001 + # runAsNonRoot: true + # readOnlyRootFilesystem: true + # allowPrivilegeEscalation: false + # seccompProfile: + # type: RuntimeDefault + # capabilities: + # drop: + # - ALL + crowdstrikeConfig: region: "autodiscovery" # autodiscovery, us-1, us-2, eu-1, gov1, or gov2 clientID: "" From 68a5c8446cfd3d2f362d9e7715f4fbd02b2db9cd Mon Sep 17 00:00:00 2001 
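Review bot: The new top-level `podSecurityContext` and `securityContext` defaults carry no comment explaining how they interact with the per-component keys, and the commented examples under `executor:` and `jobController:` say only "Use to override the global …"; as the templates in this series are written, a component-level map replaces the global one entirely, so a partial override drops every hardening field it does not restate. I would add above `podSecurityContext:` a comment such as `# Pod-level defaults for every component; executor.podSecurityContext / jobController.podSecurityContext replace this map entirely when set, so restate every field you want to keep`, and the equivalent above `securityContext:`. Noting that `runAsNonRoot`, `allowPrivilegeEscalation: false`, `seccompProfile: RuntimeDefault` and `capabilities.drop: [ALL]` are what the restricted Pod Security Standard requires would also tell operators what they give up by overriding them.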
From: Adrian Wyssmann Date: Mon, 27 Jan 2025 13:37:53 +0100 Subject: [PATCH 2/2] feat: Allow define crowdstrike credentials via secret --- .../README.md | 1 + .../templates/executor-deployment.yaml | 22 +++++++++++++++---- .../values.yaml | 1 + 3 files changed, 20 insertions(+), 4 deletions(-) diff --git a/helm-charts/falcon-self-hosted-registry-assessment/README.md b/helm-charts/falcon-self-hosted-registry-assessment/README.md index 74456838..e515c1dc 100644 --- a/helm-charts/falcon-self-hosted-registry-assessment/README.md +++ b/helm-charts/falcon-self-hosted-registry-assessment/README.md @@ -250,6 +250,7 @@ crowdstrikeConfig: |:------------------------------------|-----------|:------------------------------------------------------------------------------------------------------|:----------| | `crowdstrikeConfig.clientID` | required | The client ID used to authenticate the self-hosted registry assessment service with CrowdStrike. | "" | | `crowdstrikeConfig.clientSecret` | required | The client secret used to authenticate the self-hosted registry assessment service with CrowdStrike. | "" | +| `crowdstrikeConfig.clientSecretRef` | optional | Refernce to a secret which contains `clientID` (`CLIENT_ID`) and `clientSecret` (`CLIENT_SECRET`). | "" #### Option 2. Configure your CrowdStrike credentials using Kubernetes secrets or configmaps diff --git a/helm-charts/falcon-self-hosted-registry-assessment/templates/executor-deployment.yaml b/helm-charts/falcon-self-hosted-registry-assessment/templates/executor-deployment.yaml index fbf60903..bc32a58a 100644 --- a/helm-charts/falcon-self-hosted-registry-assessment/templates/executor-deployment.yaml +++ b/helm-charts/falcon-self-hosted-registry-assessment/templates/executor-deployment.yaml 
@@ -49,6 +49,7 @@ spec: - name: "REGION" value: {{ .Values.crowdstrikeConfig.region }} {{- if .Values.crowdstrikeConfig.clientID }} + {{ if not .Values.crowdstrikeConfig.clientSecretRef }} - name: "CLIENT_ID" value: {{ .Values.crowdstrikeConfig.clientID }} {{- end }} @@ -56,6 +57,7 @@ spec: - name: "CLIENT_SECRET" value: {{ .Values.crowdstrikeConfig.clientSecret }} {{- end }} + {{- end }} - name: "STORAGE_ENGINE" value: "sqlite" - name: "AGENT_RUN_MODE" @@ -68,15 +70,20 @@ spec: value: {{ .value }} {{- end }} {{- end }} - {{ if (or .Values.registryConfigs .Values.executor.additionalCMEnvFrom .Values.executor.additionalSecretEnvFrom) -}} + {{ if (or .Values.registryConfigs .Values.executor.additionalCMEnvFrom .Values.executor.additionalSecretEnvFrom .Values.crowdstrikeConfig.clientSecretRef) -}} envFrom: {{- if .Values.registryConfigs }} - configMapRef: name: {{ include "ra-self-hosted-executor.fullname" . }} {{- end }} - {{- range .Values.executor.additionalSecretEnvFrom }} + {{ if (or .Values.executor.additionalSecretEnvFrom .Values.crowdstrikeConfig.clientSecretRef) -}} - secretRef: + {{- range .Values.executor.additionalSecretEnvFrom }} {{ . | toYaml | indent 16 }} + {{- end }} + {{- if .Values.crowdstrikeConfig.clientSecretRef }} + name: {{ .Values.crowdstrikeConfig.clientSecretRef }} + {{- end }} {{- end }} {{- range .Values.executor.additionalCMEnvFrom }} - configMapRef: @@ -114,6 +121,7 @@ spec: - name: "REGION" value: {{ .Values.crowdstrikeConfig.region }} {{- if .Values.crowdstrikeConfig.clientID }} + {{ if not .Values.crowdstrikeConfig.clientSecretRef -}} - name: "CLIENT_ID" value: {{ .Values.crowdstrikeConfig.clientID }} {{- end }} 
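Review bot: The new `{{ if not .Values.crowdstrikeConfig.clientSecretRef }}` guard only covers `CLIENT_ID`; the closing `{{- end }}` added in the next hunk (`@@ -56,6 +57,7`) sits after the `CLIENT_SECRET` block, so `CLIENT_SECRET` is still rendered from values whenever `clientSecret` is set even with `clientSecretRef` configured, and because `env` entries take precedence over `envFrom` a stale `clientSecret` in values would silently win over the referenced Secret. The restructuring also appears to nest the `clientSecret` block (its opening `if` on the line between the two hunks is not visible here) inside `if clientID`, so a secret without a client ID is no longer rendered at all. Guarding each variable independently avoids both: `{{- if and .Values.crowdstrikeConfig.clientID (not .Values.crowdstrikeConfig.clientSecretRef) }}` for `CLIENT_ID` and `{{- if and .Values.crowdstrikeConfig.clientSecret (not .Values.crowdstrikeConfig.clientSecretRef) }}` for `CLIENT_SECRET`, dropping the added outer `{{- end }}`. The same applies to the hunks at `@@ -114,6 +121,7` and `@@ -121,21 +129,27`.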
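Review bot: Collapsing the `range` over `executor.additionalSecretEnvFrom` under a single `- secretRef:` in the `@@ -68,15 +70,20` hunk breaks the list semantics of the code it replaces: each item's `toYaml` output and the new `name: {{ .Values.crowdstrikeConfig.clientSecretRef }}` all land under one `secretRef` mapping, so with more than one additional secret, or one additional secret plus `clientSecretRef`, the rendered manifest carries duplicate `name` keys and only one Secret is actually loaded (or the API server rejects the document). Each source needs its own list item, which is what the previous per-item `- secretRef:` did; the same rewrite applies to the second container's hunk at `@@ -121,21 +129,27`. Quoting the ref name also protects a Secret name that YAML would otherwise type-coerce.
```yaml
          envFrom:
          # … unchanged: registryConfigs configMapRef …
          {{- range .Values.executor.additionalSecretEnvFrom }}
            - secretRef:
{{ . | toYaml | indent 16 }}
          {{- end }}
          {{- if .Values.crowdstrikeConfig.clientSecretRef }}
            - secretRef:
                name: {{ .Values.crowdstrikeConfig.clientSecretRef | quote }}
          {{- end }}
          # … unchanged: additionalCMEnvFrom range …
```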
@@ -121,21 +129,27 @@ spec: - name: "CLIENT_SECRET" value: {{ .Values.crowdstrikeConfig.clientSecret }} {{- end }} + {{- end }} - name: "STORAGE_ENGINE" value: "sqlite" - name: "LOG_LEVEL" value: {{ .Values.executor.logLevel | quote }} - name: "CATALOG_PER_PAGE_RATE" value: {{ .Values.executor.catalogPerPageRate | quote }} - {{ if (or .Values.registryConfigs .Values.executor.additionalCMEnvFrom .Values.executor.additionalSecretEnvFrom) -}} + {{ if (or .Values.registryConfigs .Values.executor.additionalCMEnvFrom .Values.executor.additionalSecretEnvFrom .Values.crowdstrikeConfig.clientSecretRef) -}} envFrom: {{- if .Values.registryConfigs }} - configMapRef: name: {{ include "ra-self-hosted-executor.fullname" . }} {{- end }} - {{- range .Values.executor.additionalSecretEnvFrom }} + {{ if (or .Values.executor.additionalSecretEnvFrom .Values.crowdstrikeConfig.clientSecretRef) -}} - secretRef: + {{- range .Values.executor.additionalSecretEnvFrom }} {{ . | toYaml | indent 16 }} + {{- end }} + {{- if .Values.crowdstrikeConfig.clientSecretRef }} + name: {{ .Values.crowdstrikeConfig.clientSecretRef }} + {{- end }} {{- end }} {{- range .Values.executor.additionalCMEnvFrom }} - configMapRef: diff --git a/helm-charts/falcon-self-hosted-registry-assessment/values.yaml b/helm-charts/falcon-self-hosted-registry-assessment/values.yaml index 421b3d73..fde741e4 100644 --- a/helm-charts/falcon-self-hosted-registry-assessment/values.yaml +++ b/helm-charts/falcon-self-hosted-registry-assessment/values.yaml @@ -235,6 +235,7 @@ jobController: crowdstrikeConfig: region: "autodiscovery" # autodiscovery, us-1, us-2, eu-1, gov1, or gov2 + # clientSecretRef: "" # use that instead `clientID` and `clientSecret` clientID: "" clientSecret: ""
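Review bot: `clientSecretRef` is introduced only as a commented-out line, so the key is absent from the default values while the README row added in this series lists it as a real option with a default of `""`; declaring it explicitly keeps values.yaml, the README and `--set crowdstrikeConfig.clientSecretRef=…` consistent, and the current comment ("use that instead `clientID` and `clientSecret`") is missing "of". I would replace the line with `clientSecretRef: ""  # name of an existing Secret in the release namespace whose CLIENT_ID and CLIENT_SECRET keys are loaded via envFrom; when set, leave clientID and clientSecret empty`.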